BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary. Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries. This also helps to retain knowledge across teams of binary analysts where the individual workflows might vary from analyst to analyst.
More specifically, BinDiff can be used to:
- Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures.
- Identify identical and similar functions in different binaries.
- Port function names, comments and local variable names from one disassembly to another.
- Detect and highlight changes between two variants of the same function.
Here is a screenshot demonstrating what using BinDiff to display per-function differences looks like:
At Google, the BinDiff core engine powers a large-scale malware processing pipeline helping to protect both internal and external users. BinDiff provides the underlying comparison results needed to cluster the world’s malware into related families with billions of comparisons performed so far.
Ever since zynamics joined Google in 2011, they have been committed to keeping their most valuable tools available to the security research community. They first lowered the price, and today they are taking the next logical step by making it available free of charge.
You can download BinDiff from the zynamics web site. It’s the current version, BinDiff 4.2 for both Linux and Windows. To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.