Binary Difference Analysis Via Phase Cancellation presented at ShmooCon 2005

by Joe Stewart (LURHQ) and Mike Wisener (LURHQ)

Tags: Security Analysis


Summary: Binary difference analysis is becoming more popular due to a rise in the number of patches released from Microsoft and the increase in long-running multi-variant malware. An interesting approach was taken by Halvar Flake, using graph analysis to determine differences in binaries; however, this method has some drawbacks, one of which is the post-analysis data representation.

Other than the math-intensive graph isomorphism technique, the other obvious approach is to use fingerprinting to identify key characteristics of code, and find non-matching sequences. However, this method is also somewhat limited.

We propose a new analysis system, using methodology borrowed from the audio/RF world: phase cancellation. By applying these techniques, it is possible to overcome some of the drawbacks of both prior methodologies and present a clear picture of what has changed between two binaries. We present two new tools - OllyPerl, a plugin to allow scripting of the OllyDbg debugger in Perl, and WaveDiff, a Perl script which implements the phase-cancellation difference analysis described in the paper. Full source will be provided for both tools.
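The phase-cancellation idea in the abstract, reduced to a small Python illustration. This is an added example, not OllyPerl or WaveDiff (whose source the talk promises separately): each binary is treated as a discrete signal, one copy is phase-inverted and summed with the other, and the offsets where the sum is not silent are the regions that changed. The alignment search, the noise-gate merging of nearby residues, and the constructed sample bytes are all assumptions of this example, not details of the authors' method.

```python
"""Phase-cancellation style difference analysis over two byte strings.

Added illustration of the concept (assumption: not the LURHQ WaveDiff code).
A binary is read as a signal with one sample per byte; summing it with the
phase-inverted copy of the other binary is the same as subtracting them, so
wherever the two agree the sum is silent and wherever they differ a residue
remains.
"""
from typing import List, Tuple

# Constructed sample input: a tiny x86 prologue/epilogue
# (push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; pop ebp; ret).
ORIGINAL = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0, 0x5D, 0xC3])
# Constructed "patched" build: a nop inserted in front and the stack
# reservation bumped from 0x10 to 0x20.
PATCHED = bytes([0x90, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20, 0x33, 0xC0, 0x5D, 0xC3])


def residual(a: bytes, b: bytes, shift: int = 0) -> Tuple[int, List[int]]:
    """Sum signal a with the phase-inverted signal b.

    `shift` aligns a[i] with b[i + shift].  Returns (base, r) where r[k]
    is the residue at a-offset base + k; a negative base means b has
    material before a's first byte.  Samples missing from one signal are
    treated as silence (0), so insertions and deletions leave a residue.
    """
    base = min(0, -shift)
    end = max(len(a), len(b) - shift)
    r = []
    for i in range(base, end):
        va = a[i] if 0 <= i < len(a) else 0
        j = i + shift
        vb = b[j] if 0 <= j < len(b) else 0
        r.append(va - vb)  # adding the inverted copy == subtracting
    return base, r


def residual_energy(a: bytes, b: bytes, shift: int = 0) -> int:
    """Energy of the residue: 0 means perfect cancellation."""
    _, r = residual(a, b, shift)
    return sum(v * v for v in r)


def best_alignment(a: bytes, b: bytes, max_shift: int = 8) -> int:
    """Pick the shift in [-max_shift, max_shift] that leaves the least
    residual energy, so a leading insertion does not make every later
    byte look changed (assumption: a simple search is enough here)."""
    best_shift, best_energy = 0, None
    for shift in range(-max_shift, max_shift + 1):
        energy = residual_energy(a, b, shift)
        if best_energy is None or energy < best_energy:
            best_shift, best_energy = shift, energy
    return best_shift


def changed_regions(a: bytes, b: bytes, shift: int = 0, gap: int = 2) -> List[Tuple[int, int]]:
    """Return [start, end) offsets (relative to a) where cancellation failed.

    Regions separated by fewer than `gap` cancelled samples are merged, a
    crude noise gate so one edit is not reported as several fragments.
    """
    base, r = residual(a, b, shift)
    regions: List[Tuple[int, int]] = []
    start = None
    for k, v in enumerate(r):
        if v != 0 and start is None:
            start = k
        elif v == 0 and start is not None:
            regions.append((start, k))
            start = None
    if start is not None:
        regions.append((start, len(r)))
    merged: List[Tuple[int, int]] = []
    for s, e in regions:
        if merged and s - merged[-1][1] < gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return [(s + base, e + base) for s, e in merged]


def analyse(a: bytes, b: bytes, max_shift: int = 8, gap: int = 2) -> Tuple[int, List[Tuple[int, int]]]:
    """Align, cancel, and report the surviving (changed) regions."""
    shift = best_alignment(a, b, max_shift)
    return shift, changed_regions(a, b, shift, gap)


if __name__ == "__main__":
    shift, regions = analyse(ORIGINAL, PATCHED)
    print(f"best shift: {shift}")
    for s, e in regions:
        print(f"residue at a-offsets [{s}, {e})")
```

Run as a script, it reports a shift of 1 (the inserted nop) and two residues: one before offset 0 (the insertion itself) and one at offset 5 (the changed immediate), while every unchanged byte cancels to silence. Real binaries need alignment per function rather than one global shift, which is the kind of detail the talk's tools would have to handle.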