Recently I have been working on new DarunGrim and I was just cleaning up the old code. The objective of this new version 4 is faster, lighter and simpler DarunGrim. For a week, I cleaned up a lot of code and fixed a lot of issues with many code refactorings. It is still far from the complete, but I thought that I can share the binary from time to time so that I can get some feedback from the users.
I just uploaded a developmental snapshot here:
The following shows the basic steps to follow to test this test release.
Generating DGF files
After installation, you need to confirm that DarunGrim plugin is installed under IDA program folder. Then, first open an unpatched and patched binaries and run DarunGrim plugin. (Figure 1)
Figure 1 Select DarunGrim Plugin from IDA
A dialog box will pop up and it will ask you where to save the analysis file with .dgf extension. (Figure 2) The analysis file is basically in SQLite format and we just use our own extension so that it can register DarunGrim program handler upon .dgf extension.
Figure 2 Choose output DGF filename
You also do same thing upon patched file with different name, kernel-post.dgf in this case. (Figure 3)
Figure 3 Choose output DGF filename for the patched binary
Perform Binary Diffing
After saving two unpatched and patched dgf files, open them from DarunGrim main program. Run DarunGrim.exe from the Start menu and choose File -> New Diffing menu item. Select source and target dgf files we created already and set output file to save diffing analysis results. (Figure 4)
Figure 4 File Selections Dialog
When you press OK button, the analysis will start. (Figure 5)
Figure 5 Start analysis
It takes some time to complete analysis, the actual timing depends on the binary sizes to analyze. When it is complete, you will see the results will show up on the Functions list. (Figure 6)
Figure 6 Analysis complete
When you double click each function, the Blocks list will be activated and will show the list of blocks inside the function. (Figure 7)
Figure 7 Blocks list
Synchronized IDA view
So, now you can now go through functions and check what functions are patched or something. But it might be beneficial to synchronize DarunGrim program with IDA and DarunGrim already supports it.
First choose View -> Connect to IDA menu. (Figure 8)
Figure 8 Connect to IDA
From the dialog, press “Accept Connection” button from “Source File” line. It will show “Listening…” message. DarunGrim uses TCP port 1216 for the connection between DarunGrim and IDA. This will make DarunGrim to listen on TCP port 1216.
Figure 9 Accept connections
At this point, open up original binary and run DarunGrim plugin. (Figure 10) It will first try to connect to port 1216 on localhost first. If it can connect to that port, it will be running in IDA synchronization mode.
Figure 10 Run DarunGrim plugin
When the connection is successful, the dialog box “Listening…” message will turn into a file path from the original filename. (Figure 11)
Figure 11 IDA Plugin connected successfully
Perform same operations with patched binary. (Figure 12)
Figure 12 Connecting patched binary IDA
Now if everything worked fine, you will see that IDA will display the position where you click from Blocks list view.
Figure 13 Full synchronized view
Now you can enjoy full power of IDA with DarunGrim.
This release is pre-alpha and it might have a lot of issues that are not taken care of yet. I refactored a lot of code and there might be some issues I never tested. If you find any issues or if you have any suggestions form DarunGrim 4, just shoot me a mail at firstname.lastname@example.org or send me a tweet at http://twitter.com/ohjeongwook.