CHAPTER 5
DIFFING
What is Diffing?
The practice of comparing two sets of data, before and after a change has occurred
The purpose is to determine what data to modify in the data file directly, so as to cause the change behind the application's back
The two things compared could be files, Registry entries, memory contents, packets, e-mails etc.
Here we'll limit our discussion to files (including special files such as the Windows Registry)
This technique can be used to cheat at games, recover passwords, bypass protection mechanisms etc.
Tools
File Comparison Tools
  – Determine the differences between two files
  – FC
    » Included in DOS (later in Windows)
  – Diff
    » Originated on the UNIX platform
    » Has limited binary comparison capabilities, but is useful primarily for text file comparison
    » Microsoft also includes this utility, called Windiff, in the Windows NT and Windows 98 resource kits
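A byte-level comparison in the spirit of FC /B, added here as an example (not code from the slides). The "before" and "after" snapshots are constructed inline as a small saved-game style record, so nothing has to be read from disk; adjacent differing bytes are merged into runs so a changed multi-byte field is reported once.

```python
"""Byte-level comparison of a file before and after a change, in the
spirit of FC /B or cmp -l.  Added example for this chapter; not code
from the slides.  The two snapshots are constructed inline (a saved
game style record) so nothing has to be read from disk."""
from typing import List, Tuple

# Constructed sample: magic, 16-byte name, 32-bit little-endian gold
# counter, 1-byte level.  AFTER is what the application writes once
# the player has earned gold and gained a level.
HEADER = b"SAVE\x00" + b"player01".ljust(16, b"\x00")
BEFORE = HEADER + (1000).to_bytes(4, "little") + b"\x03"
AFTER = HEADER + (70000).to_bytes(4, "little") + b"\x04"


def diff_bytes(old: bytes, new: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return runs of differing bytes as (offset, old_run, new_run).

    Adjacent differing offsets are merged so a changed multi-byte field
    shows up as one run rather than one hit per byte.  Bytes present in
    only one input (length mismatch) are reported against b"".
    """
    def same(i: int) -> bool:
        return i < len(old) and i < len(new) and old[i] == new[i]

    runs: List[Tuple[int, bytes, bytes]] = []
    limit = max(len(old), len(new))
    i = 0
    while i < limit:
        if same(i):
            i += 1
            continue
        start = i
        while i < limit and not same(i):
            i += 1
        runs.append((start, old[start:i], new[start:i]))
    return runs


def describe(runs: List[Tuple[int, bytes, bytes]]) -> List[str]:
    """Render runs FC /B style: hex offset, old bytes, new bytes."""
    return [f"{off:08X}: {o.hex() or '-'} -> {n.hex() or '-'}"
            for off, o, n in runs]


if __name__ == "__main__":
    # The two runs land on the gold counter (offset 0x15) and the level byte.
    for line in describe(diff_bytes(BEFORE, AFTER)):
        print(line)
```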
Tools
Hex Editors
  – Make changes to a binary file
  – Direct access
  – Hackman
    » Free, Windows-based
    » Features include searching, cutting, pasting, a hex calculator, a disassembler etc.
  – [N] Curses Hexedit
    » Free program
    » Under the GPL (GNU Public License)
    » Available for all UNIX versions and DOS
    » Features: search, binary calculator (converter) etc.
Tools
Hex Editors
  – Hex Workshop
    » Commercial software from Breakpoint Software
    » $49.90 U.S., Windows platform
    » 30-day trial available
    » Features: arithmetic functions, base converter, calculator, checksum calculator etc.
Tools
File System Monitoring Tools
  – Work on a group of files, such as a partition, drive letter or directory
  – These tools make the process of determining which file changed easier
  – The hard way
    » Copy all files, then compare with the modified files to identify which files have been changed
  – File attributes
    » Things like dates, times, size, permissions etc.
Tools
File System Monitoring Tools
  – Using the Archive Attribute
    » The FAT (File Allocation Table) file system includes a file attribute called the archive bit
    » Its purpose is to determine whether a file has been modified since the last backup
  – Checksums / Hashes
    » The central problem is when viruses, trojans or rootkits have modified the files
    » Use checksums or a cryptographic hash algorithm
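The per-file hash approach from the two File System Monitoring slides, added here as an example (not code from the slides): a baseline snapshot of a directory is taken, the directory is changed, and a second snapshot is compared against the first to list added, removed and modified files. demo() builds a throwaway tree of constructed files so it runs offline; the in-place edit keeps the file size, which is exactly the case a size-only attribute check would miss.

```python
"""Directory baseline and compare using a per-file hash: the automated
form of the 'hard way' (copy everything, compare later).  Added example
for this chapter, not code from the slides; demo() uses constructed files."""
import hashlib, os, tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)


def snapshot_tree(root: str) -> Snapshot:
    """Record size and SHA-256 of every regular file under root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def compare(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified between snapshots.
    Size alone (a file attribute) misses a same-length edit; the hash catches it."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(p for p in common if before[p] != after[p])}


def write(root: str, rel: str, body: bytes) -> None:
    with open(os.path.join(root, rel), "wb") as f:
        f.write(body)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then edit one in place
    (same length), delete one and create one; return the delta."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "data"))
        write(root, "data/score.dat", b"\xe8\x03\x00\x00")
        write(root, "data/config.ini", b"sound=on\n")
        write(root, "readme.txt", b"hello\n")
        base = snapshot_tree(root)
        write(root, "data/score.dat", b"\x70\x11\x01\x00")  # same size
        os.remove(os.path.join(root, "readme.txt"))
        write(root, "data/log.txt", b"run 1\n")
        return compare(base, snapshot_tree(root))
```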
Problems
Challenges to editing data files directly
Checksums / Hashes
  – A checksum or hash is stored with the file
  – A small value represents a block of data; the old and new values are compared: if they are the same, proceed; if not, the file is treated as corrupt
Compression / Encryption
  – All files will show as changed
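The stored-checksum check from the Problems slide, added here as an example (not code from the slides). The layout, a payload followed by a 4-byte big-endian CRC-32 of that payload, is a constructed format, not any real product's: verify() recomputes the value and rejects the file when it does not match the stored one, which is the "file corrupt" path the slide describes.

```python
"""Verifying a data file that stores its own checksum, the check the
Problems slide describes.  Added example for this chapter, not code from
the slides; the layout (payload followed by a 4-byte big-endian CRC-32
of the payload) is a constructed format, not any real product's."""
import zlib


def pack(payload: bytes) -> bytes:
    """Write the file: payload plus CRC-32 trailer."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def verify(blob: bytes) -> bytes:
    """Return the payload if the stored CRC matches the recomputed one,
    otherwise raise ValueError: the 'file corrupt' path on the slide."""
    if len(blob) < 4:
        raise ValueError("truncated: no checksum trailer")
    payload, stored = blob[:-4], int.from_bytes(blob[-4:], "big")
    computed = zlib.crc32(payload)
    if computed != stored:
        raise ValueError(f"checksum mismatch: stored {stored:08x}, "
                         f"computed {computed:08x}")
    return payload


def is_valid(blob: bytes) -> bool:
    """Boolean form of verify() for callers that only need accept/reject."""
    try:
        verify(blob)
    except ValueError:
        return False
    return True


# Constructed record used for the checks: an in-place byte edit that
# leaves the trailer untouched is rejected as corrupt.  A plain CRC is
# only a speed bump, as the next slide says: it detects accidental
# damage, not a deliberate change that also regenerates the trailer.
RECORD = pack(b"gold=1000")
```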
How to Secure Against Diffing
There is no true security against this type of attack
One approach is to encrypt the files using a variation of a real encryption algorithm
This is just to make the attack more difficult
End Of Chapter 5