
DarunGrim with Symbols

DarunGrim is a patch diffing utility written by Matt Oh. It uses IDA Pro and a few open source Python libraries to perform patch diffs. At the time of this writing, DarunGrim 3.12 Beta is the most recent release. It can be obtained from Github. If that link goes down, you can get it from this mirror. This page tells you which prerequisites are needed, where to get them, and how to install them. Alternatively, you can use this zip file, which contains all the prerequisites in one place, and save yourself from having to hunt them down (DarunGrim uses some pretty old versions of the required libraries).

If you’re using a recent version of IDA Pro (I’m using 6.3), you’ll notice that after performing a diff, sometimes IDA (and therefore DarunGrim) will have worked without the real symbols, so functions show up under generic auto-generated names instead of their actual names. For instance, consider some of the results of a diff performed on d2d1.dll:

[Figure: d2d1.dll diff without symbols]

Doesn’t provide a lot of information about what each function does right off the bat, does it?

To get symbols listed in the diff results, you need to use a plugin called pdbext. You can read about what it does here. Just extract the plw file to your IDA/plugins directory in %programfiles%. Simply put, pdbext loads the proper symbols into the IDA database. Even though IDA will ask you if you want to use the Microsoft symbol server, it does not always use it.

Open the IDA databases that DarunGrim produced during its analysis. For instance, the folders containing the files I am analyzing are in DarunGrim folder\Binaries\Microsoft Corporation\dll_name\version\dll_name.idb. If this is the first time opening this database since installing pdbext, it will ask you what remote and local sources you want to use for obtaining symbols. I use the default settings:

remote: srv**http://msdl.microsoft.com/download/symbols/

Once these values have been set, select Edit -> Plugins -> Load PDB file (dbghelp 4.1+). This will load the symbols into the IDA database file. Close the database. When it asks how to save the changes to disk, select “Pack Database (Store)”. Do this for all of the binaries that were analyzed by DarunGrim.

Once all the necessary IDA database files have been updated with symbols, go back to DarunGrim, open the previous diffing analysis results and hit Reanalyze. This will perform the diff again, but this time, it will use the IDA databases that contain the proper symbols.
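Repeating the open / load PDB / pack cycle by hand for every IDB gets old quickly, so here is an added helper script for the steps above. It is not part of the original post, DarunGrim, or pdbext. It assumes the on-disk layout described above (Binaries\vendor\dll_name\version\dll_name.idb under the DarunGrim folder) and IDA's documented batch switches (-A autonomous mode, -S to run a script, -L for a log file). The small IDAPython script it writes out assumes that calling the built-in pdb plugin with argument 1 loads the PDB for the input file without prompting; that call targets IDA's own plugin and may not drive pdbext, so check one database by hand before trusting a batch run. The sample directory tree and version folder names are constructed placeholders.

```python
"""Batch-load PDB symbols into every IDB that DarunGrim produced (added example)."""
import os
import subprocess
import sys
import tempfile

# IDAPython script executed inside each IDA instance. Assumption: argument 1
# (PDB_CC_IDA) asks the built-in pdb plugin to load the PDB for the current
# input file silently; idc.Exit() then saves the database and exits IDA.
IDA_SCRIPT = '''\
import idaapi
import idc
idaapi.load_and_run_plugin("pdb", 1)
idc.Exit(0)
'''


def find_idbs(binaries_root):
    """Return every IDA database under the DarunGrim Binaries tree, sorted."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(binaries_root):
        for name in filenames:
            if name.lower().endswith((".idb", ".i64")):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def write_ida_script(target_dir):
    """Drop the IDAPython script next to the databases and return its path."""
    path = os.path.join(target_dir, "load_pdb.py")
    with open(path, "w") as fh:
        fh.write(IDA_SCRIPT)
    return path


def build_command(idaq_exe, script_path, idb_path):
    """One batch-mode IDA invocation for a single database.

    -A  autonomous mode (no interactive prompts)
    -S  script to run once the database is open
    -L  log file, kept beside the database for later inspection
    """
    return [idaq_exe, "-A", "-S" + script_path, "-L" + idb_path + ".pdb.log", idb_path]


def run_all(idaq_exe, binaries_root, dry_run=True):
    """Build (and optionally execute) one IDA command per database found."""
    script = write_ida_script(binaries_root)
    commands = [build_command(idaq_exe, script, idb) for idb in find_idbs(binaries_root)]
    for cmd in commands:
        print(subprocess.list2cmdline(cmd))
        if not dry_run:
            subprocess.check_call(cmd)
    return commands


def make_sample_tree(root):
    """Constructed DarunGrim-style layout with empty placeholder IDBs."""
    created = []
    for version in ("version_a", "version_b"):   # placeholder folder names
        folder = os.path.join(root, "Microsoft Corporation", "d2d1.dll", version)
        os.makedirs(folder)
        idb = os.path.join(folder, "d2d1.dll.idb")
        open(idb, "wb").close()
        created.append(idb)
    return created


def demo():
    """Dry run over a constructed tree; returns (root, commands) for inspection."""
    root = tempfile.mkdtemp(prefix="darungrim_")
    make_sample_tree(root)
    commands = run_all(r"C:\IDA\idaq.exe", root, dry_run=True)
    return root, commands


if __name__ == "__main__":
    # Usage: python batch_pdb.py <idaq.exe> <DarunGrim folder>\Binaries [--run]
    if len(sys.argv) >= 3:
        run_all(sys.argv[1], sys.argv[2], dry_run="--run" not in sys.argv)
    else:
        demo()
```

Without --run the script only prints the command lines, which is the right first step: confirm one of them loads symbols and saves the database in IDA before letting it loose on the whole tree, and read the per-database .pdb.log files afterwards to catch databases whose PDB was not found.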

[Figure: d2d1.dll diff after reanalysis with symbols loaded]

Obviously, the diff is a very different result. Hopefully, it is more useful to you.