DiffRays is a research-oriented tool for binary patch diffing, designed to aid in vulnerability research, exploit development, and reverse engineering. It leverages IDA Pro and the IDA Domain API to extract pseudocode of functions and perform structured diffing between patched and unpatched binaries.
- 🔎 Patch Diffing: Compare functions across different binary versions to identify code changes.
- 🧩 IDA Pro Integration: Uses IDA Pro and the IDA Domain API for accurate pseudocode extraction.
- 📂 SQLite Output: Stores results in a SQLite database for easy reuse and analysis.
- 🌐 Web Interface: Built-in server mode to browse, search, and visualize diff results interactively.
- 📊 Research-Ready: Designed to support vulnerability research and exploit development workflows.
- IDA Pro Version
- The IDA Domain library requires IDA Pro 9.1.0 or later.
- IDA Domain API
- Python 3.8+
- Additional Python dependencies
-
Clone the repository
git clone https://github.com/pwnfuzz/diffrays cd diffrays -
Install dependencies
pip install . -
Setup IDADIR environment variable to point to your IDA installation directory:
Windows: set IDADIR="[IDA Installation Directory]" Linux: export IDADIR="[IDA Installation Directory]"
> diffrays --help
______ _ __ ________
| _ (_)/ _|/ _| ___ \
| | | |_| |_| |_| |_/ /__ _ _ _ ___
| | | | | _| _| // _` | | | / __|
| |/ /| | | | | | |\ \ (_| | |_| \__ \
|___/ |_|_| |_| \_| \_\__,_|\__, |___/
__/ |
|___/ v1.0 Kappa
usage: diffrays [-h] {diff,server} ...
Binary Diff Analysis Tool - Decompile, Compare, and Visualize Binary Changes
positional arguments:
{diff,server} Command to execute
diff Analyze two binaries and generate differential database
server Launch web server to view diff results
options:
-h, --help show this help message and exit
Examples:
diffrays diff old_binary.exe new_binary.exe
diffrays diff old.so new.so -o custom_name.sqlite --log
diffrays server --db-path result_old_new_20231201.sqlite --debug
For more information, visit: https://github.com/pwnfuzz/diffrays
-
Run Patch Diffing in IDA
Load your binaries in IDA and run DiffRays to generate diff results:python diffrays.py diff <path_to_old_binary> <path_to_new_binary>
-
Start the DiffRays Server
Once you have a .sqlite file, launch the web interface to explore the diffs:python diffrays.py server --db-path diff_results.sqlite
Open your browser at http://localhost:5555 to view results.
-
Collect target binaries
- CVE-2025-1246 affects the Common Log File System driver (
Clfs.sys). - Download the two versions of the driver from Microsoft’s update packages (via WinBIndex or your preferred source):
- Vulnerable build: Clfs.sys 10.0.22621.5037 → download here
- Patched build: Clfs.sys 10.0.22621.5189 → download here
- Save them into a working directory:
curl -L -o clfs_10.0.22621.5037.sys https://msdl.microsoft.com/download/symbols/clfs.sys/4A2750956f000/clfs.sys curl -L -o clfs_10.0.22621.5189.sys https://msdl.microsoft.com/download/symbols/clfs.sys/68C175656f000/clfs.sys
- CVE-2025-1246 affects the Common Log File System driver (
-
Run DiffRays
python diffrays.py diff clfs_10.0.22621.5037.sys clfs_10.0.22621.5189.sys
-
Start the web server
python diffrays.py server --db-path clfs_diff.sqlite
-
Browse interactively
-
Browse Diff Results
- The Diff Result page shows the results of binary diffing and can be sorted based on changes.
-
View Function Details
- Clicking on a function displays the detailed diff result.
- Researching Microsoft Patch Tuesday vulnerabilities
- Identifying security fixes introduced in new software versions
- Supporting exploit development by analyzing patched vs. unpatched code paths
- Reverse engineering software updates
DiffRays takes inspiration from prior research and tools in the binary diffing space, including:
- BinDiff - Quickly find differences and similarities in disassembled code.
- Diaphora - Diaphora, the most advanced Free and Open Source program diffing tool.
- Ghidriff - Python Command-Line Ghidra Binary Diffing Engine
This project is intended for educational and research purposes only. The author does not condone or encourage malicious use of this tool.
This project is licensed under the MIT License - see the LICENSE file for details.
