  • Stars: 3,639
  • Rank: 12,159 (Top 0.3 %)
  • Language: Python
  • License: GNU Affero Genera...
  • Created over 9 years ago
  • Updated 2 months ago


Repository Details

Diaphora, the most advanced Free and Open Source program diffing tool.

Diaphora (διαφορά, Greek for 'difference') version 3.0 is the most advanced program diffing tool (working as an IDA plugin) available as of today (2023). It was first released during SyScan 2015 and has been actively maintained since then: it has been ported to every minor version of IDA from 6.8 to 8.3.

Diaphora supports IDA versions >= 7.4, because the code only runs under Python 3.x (Python 3.11 is the latest version tested).

Unique Features

Diaphora has many of the most common program diffing (bindiffing) features you would expect, such as:

  • Diffing assembler.
  • Diffing control flow graphs.
  • Porting symbol names and comments.
  • Adding manual matches.
  • Similarity ratio calculation.
  • Batch automation.
  • Call graph matching calculation.
  • Dozens of heuristics based on graph theory, assembler, bytes, functions' features, etc...

However, Diaphora also has many features that are unique and not available in any other public tool. The following is a non-exhaustive list of them:

  • Ability to port structs, enums, unions and typedefs.
  • Support for compilation units (finding and diffing compilation units).
  • Microcode support.
  • Parallel diffing.
  • Pseudo-code based heuristics.
  • Pseudo-code patches generation.
  • Diffing pseudo-codes (with syntax highlighting!).
  • Scripting support (for both the exporting and diffing processes).
  • ...

Donations

You can help (or thank) the author of Diaphora by making a donation, if you feel like doing so: Donate

License

Versions of Diaphora up to and including 1.2.4 are licensed under the GNU GPL version 3. Since version 2.0, Diaphora is licensed under the GNU Affero GPL version 3. The license was changed so that companies wanting to modify and adapt Diaphora cannot offer web services based on those modified versions without contributing the changes back.

For 99.99% of users, the license change doesn't affect them at all. If your company needs a different licensing model, check the next section...

Licensing

Commercial licenses of Diaphora are available. Please contact [email protected] for more details.

Documentation

See the tutorial: https://github.com/joxeankoret/diaphora/blob/master/doc/diaphora_help.pdf

Screenshots

Diaphora finding the exact function where a vulnerability was patched in CVE-2020-1350:

[Screenshot: CVE-2020-1350]

Diaphora, again, finding the exact function where CVE-2023-28231 was fixed:

[Screenshot: CVE-2023-28231]

As explained in a blog post from ZDI, the vulnerability was fixed by checking that the number of relay forward messages in "ProcessRelayForwardMessage()" is less than 32 (0x20), as shown in the following pseudo-code diff:

[Screenshot: CVE-2023-28231 pseudo-code diff]
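As an added illustration of what the "similarity ratio" and assembly/pseudo-code diffing features listed above compute, and of why a one-instruction bound check like the CVE-2023-28231 fix shows up as a partial match rather than a best match, the toy script below normalizes two constructed assembly listings, scores them with Python's difflib, and lists the instructions the patch introduced. This is example code written for this page, not Diaphora's own code: the listings are constructed, the ADDR normalization rule and the match thresholds are assumptions chosen for the example, and Diaphora's heuristics and ratios are computed differently.

```python
import difflib
import re

# Constructed sample listings for this example (not the real CVE-2023-28231
# code): the same function before and after a patch that rejects a count of
# 32 (0x20) or more before a call that trusts it.
BEFORE = """\
push rbx
mov rbx, rcx
mov ecx, [rbx+0x10]
lea rdx, [rbx+0x18]
call 0x140001000
mov eax, 1
pop rbx
ret
"""

AFTER = """\
push rbx
mov rbx, rcx
mov ecx, [rbx+0x10]
cmp ecx, 0x20
jae 0x140002050
lea rdx, [rbx+0x18]
call 0x140001000
mov eax, 1
pop rbx
ret
"""

# Same code as BEFORE, but the callee was relocated in a rebuild: a naive
# byte or text comparison flags this as changed, a normalized one must not.
REBUILT = BEFORE.replace("call 0x140001000", "call 0x140001230")

# Assumption for this example: hex literals of 6+ digits are addresses and
# get masked; short immediates such as 0x20 are kept, because they are
# frequently the substance of a patch.
_ADDR = re.compile(r"0x[0-9a-fA-F]{6,}")


def normalize(listing: str) -> list[str]:
    """Strip per-build noise (absolute addresses, blank lines, indentation)
    so that only semantically relevant differences remain."""
    return [_ADDR.sub("ADDR", line.strip())
            for line in listing.splitlines() if line.strip()]


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] over normalized instruction lines
    (2*matches/total, as difflib defines it); 1.0 means identical."""
    matcher = difflib.SequenceMatcher(None, normalize(a), normalize(b),
                                      autojunk=False)
    return matcher.ratio()


def classify(ratio: float) -> str:
    """Bucket a ratio the way a diffing UI presents matches. The thresholds
    are illustrative values chosen for this example, not Diaphora's."""
    if ratio == 1.0:
        return "best"
    if ratio >= 0.5:
        return "partial"
    return "unreliable"


def added_lines(a: str, b: str) -> list[str]:
    """Instructions present in b but not in a, i.e. what the patch introduced."""
    diff = difflib.unified_diff(normalize(a), normalize(b), lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    ratio = similarity(BEFORE, AFTER)
    print(f"rebuilt vs original: {similarity(BEFORE, REBUILT):.3f}")
    print(f"patched vs original: {ratio:.3f} ({classify(ratio)})")
    for line in added_lines(BEFORE, AFTER):
        print("  +", line)
```

The rebuilt listing scores 1.0 because only a masked address moved, while the patched listing scores 16/18 (about 0.889): eight of its ten instructions still line up with the original, and the two added lines are exactly the `cmp ecx, 0x20` / `jae` bound check, which is the kind of small, high-signal difference a reviewer reads out of a pseudo-code diff.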

Diaphora doing Hex-Rays microcode diffing:

[Screenshot: diffing microcode in a graph]

Diffing assembly, pseudo-code and microcode:

[Screenshot: assembly, pseudo-code and microcode]

Diffing CVE-2023-21768 with Diaphora 3.0:

[Screenshot: diffing CVE-2023-21768 with Diaphora 3.0]

This is a screenshot of Diaphora diffing the PEGASUS iOS kernel vulnerability fixed in iOS 9.3.5:

[Screenshot: diffing the iOS 9.3.5 patch]

And this is an old screenshot of Diaphora diffing the Microsoft bulletin MS15-034:

[Screenshot: Diaphora diffing MS15-034]

These are some screenshots of Diaphora diffing the Microsoft bulletin MS15-050, extracted from the blog post Analyzing MS15-050 With Diaphora by Alex Ionescu:

[Screenshots: MS15-050 best matches; MS15-050 partial matches; MS15-050 pseudo-code diff]

Diaphora diffing a LuaBot sample, matches and pseudo-code:

[Screenshot: Diaphora diffing a LuaBot, matches and pseudo-code]

Here is a screenshot of Diaphora diffing iBoot from iOS 10.3.3 against iOS 11.0:

[Screenshot: Diaphora diffing iBoot from iOS 10.3.3 against iOS 11.0]

More Repositories

  • pigaios (Python, 635 stars): A tool for matching and diffing source code directly against binaries.
  • pyew (Python, 383 stars): Official repository for Pyew.
  • nightmare (Python, 371 stars): A distributed fuzzing testing suite with web administration.
  • multiav (Python, 312 stars): MultiAV scanner with Python and JSON API. Disclaimer: I don't maintain it any more.
  • idamagicstrings (Python, 304 stars): An IDA Python script to extract information from string constants.
  • CVE-2017-7494 (Python, 256 stars): Remote root exploit for the SAMBA CVE-2017-7494 vulnerability.
  • cosa-nostra (Python, 227 stars): Cosa Nostra, a FOSS graph-based malware clusterization toolkit.
  • membugtool (C++, 125 stars): A DBI tool to discover heap memory related bugs.
  • maltindex (Python, 66 stars): Mal Tindex is an Open Source tool for indexing binaries and helping attribute malware campaigns.
  • tahh (Python, 58 stars): Source code for "The Antivirus Hackers Handbook" book.
  • mynav (Python, 28 stars): Automatically exported from code.google.com/p/mynav.
  • oldidc (Python, 21 stars): IDA Python's idc.py <= 7.3 compatibility module.
  • deeptoad (C, 20 stars): DeepToad is a library and a tool to clusterize similar files using fuzzy hashing.
  • diaphora-ml (Python, 18 stars): Diaphora Machine Learning tools and datasets.
  • ubsnippets (17 stars): Undefined Behaviour Snippets.
  • pyavast (Python, 14 stars): Python bindings for Avast antivirus server version for Linux.
  • jkutils (Python, 11 stars): My own Python Utility Libraries.
  • pinpack (C++, 10 stars): A PIN Tool to unpack simple write-and-exec packers (for Linux).
  • super-irudi (Python, 5 stars): Super Irudi, a command line based tool to enhance photographs.
  • pigaios-databases (3 stars): Pigaios SQLite databases.
  • tnsids (1 star): Automatically exported from code.google.com/p/tnsids.