Dailydave: Re: Binary Paths

[Alexander Sotirov <asotirov () determina com>]

Dave Aitel wrote:
> I guess I was a bit vague. What would really clear things up would be
> some Python code in BinNavi 2.0 or some C# code in eEye's differ, but
> I'm still prepping to go to China so I don't have time for that.
>
> What I'm looking to do is dial down the accuracy a bit on bindiff, but
> have it work anonymously without everyone sharing all their DLL's. In
> a sense, I want to have a z=f(x,y) where x is a DLL y is a memory
> location, and z is a string representation of that memory location
> that can be given to another person to plug into their debugger
> (y'=f'(x',z)) which will end up at reasonably the same spot, most of
> the time.
How about finding a pattern of instructions that can identify a specific
location in the DLL? I've been using simple regexps over IDA disassembly to
identify patch points in multiple DLL versions, and it works great. In most
cases the code doesn't really change that much (or at all) between different DLL
revisions.

One improvement would be to discard some instructions or normalize their
operands to allow for fuzzier matching. For example, structure offsets can be
excluded from the pattern, because they are more likely to change between versions.

Alex
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave