layout | title | permalink | description | image | author |
---|---|---|---|---|---|
default |
Environment Setup and Tooling |
/docs/Resources/Environment-Setup-and-Tooling |
Ghidra Patch Diffing Setup |
/assets/images/hyunwon-jang-Lahie3_T3Go-unsplash.jpg |
clearbluejar |
- toc {:toc}
In order to perform patch analysis the following tools and scripts will be used:
-
Ghidra - the primary SRE tool
- Download the latest release and follow the installation instructions.
-
ghidra-patchdiff-correlator - plugin to improve default Ghidra version tracking correlators. Latest version available here.
- Install it.
-
Java 11+ (JDK) (Ghidra Dependency)
-
symchk - Microsoft Utility to download relevant symbols for Microsoft binaries (optional as Ghidra provides a way to download symbols)
- Install minimum+ version of Java Runtime and JDK.
- Download and unzip Ghidra to local directory.
C:\Ghidra
or some other place - Download and unzip ghidra-patchdiff-correlator.zip.
-
In Ghidra:
File
->Install Extensions
hit the top right green+
icon; then select theghidra_<VERSION>_PatchDiffCorrelator.zip
(that you either build from source with the GhidraDev plugin or downloaded pre-build from the releases section; please make sureVERSION
matches your Ghidra version!)
-
- Just need python for Patch-Delta and Patch-Extract.
- Symchk is included with Microsoft's Debugging Tool for Windows
Gather all the binaries for Patch Diffing into a single directory.
Sample collection of files from Security-Patches conclusion.
$ find WindowsPrintSpooler/
WindowsPrintSpooler/
WindowsPrintSpooler/2020-04
WindowsPrintSpooler/2020-04/p..ooler-core-localspl_6.1.7601.24383
WindowsPrintSpooler/2020-04/p..ooler-core-localspl_6.1.7601.24383/localspl.dll
WindowsPrintSpooler/2020-04/p..ooler-core-localspl_6.1.7601.24383/winprint.dll
WindowsPrintSpooler/2020-05
WindowsPrintSpooler/2020-05/p..ooler-core-localspl_6.1.7601.24554
WindowsPrintSpooler/2020-05/p..ooler-core-localspl_6.1.7601.24554/localspl.dll
WindowsPrintSpooler/2020-05/p..ooler-core-localspl_6.1.7601.24554/winprint.dll
WindowsPrintSpooler/2020-08
WindowsPrintSpooler/2020-08/p..ooler-core-localspl_6.1.7601.24559
WindowsPrintSpooler/2020-08/p..ooler-core-localspl_6.1.7601.24559/localspl.dll
WindowsPrintSpooler/2020-08/p..ooler-core-localspl_6.1.7601.24559/winprint.dll
WindowsPrintSpooler/2020-11
WindowsPrintSpooler/2020-11/p..ooler-core-localspl_6.1.7601.24562
WindowsPrintSpooler/2020-11/p..ooler-core-localspl_6.1.7601.24562/localspl.dll
WindowsPrintSpooler/2020-11/p..ooler-core-localspl_6.1.7601.24562/winprint.dll
Symbols improve Ghidra's ability to analyze a binary and also speed up the Patch Diffing process.
Create a directory on your OS to store symbols:
C:\symbols
/home/user/symbols
- any path you like
Run symchk on all the collected binaries and cache the symbols locally.
symchk /r /v /s SRV*c:\symbols*https://msdl.microsoft.com/download/symbols .
This command will recursively download symbols from https://msdl.microsoft.com/download/symbols
and cache them in c:\symbols
.
PS C:\Users\user\Desktop\WindowsPrintSpooler> symchk /r /v /s SRV*c:\symbols*https://msdl.microsoft.com/download/symbols .
.
.
.
.
[SYMCHK] PDB: "c:\symbols\winprint.pdb\BA411BB6DA07421F9EDF79D8EE6F218E2\winprint.pdb"
[SYMCHK] CV: RSDS
[SYMCHK] CV DWORD: 0x53445352
[SYMCHK] CV Data: winprint.pdb
[SYMCHK] PDB Sig: 0
[SYMCHK] PDB7 Sig: {BA411BB6-DA07-421F-9EDF-79D8EE6F218E}
[SYMCHK] Age: 2
[SYMCHK] PDB Matched: TRUE
[SYMCHK] DBG Matched: TRUE
[SYMCHK] Line nubmers: FALSE
[SYMCHK] Global syms: FALSE
[SYMCHK] Type Info: FALSE
[SYMCHK] ------------------------------------
SymbolCheckVersion 0x00000002
Result 0x00030001
DbgFilename
DbgTimeDateStamp 0x5f8667a4
DbgSizeOfImage 0x0000e000
DbgChecksum 0x00018262
PdbFilename c:\symbols\winprint.pdb\BA411BB6DA07421F9EDF79D8EE6F218E2\winprint.pdb
PdbSignature {00000000-0000-0000-0000-000000000000}
PdbDbiAge 0x00000000
[SYMCHK] [ 0x00000000 - 0x00030001 ] Checked "C:\Users\user\Desktop\WindowsPrintSpooler\2020-11\p..ooler-core-localspl_6.1.7601.24562\winprint.dll"
SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 11
Ghidra also has an option to download the symbol, and has the Microsoft symbol server baked in.