July 4, 2026
Advanced Reverse Engineering: Binary Diffing Using Diaphora

By Xchgll
3 min read
What is Binary Diffing ?
Binary diffing is a reverse engineering technique that compares two binaries to identify differences in their code, typically at the function level.
Why is it used?
- Vulnerability research: researchers compare an unpatched binary against its patched version to locate the security flaw and understand how it was fixed.
- Malware analysis: analysts compare an older sample with the newest one to see what was upgraded in the malware and which new malicious techniques were added.
- Other: it can reveal new features or bug fixes that a company did not disclose.
Popular Binary Diffing Tools
- source: https://www.techtarget.com/searchsecurity/feature/An-introduction-to-binary-diffing-for-ethical-hackers
- Zynamics BinDiff (free) Acquired by Google in early 2011, Zynamics BinDiff is available at zynamics.com/bindiff.html. It requires a licensed version of IDA (or Ghidra).
- turbodiff (free) Developed by Nicolas Economou of Core Security, turbodiff is available at https://www.coresecurity.com/core-labs/open-source-tools/turbodiffcs. It can be used with the free version of IDA 4.9 or 5.0. If the links are not working, try here: https://github.com/nihilus/turbodiff.
- DarunGrim/binkit (free) Developed by Jeong Wook Oh (Matt Oh), DarunGrim is available at https://github.com/ohjeongwook/binkit. It requires a recent licensed version of IDA.
- Diaphora (free) Developed by Joxean Koret. Diaphora is available at https://github.com/joxeankoret/diaphora. Only the most recent versions of IDA are officially supported.
Download Diaphora
- Why exactly did I choose Diaphora?
Diaphora does not have the bugs "BinDiff" has, and it is easy to use, open source and advanced.
- Download
Go to https://github.com/joxeankoret/diaphora, clone or download the repo, and extract it.
Use Diaphora with IDA
- I have two versions of the srv.sys driver: the unpatched version, which is affected by the MS17-010 vulnerability (aka EternalBlue), and the patched one. Our goal is to figure out which function in the driver is vulnerable.
- It is really easy to use: just press "ALT + F7", navigate to the Diaphora folder and load the diaphora_ida.py file.
- It will show you this simple window:
Pressing OK generates a SQLite database containing all the information the tool needs about the binary.
- Load the unpatched version into IDA and repeat the same operation, but this time click on "SQLite database to diff against" and select the patched version's database.
This generates the SQLite database for the unpatched version and compares the two.
Hit OK.
Here we go... several windows are shown; you can expand each one using the expand button the arrow points to.
Best Matches
This window shows the functions that matched fully, meaning there are no changes in these functions, so they are outside our interest.
Unmatched in Primary: functions in the unpatched version that do not exist in the patched version (deleted).
Unmatched in Secondary: functions in the patched version that do not exist in the unpatched version (new functions).
Partial Matches
This is what we are interested in. A partial match is a function with small changes, and that is a flag for every researcher.
We don't want to waste time going through all the partial matches; as is known, the vulnerability is caused by the SrvOs2FeaListSizeToNt() function.
To display a function's diff, right-click on it and choose Diff Assembly or Diff Pseudo-code, whichever you like.
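To make the four result categories concrete, here is a toy function-level diff in Python. It is an added illustration, not Diaphora's code: the two "binaries" are constructed mnemonic lists standing in for the per-function data Diaphora exports to SQLite, the function bodies are invented (not the real srv.sys code), and functions are paired by name only, where Diaphora uses many more heuristics.

```python
from difflib import SequenceMatcher
from hashlib import sha256

# Constructed sample data, NOT the real srv.sys code: each "binary" maps a
# function name to the mnemonic stream of its instructions. The patched copy
# changes one function, drops one helper and adds one new function.
PRIMARY = {  # unpatched
    "SrvOs2FeaListSizeToNt": ["push", "mov", "mov", "cmp", "jb", "add", "mov", "pop", "ret"],
    "SrvSmbOpen2": ["push", "mov", "call", "test", "jz", "pop", "ret"],
    "OldHelper": ["mov", "ret"],
}
SECONDARY = {  # patched
    "SrvOs2FeaListSizeToNt": ["push", "mov", "mov", "cmp", "jb", "cmp", "ja", "add", "mov", "pop", "ret"],
    "SrvSmbOpen2": ["push", "mov", "call", "test", "jz", "pop", "ret"],
    "NewCheck": ["mov", "cmp", "ja", "ret"],
}


def func_hash(mnemonics):
    """Hash of the mnemonic stream; equal hashes mean identical code (a best match)."""
    return sha256(" ".join(mnemonics).encode()).hexdigest()


def similarity(a, b):
    """Ratio in [0, 1] of how much of the two mnemonic streams lines up."""
    return SequenceMatcher(None, a, b).ratio()


def diff_binaries(primary, secondary):
    """Sort every function into the four categories Diaphora reports."""
    result = {"best": [], "partial": [], "unmatched_primary": [], "unmatched_secondary": []}
    for name, body in primary.items():
        if name not in secondary:
            result["unmatched_primary"].append(name)      # deleted in the patch
        elif func_hash(body) == func_hash(secondary[name]):
            result["best"].append(name)                   # unchanged, skip it
        else:                                             # same function, changed body
            result["partial"].append((name, round(similarity(body, secondary[name]), 2)))
    result["unmatched_secondary"] = [n for n in secondary if n not in primary]  # new
    # Least similar first: the biggest changes are the first place to look.
    result["partial"].sort(key=lambda item: item[1])
    return result


if __name__ == "__main__":
    for category, entries in diff_binaries(PRIMARY, SECONDARY).items():
        print(f"{category}: {entries}")
```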
good byeeeeeeeeee