clearbluejar / ghidriff

Python Command-Line Ghidra Binary Diffing Engine
https://clearbluejar.github.io/ghidriff/
GNU General Public License v3.0

Ability to diff already existing databases #49

Closed dev-zzo closed 6 months ago

dev-zzo commented 8 months ago

In some cases it is much more useful to diff two pre-existing databases. For example, when Ghidra's auto-analysis does not pick up certain functions, especially when they are referred to using pointers, I typically have to go through the database and fix that by manually defining those functions. If not fixed, the diff will miss those pieces of code, of course.

If that is already supported, please let me know.

clearbluejar commented 8 months ago

I see what you mean. Currently, the tool creates a new project by default or opens an existing project:

https://github.com/clearbluejar/ghidriff/blob/main/ghidriff/ghidra_diff_engine.py#L417

While you are able to reuse the same Ghidra database (or a single existing database) by setting the project location/name, you would like to be able to define multiple project:file mappings to diff, i.e.

ghidriff proj1:filev1 proj2:filev2 or ghidriff --project proj1 filev1 --project proj2 filev2

Do I understand that correctly?

dev-zzo commented 8 months ago

This looks correct to me.

clearbluejar commented 8 months ago

I like this idea to support importing already analyzed files from multiple projects. I will need to refactor the way files are opened. Currently a single project is used to hold all the analyzed files in the end. I will likely stick with this, so the resulting project will contain all the files being diffed, but be able to import the already analyzed files from previous projects.

Ghidra already has a feature to export analysis to .gzf files. It might be as simple as exporting the file and importing it into the newly created ghidriff project. This could be a temporary workaround for you while you wait for this feature. There might be some complexity if the versions of Ghidra are different, and the latest version of Ghidra can't successfully upgrade the old program file, but we can see how it goes.

Again, for input, something like:

two files from different projects

ghidriff <project-path>:filename1 <project-path2>:filename2

one file from old project, one from path

ghidriff <project-path>:filename1 filename2

Please add your thoughts here and I will link a branch here shortly.

clearbluejar commented 6 months ago

This is a bit embarrassing, but this already worked and I didn't know it. 😬

Well, to some extent. If you want to use a binary that has already been analyzed, you only need to export it into a Ghidra Zip File:


This will create a file with a .gzf extension. Simply run the current version of ghidriff with the gzf exported program as one of the args and it should work! I'm releasing a new version that adds tests for this, but for now that is how I will meet the requirement.

Let me know if it works for your case!
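The export step above is done through the Ghidra GUI (File > Export Program, format "Ghidra Zip File"). For anyone who wants to script the same workaround across many already-analyzed programs, the following Ghidra script is an added example written for this thread; it is not code from the ghidriff project or from the thread's participants. It assumes the script is run with the analyzed program open (GUI or headless) and that the output path is passed as the first script argument; the script name ExportGzf is an arbitrary choice.

```java
// ExportGzf.java -- added example, not part of ghidriff or this issue thread.
// Exports the currently open, already-analyzed program to a Ghidra Zip File
// (.gzf) so it can be passed to ghidriff as one of its file arguments.
// Assumption: the output path is supplied as the first script argument.
import java.io.File;

import ghidra.app.script.GhidraScript;
import ghidra.app.util.exporter.GzfExporter;

public class ExportGzf extends GhidraScript {

    @Override
    public void run() throws Exception {
        String[] args = getScriptArgs();
        if (args.length < 1) {
            printerr("usage: ExportGzf.java <output.gzf>");
            return;
        }

        File out = new File(args[0]);
        if (!out.getName().endsWith(".gzf")) {
            // Keep the extension ghidriff recognises for an analyzed program.
            out = new File(out.getPath() + ".gzf");
        }

        File parent = out.getAbsoluteFile().getParentFile();
        if (parent != null && !parent.isDirectory()) {
            printerr("output directory does not exist: " + parent);
            return;
        }

        // GzfExporter serialises the whole program database, so functions the
        // analyst defined by hand (e.g. targets only reached through pointers)
        // travel with the file and are visible to the diff.
        GzfExporter exporter = new GzfExporter();
        boolean ok = exporter.export(out, currentProgram, null, monitor);
        if (!ok) {
            printerr("export failed for " + currentProgram.getName());
            return;
        }
        println("exported " + currentProgram.getName() + " -> " + out.getAbsolutePath());
    }
}
```

With the script saved in a Ghidra script directory, it can be run headless against an existing project without re-analyzing the program, for example `analyzeHeadless /path/to/projects MyProject -process prog_v1 -noanalysis -readOnly -scriptPath /path/to/scripts -postScript ExportGzf.java /tmp/prog_v1.gzf` (the project, program and paths here are placeholders). Repeating this for the second program and then running `ghidriff /tmp/prog_v1.gzf /tmp/prog_v2.gzf` follows the workaround described in the comment above: ghidriff imports the exported databases instead of auto-analyzing the raw binaries. `-readOnly` keeps the headless run from writing back to the analyst's project.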

clearbluejar commented 6 months ago

I closed this as part of the last PR. Reopen if needed.