Environment Setup and Tooling
Table of Contents
Tools and Scripts
In order to perform patch analysis the following tools and scripts will be used:
- Ghidra - the primary SRE tool
- Download the latest release and follow the installation instructions.
- ghidra-patchdiff-correlator - plugin to improve default Ghidra version tracking correlators. Latest version available here.
- Install it.
- Java 11+ (JDK) (Ghidra Dependency)
- symchk - Microsoft Utility to download relevant symbols for Microsoft binaries (optional as Ghidra provides a way to download symbols)
Installation
- Install minimum+ version of Java Runtime and JDK.
- Download and unzip Ghidra to local directory.
C:\Ghidraor some other place - Download and unzip ghidra-patchdiff-correlator.zip.
In Ghidra:
File->Install Extensionshit the top right green+icon; then select theghidra_<VERSION>_PatchDiffCorrelator.zip(that you either build from source with the GhidraDev plugin or downloaded pre-build from the releases section; please make sureVERSIONmatches your Ghidra version!)
- Just need python for Patch-Delta and Patch-Extract.
- Symchk is included with Microsoft’s Debugging Tool for Windows
Preparation
File Collection (suggested)
Gather all the binaries for Patch Diffing into a single directory.
Sample collection of files from Security-Patches conclusion.
$ find WindowsPrintSpooler/
WindowsPrintSpooler/
WindowsPrintSpooler/2020-04
WindowsPrintSpooler/2020-04/p..ooler-core-localspl_6.1.7601.24383
WindowsPrintSpooler/2020-04/p..ooler-core-localspl_6.1.7601.24383/localspl.dll
WindowsPrintSpooler/2020-04/p..ooler-core-localspl_6.1.7601.24383/winprint.dll
WindowsPrintSpooler/2020-05
WindowsPrintSpooler/2020-05/p..ooler-core-localspl_6.1.7601.24554
WindowsPrintSpooler/2020-05/p..ooler-core-localspl_6.1.7601.24554/localspl.dll
WindowsPrintSpooler/2020-05/p..ooler-core-localspl_6.1.7601.24554/winprint.dll
WindowsPrintSpooler/2020-08
WindowsPrintSpooler/2020-08/p..ooler-core-localspl_6.1.7601.24559
WindowsPrintSpooler/2020-08/p..ooler-core-localspl_6.1.7601.24559/localspl.dll
WindowsPrintSpooler/2020-08/p..ooler-core-localspl_6.1.7601.24559/winprint.dll
WindowsPrintSpooler/2020-11
WindowsPrintSpooler/2020-11/p..ooler-core-localspl_6.1.7601.24562
WindowsPrintSpooler/2020-11/p..ooler-core-localspl_6.1.7601.24562/localspl.dll
WindowsPrintSpooler/2020-11/p..ooler-core-localspl_6.1.7601.24562/winprint.dll
Symbol Collection (mostly required)
Symbols improve Ghidra’s ability to analyze a binary and also speed up the Patch Diffing process.
Create Symbol Directory
Create a directory on your OS to store symbols:
C:\symbols/home/user/symbols- any path you like
Download
Run symchk on all the collected binaries and cache the symbols locally.
symchk /r /v /s SRV*c:\symbols*https://msdl.microsoft.com/download/symbols .
This command will recursively download symbols from https://msdl.microsoft.com/download/symbols and cache them in c:\symbols.
PS C:\Users\user\Desktop\WindowsPrintSpooler> symchk /r /v /s SRV*c:\symbols*https://msdl.microsoft.com/download/symbols .
.
.
.
.
[SYMCHK] PDB: "c:\symbols\winprint.pdb\BA411BB6DA07421F9EDF79D8EE6F218E2\winprint.pdb"
[SYMCHK] CV: RSDS
[SYMCHK] CV DWORD: 0x53445352
[SYMCHK] CV Data: winprint.pdb
[SYMCHK] PDB Sig: 0
[SYMCHK] PDB7 Sig: {BA411BB6-DA07-421F-9EDF-79D8EE6F218E}
[SYMCHK] Age: 2
[SYMCHK] PDB Matched: TRUE
[SYMCHK] DBG Matched: TRUE
[SYMCHK] Line nubmers: FALSE
[SYMCHK] Global syms: FALSE
[SYMCHK] Type Info: FALSE
[SYMCHK] ------------------------------------
SymbolCheckVersion 0x00000002
Result 0x00030001
DbgFilename
DbgTimeDateStamp 0x5f8667a4
DbgSizeOfImage 0x0000e000
DbgChecksum 0x00018262
PdbFilename c:\symbols\winprint.pdb\BA411BB6DA07421F9EDF79D8EE6F218E2\winprint.pdb
PdbSignature {00000000-0000-0000-0000-000000000000}
PdbDbiAge 0x00000000
[SYMCHK] [ 0x00000000 - 0x00030001 ] Checked "C:\Users\user\Desktop\WindowsPrintSpooler\2020-11\p..ooler-core-localspl_6.1.7601.24562\winprint.dll"
SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 11
Configure Ghidra to User Your Download Symbols
Ghidra also has an option to download the symbol, and has the Microsoft symbol server baked in.