Oct 27, 2022

Modern Binary/Patch Diffing


In this webinar, Stephen will demonstrate the process of downloading Microsoft cumulative updates, extracting the patched binaries and prepping them for diffing.

It's a very useful way to identify patched vulnerabilities that can potentially be weaponized against unpatched systems, and to learn how vulnerabilities get patched, which aids bug hunting.

My notes:

  • Time consuming to find the diff (use BinDiff or Diaphora).
  • 2022-10 x64 "Windows 10" 22H2 vs "Cumulative Windows 10"
  • 2 purposes:
    • weaponize a patched vuln (n-day exploit)
    • find a new 0-day vuln
  • MS doesn't obfuscate the patch management process. 😅
  • expand.exe -F:* .\xxxx.msu .\extract
  • expand.exe -F:* .\extract\xxxx.cab .\patch
  • expand.exe -F:* .\patch\yyyy.cab .\patch
  • expand.exe -F:* .\patch\zzzz.cab .\patch [20min++]
  • gci -Recurse c:\windows\WinSxS\ -Filter ntdll.dll
  • .\delta_patch.py -i .\NTDLL\ntdll.dll -o ntdll.2020-10.dll .\NTDLL\r\ntdll.dll .\2020-10\x64\ntdll.dll_10.0.18362.1139\f\ntdll.dll
  • .\delta_patch.py -i .\NTDLL\ntdll.dll -o ntdll.2020-11.dll .\NTDLL\r\ntdll.dll .\2020-11\x64\ntdll.dll_10.0.18362.1171\f\ntdll.dll
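The following PowerShell script is an added example, not part of the webinar or the original notes: it chains the steps above end to end. It expands an .msu and every .cab nested inside it, locates the forward delta (f\) for the target DLL, pairs it with the installed file and its reverse delta (r\) from WinSxS, and calls delta_patch.py once per update so the outputs can be loaded side by side into BinDiff or Diaphora. Assumed, not taken from the notes: the .msu file names (placeholders), the work-directory layout, that delta_patch.py (wumb0's msdelta.dll wrapper, the script the notes call) sits at the given path, and that component folders start with amd64_ for x64 and x86_ for x86.

```powershell
# Added example (not from the webinar or the notes). Assumptions are marked.
param(
    [Parameter(Mandatory)] [string[]] $Msu,            # e.g. .\xxxx.msu, .\yyyy.msu (placeholders)
    [string] $Target  = 'ntdll.dll',
    [ValidateSet('x64','x86')] [string] $Arch = 'x64',
    [string] $WorkDir = '.\work',
    [string] $DeltaPy = '.\delta_patch.py',             # assumed location of wumb0's script
    [string] $Python  = 'python'
)
$ErrorActionPreference = 'Stop'
# Component-folder prefix in the cabs and in WinSxS for each arch (assumption).
$prefix = @{ x64 = 'amd64_'; x86 = 'x86_' }[$Arch]

# Expand the .msu and then every .cab found inside it, repeating until no new
# cab turns up (the notes do this by hand, three levels deep).
# WSUSSCAN.cab only carries scan metadata, so it is skipped.
function Expand-Update([string] $Path, [string] $Dest) {
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    & expand.exe -F:* $Path $Dest | Out-Null
    $seen = @{}
    do {
        $cabs = @(Get-ChildItem -Path $Dest -Recurse -Filter *.cab |
                  Where-Object { $_.Name -ne 'WSUSSCAN.cab' -and -not $seen.ContainsKey($_.FullName) })
        foreach ($cab in $cabs) {
            $seen[$cab.FullName] = $true
            & expand.exe -F:* $cab.FullName $Dest | Out-Null   # the slow "20min++" step
        }
    } while ($cabs.Count -gt 0)
}

# Forward delta: <component>\f\<Target> under the expanded update, for our arch only
# (this also drops the wow64_ copy of the same DLL).
function Find-ForwardDelta([string] $Dest) {
    $hits = @(Get-ChildItem -Path $Dest -Recurse -Filter $Target |
              Where-Object { $_.Directory.Name -eq 'f' -and $_.Directory.Parent.Name -like "$prefix*" })
    if ($hits.Count -ne 1) { throw "expected one f\$Target for $Arch, found $($hits.Count) in $Dest" }
    return $hits[0].FullName
}

# Installed file in WinSxS plus the reverse delta stored beside it in r\.
function Find-InstalledBase {
    $hits = @(Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Recurse -Filter $Target -ErrorAction SilentlyContinue |
              Where-Object { $_.Directory.Name -like "$prefix*" })
    if ($hits.Count -lt 1) { throw "no $prefix*\$Target under WinSxS" }
    $base = $hits | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $rev  = Join-Path $base.DirectoryName "r\$Target"
    if (-not (Test-Path $rev)) { throw "no reverse delta at $rev (has this file ever been updated here?)" }
    return [pscustomobject]@{ Base = $base.FullName; Reverse = $rev }
}

$inst = Find-InstalledBase
Write-Host "base:    $($inst.Base)"
Write-Host "reverse: $($inst.Reverse)"

foreach ($m in $Msu) {
    $name = [IO.Path]::GetFileNameWithoutExtension($m)
    $dest = Join-Path $WorkDir $name
    Expand-Update -Path $m -Dest $dest
    $fwd  = Find-ForwardDelta -Dest $dest
    $out  = Join-Path $WorkDir "$Target.$name"
    # installed + reverse delta = RTM file; RTM + this month's forward delta = patched file
    & $Python $DeltaPy -i $inst.Base -o $out $inst.Reverse $fwd
    if ($LASTEXITCODE -ne 0) { throw "delta_patch.py failed for $m" }
    $ver = (Get-Item $out).VersionInfo.FileVersion
    Write-Host "$out  version=$ver  sha256=$((Get-FileHash $out).Hash)"
}
```

Run it from an elevated PowerShell (to avoid access-denied entries while walking WinSxS) with two consecutive months' .msu files, then compare the FileVersion printed for each output with the build number the update advertises before loading the pair into the differ; a version that doesn't match means the wrong f\ folder or the wrong WinSxS base was picked up.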


Links: