Category Archives: Fuzzy hashing

Diaphora, a program diffing plugin for IDA Pro

UPDATE: The plugin is now published in GitHub.

Some weeks ago I started developing a binary diffing plugin for IDA Pro (in IDA Python) like Zynamics BinDiff, DarunGrim or Turbo Diff. The reasons to create one more (open source) plugin for such task are various, but the following are the main ones:

  1. We need an Open Source plugin/tool that is updated, maintained and easy to modify or adapt.
  2. The plugin should do much more than what the current ones do. It must offer much more functionality than previously existing ones.
  3. The plugin should be as deeply integrated in IDA as possible (because 99% of serious researchers use IDA as the main tool).
  4. The plugin must not be subject to big corporation’s desires (i.e., Google).

The plugin or tool I have more used and the one I liked the most was Zynamics BinDiff. However, after Google bought the company, updates to it are either too slow or non existent (you can check this issue and, my favourite, this one, where Google people tells to actually patch the binary and that, may be, they can have a real fix for the next week). Also, nobody can be sure Google is not going to finally kill the product making it exclusively a private tool (i.e., only for Google) or simply killing it because they don’t want to support it for a reason (like it killed GoogleCode or other things before). Due to this reason, because I like no current open source plugins for bindiffing and, also, because they lack most of the features that, on my mind, a decent todays binary diffing tool should have, I decided to create one of mine: Diaphora.

Continue reading

A typical work day with DeepToad

Sometimes, I receive so many malware samples that it turns out to be imposible (or at least inhuman) to analyze all the samples by hand and I need to automate the typical (boring) tasks: Clusterization of the samples in smaller sets and initial (and superficial) analysis of the different samples. For the first task I created DeepToad, a tool to clusterize any kind of file using fuzzy hashing techniques.

Continue reading