Google releases BinDiff for analyzing malware

When I saw that Google had released BinDiff, I assumed it was some kind of tool that produces diff-style output for binary files (something like bsdiff). Reading more closely, it turned out to be a security tool: "BinDiff now available for free".

It is meant for the case where you only have the binaries: it quickly finds which functions' assembly differs between two builds, so an analyst can concentrate on the changed code instead of re-reading everything, which speeds up security analysis considerably. The same capability shows what a vendor's patch actually fixed, without any source or changelog:

BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary.

The other use case is porting analysis results (function names, comments) from a binary that has already been analyzed to a new sample that shares code with it, so malware variants do not have to be analyzed from scratch:

Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries.
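To make the two use cases concrete, here is a small Python sketch (an added example written for this post; it is not BinDiff's code and not from Google's announcement) that does the simplest possible version of what BinDiff does. It parses two objdump-style listings of an old and a patched build, normalizes away concrete addresses so relinking noise is not reported as a change, matches functions by symbol name and then by a fingerprint of their instruction stream, reports which functions changed and which instructions were added, and carries the name of a function identified in the old build over to the auto-named copy in the new one. The listings, the symbol names (copy_buf, checksum, sub_401140, parse_len) and the patch itself (a length check added before memcpy) are all constructed for the example. Real BinDiff matches on call-graph and flow-graph structure rather than a text hash, so treat this as an illustration of the workflow, not of its algorithm.

```python
import difflib
import hashlib
import re
from typing import Dict, List

# Constructed objdump-style listings (Intel syntax) of an old and a patched build; sample data only.
OLD_BIN = """
0000000000401010 <copy_buf>:
  401010: call   401000 <parse_len>
  401015: mov    rdx,rax
  401018: call   401050 <memcpy@plt>
  40101d: ret
0000000000401030 <checksum>:
  401030: xor    eax,eax
  401032: add    al,BYTE PTR [rdi]
  401034: inc    rdi
  401037: dec    rsi
  40103a: jne    401032 <checksum+0x2>
  40103c: ret
"""
# Patched build relinked 0x100 higher: copy_buf gained a length check; checksum lost its local symbol.
NEW_BIN = """
0000000000401110 <copy_buf>:
  401110: call   401100 <parse_len>
  401115: cmp    rax,0x100
  40111b: ja     401126 <copy_buf+0x16>
  40111d: mov    rdx,rax
  401120: call   401150 <memcpy@plt>
  401125: ret
  401126: xor    eax,eax
  401128: ret
0000000000401140 <sub_401140>:
  401140: xor    eax,eax
  401142: add    al,BYTE PTR [rdi]
  401144: inc    rdi
  401147: dec    rsi
  40114a: jne    401142 <sub_401140+0x2>
  40114c: ret
"""
FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
INSN_RE = re.compile(r"^\s+[0-9a-f]+:\s+(.*)$")
LOCAL_RE = re.compile(r"<[^>]*\+0x[0-9a-f]+>")  # <sym+0x16>: branch target inside a function
ADDR_RE = re.compile(r"\b[0-9a-f]{5,}\b")       # raw code addresses (heuristic, 5+ hex digits)


def normalize(operands: str) -> str:
    """Collapse whitespace and blank out concrete addresses so a relinked build still compares equal."""
    text = LOCAL_RE.sub("<LOCAL>", " ".join(operands.split()))
    return ADDR_RE.sub("ADDR", text)


def parse_listing(text: str) -> Dict[str, List[str]]:
    """Map each function symbol to its normalized instruction stream."""
    funcs: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        head = FUNC_RE.match(line)
        if head:
            current = head.group(1)
            funcs[current] = []
            continue
        insn = INSN_RE.match(line)
        if insn and current is not None:
            funcs[current].append(normalize(insn.group(1)))
    return funcs


def fingerprint(insns: List[str]) -> str:
    """Stand-in for BinDiff's graph matching: hash of the normalized body."""
    return hashlib.sha256("\n".join(insns).encode()).hexdigest()[:16]


def match_functions(old: Dict[str, List[str]], new: Dict[str, List[str]]):
    """Match by symbol name first, then by body fingerprint for auto-named functions.
    Returns (identical as old->new, changed, unmatched_old, unmatched_new)."""
    by_fp = {fingerprint(body): name for name, body in old.items()}
    identical, changed, unmatched_new = {}, [], []
    for name, body in new.items():
        if name in old:
            if fingerprint(old[name]) == fingerprint(body):
                identical[name] = name
            else:
                changed.append(name)
        elif fingerprint(body) in by_fp:
            identical[by_fp[fingerprint(body)]] = name
        else:
            unmatched_new.append(name)
    seen = set(identical) | set(changed)
    return identical, changed, [n for n in old if n not in seen], unmatched_new


def diff_function(old: Dict[str, List[str]], new: Dict[str, List[str]], name: str) -> List[str]:
    """Instruction-level diff of a function present in both builds, file headers dropped."""
    hunk = difflib.unified_diff(old[name], new[name], "old/" + name, "new/" + name, lineterm="")
    return [line for line in hunk if not line.startswith(("---", "+++"))]


def transfer_names(identical: Dict[str, str]) -> Dict[str, str]:
    """Symbol names to port from the analyzed old build onto auto-named functions in the new one."""
    return {new: old for old, new in identical.items() if old != new}


if __name__ == "__main__":
    old, new = parse_listing(OLD_BIN), parse_listing(NEW_BIN)
    identical, changed, _, _ = match_functions(old, new)
    print("rename in new build:", transfer_names(identical))
    for name in changed:
        print("\n".join(diff_function(old, new, name)))
```

Running it reports that sub_401140 is the old checksum (so its name and any comments can be carried over) and that copy_buf is the only changed function, with the added cmp/ja pair and the new error path as the only diff lines; the 0x100 shift of every address disappears in normalization. The address regex is a heuristic that would also hit a five-digit hex immediate, which is one of the reasons real tools match on graph structure rather than text.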

The instruction set architectures currently supported are:

Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures.

The original post also shows a side-by-side flow graph comparison of two versions of a function (the screenshot is in the linked post).

The catch is that BinDiff itself is only a plugin: the disassembly it compares comes from the commercial Hex-Rays IDA Pro, which the official site lists at USD$1129 per license.

To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.