clearbluejarNew #ghidriff release! v0.9.0
- Set custom analysis options
- Set custom base address (bootloaders, etc)
https://github.com/clearbluejar/ghidriff/releases/tag/v0.9.0
buheratorHereβs the #Ghidriff output for CLFS.sys 10.0.20348.3328 vs. 10.0.20348.3453, likely corresponding to the CVE-2025-29824 use-after-free LPE:
https://gist.github.com/v-p-b/8c43fb8e0d72814dcd03764d478622ce
Here are the results of #ghidriff's VersionTrackingDiff ran on the latest patch of afd.sys (likely as the result of CVE-2025-21418):
https://gist.github.com/v-p-b/458475d0c7f8aaf6496b5168c04ea262
The change seems to affect a single but significant API (AfdAccept()), my initial guess is this was a locking issue.
#ExploitWednesday
https://gist.github.com/v-p-b/458475d0c7f8aaf6496b5168c04ea262
The change seems to affect a single but significant API (AfdAccept()), my initial guess is this was a locking issue.
#ExploitWednesday
Just released #ghidriff v0.8.0 - Ghidra 11.3 Support + PyGhidra π₯π
This release uses the latest PyGhidra now officially supported by Ghidra π€πͺ
https://github.com/clearbluejar/ghidriff/releases/tag/v0.8.0
π included!
CVE-2024-43625 - 2024-Nov - Microsoft Windows VMSwitch Elevation of Privilege - Use After Free - CVSS 8.1
#ghidriff vmwsitch diff
https://gist.github.com/clearbluejar/b5c12615270a54d031dc13a7d07988c9
ππ₯
Side-by-side view: https://diffpreview.github.io/?b5c12615270a54d031dc13a7d07988c9 π§
A patch diffing π§΅...
CVE-2025-21325 - 2025-Jan - ARM64 - Windows Secure Kernel Mode Elevation of Privilege
#ghidriff full diff π https://gist.github.com/clearbluejar/318abe5d072eef55b9ea7c23a591726e
Incorrect permission assignment? π§ https://gist.github.com/clearbluejar/318abe5d072eef55b9ea7c23a591726e#skmicommitpte-diff
CVE-2025-21325 2025-Jan ARM 64 Windows Secure Kernel Mode Elevation of Privilege Incorrect Permission Assignment for Critical Resource 7.8
CVE-2025-21325 2025-Jan ARM 64 Windows Secure Kernel Mode Elevation of Privilege Incorrect Permission Assignment for Critical Resource 7.8 - securekernel.exe.arm64.10.0.19041.5247-securekernel.e...
ghidriff - mpengine.dll - VersionTrackingDiff - 1.1.24030.4 vs 1.1.24060.5
https://gist.github.com/v-p-b/f9aa39263e125c8e3b04c4d22fd4d78d#strings
This one executed much faster than SimpleDiff (with the O(n^2) FuncName:Param algorithm)!
Unfortunately the diff is so big it's difficult to judge quality, so the next step is to come up with some metrics that can be checked automatically.
#bindiff #ghidriff
https://gist.github.com/v-p-b/f9aa39263e125c8e3b04c4d22fd4d78d#strings
This one executed much faster than SimpleDiff (with the O(n^2) FuncName:Param algorithm)!
Unfortunately the diff is so big it's difficult to judge quality, so the next step is to come up with some metrics that can be checked automatically.
#bindiff #ghidriff
You diff binaries and immediately find the single change that adds the overflow check.
I diff mpengine.dll and break all reversing tools out there.
We are not the same.
https://gist.github.com/v-p-b/513a8f70a32c62f3ab7bf0d6a90e0941
#bindiff #ghidriff
I diff mpengine.dll and break all reversing tools out there.
We are not the same.
https://gist.github.com/v-p-b/513a8f70a32c62f3ab7bf0d6a90e0941
#bindiff #ghidriff
Exciting! My talk recording just dropped from #OBTS v7! π£οΈβ¨ Learn how to patch diff on Apple with #Ghidra, #ghidriff, and #ipsw: "Patch Different on *OS": https://www.youtube.com/watch?v=Ellb76t7nrc
#OBTS v7.0: "Patch Different on *OS" - John Mclntosh
latest #ghidriff now running with Ghidra 11.2 π π₯ https://github.com/clearbluejar/ghidriff/releases/tag/v0.7.3
