
DarunGrim3 Installation & Usage Guide

Prerequisites

Must-have
IDA 5.6: we tested the current release of DarunGrim3 on IDA 5.6. Other versions are not officially supported yet; support for them will come after more testing. You can always try for yourself whether it works, though. In theory there should be no major problems with any IDA version above 5.0.

Optional
If you are going to run DarunGrim3 from the Python source code, you need to install the following Python distribution and Python modules. Other versions might work, but these are the exact packages we tested. This Python and Python module installation is not necessary if you are using the compiled package we provide.

Python 2.6.5: http://www.python.org/ftp/python/2.6.5/python-2.6.5.msi
SQLAlchemy 0.6.3: http://www.sqlalchemy.org/download.html
CherryPy 3.1.2: http://download.cherrypy.org/cherrypy/3.1.2/
Mechanize 0.2.2: http://wwwsearch.sourceforge.net/mechanize/
BeautifulSoup 3.1.0: http://www.crummy.com/software/BeautifulSoup/
Mako 0.3.x: http://www.makotemplates.org/download.html

Web Browser
Any web browser will work except lynx, but we found that Mozilla Firefox renders the results best, as we intended them. IE works too, but it sometimes needs some patience when displaying big tables.

Starting the DarunGrim3 Server


Start DarunGrim3Server.exe from the binary directory. If you are using the Python source code distribution, execute DarunGrim3Server.py from the source directory. When you start the server, you will see the DarunGrim3 web server starting.

The default binding TCP port is 80. You can change the port by editing DarunGrim3.cfg in the line that looks like the following:

[Global]
Port = 80

Main Menu
You will see the first page with 3 menus. On the first run there will not be anything to analyze, so you need to import files first. Click the "Files Import" link.

Importing
You will see an input box; you can enter any local folder name to import PE files from. I recommend testing by importing the "c:\windows" directory, which contains pretty much every system file. If you click "import", it will start importing files. If the process takes too long, the session will time out. When it times out, don't reload the page, because that would trigger the import action again, which is unnecessary.

List of Company Names


You go back to the main menu by connecting to the root URI and selecting the "Files List" menu. It will display the company names of all the files. You will probably be interested in patches from Microsoft, Adobe or Sun. For example, to check Microsoft's binaries, just click the "Microsoft Corporation" link.

List of Files
The next page will display every file that was collected under the selected company name. You just need to click the name of the file you are interested in. I want to diff netapi32.dll for the analysis example. The file is known for having a long history of vulnerabilities.

List of Version Strings for the File


It will display all the different versions of the file that were collected from the system. There will be many different versions of the same file. This is possible because when installing patches, Microsoft usually leaves the original file in some directory. So just by collecting binaries from a machine that is fully patched, you have a good chance of collecting many versions of the patched files. You can choose the versions you want to compare by clicking the radio buttons.

Initiating Diffing Process


After choosing the files to compare, press the "Starting Diffing" button.

Analysis Results
It takes a few minutes to finish the analysis. After that you can see the list of functions that have been modified. You can sort by columns like "Security Implication Score".

Function Level Analysis


If you click a function name in the previous view, you get to the function analysis page shown in the following screenshot. It shows the result side-by-side: the left side is the unpatched function and the right side is the patched one.

Reading the Results


The red blocks on the right side are inserted blocks.

IDA View
From the functions list view, you can click the "Open IDA" link and it will open the IDA views. If you then click each function in the list, the IDA view is automatically refreshed to the matching position and the color code is applied to each of them.

Configuration
The main configuration file name is "DarunGrim3.cfg":

[Global]
Port = 80
[Directories]
BinariesStorage = Binaries
MicrosoftBinariesStorage = Binaries\Microsoft
DGFDirectory = Output
IDAPath = C:\Program Files (x86)\ida\idag.exe
DatabaseName = index.db
PatchTemporaryStore = Temp

The default binaries storage folder name is "Binaries". You can configure this by modifying the "BinariesStorage" value. The default output folder name is "Output". You can configure this by modifying the "DGFDirectory" value. You can also configure the IDA path by changing the "IDAPath" value.
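As an added example (not part of this guide or of DarunGrim3 itself), the following Python loader reads a DarunGrim3.cfg like the one above, fills in the documented defaults for the port and directory settings, and reports a bad port value or an IDA path or storage directory that does not exist before the server is started. The base directory against which relative paths are resolved is an assumption, as is the constructed sample config.

```python
import configparser
import os

# Defaults exactly as listed in the DarunGrim3.cfg shown in this guide.
DEFAULTS = {
    "Global": {"Port": "80"},
    "Directories": {
        "BinariesStorage": "Binaries",
        "MicrosoftBinariesStorage": r"Binaries\Microsoft",
        "DGFDirectory": "Output",
        "IDAPath": r"C:\Program Files (x86)\ida\idag.exe",
        "DatabaseName": "index.db",
        "PatchTemporaryStore": "Temp",
    },
}
DIR_KEYS = ("BinariesStorage", "MicrosoftBinariesStorage",
            "DGFDirectory", "PatchTemporaryStore")

def load_config(text, base_dir="."):
    """Parse DarunGrim3.cfg text. Missing keys get the documented defaults,
    relative directories are resolved against base_dir (assumed here to be
    the server's working directory), and problems come back as warnings."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' safe
    parser.optionxform = str        # keep key case: Port, IDAPath, ...
    parser.read_string(text)
    settings = {}
    for section, keys in DEFAULTS.items():
        for key, default in keys.items():
            settings[key] = parser.get(section, key, fallback=default).strip()
    warnings = []
    try:
        port = int(settings["Port"])
        if not 1 <= port <= 65535:
            raise ValueError(port)
    except ValueError:
        warnings.append("Port is not a valid TCP port: %r" % settings["Port"])
        port = None
    settings["Port"] = port
    for key in DIR_KEYS:
        path = os.path.normpath(os.path.join(base_dir, settings[key]))
        settings[key] = path
        if not os.path.isdir(path):
            warnings.append("%s directory does not exist yet: %s" % (key, path))
    if not os.path.isfile(settings["IDAPath"]):
        warnings.append("IDAPath does not point to a file: %s" % settings["IDAPath"])
    return settings, warnings

# Constructed sample: a cfg that overrides only the port and the IDA path.
SAMPLE_CFG = "[Global]\nPort = 8080\n[Directories]\nIDAPath = C:\\ida\\idag.exe\n"

if __name__ == "__main__":
    cfg, problems = load_config(SAMPLE_CFG, base_dir=os.getcwd())
    print(cfg)
    for p in problems:
        print("warning:", p)
```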

Further details
If you need more information or help, visit http://www.darungrim.org or send me a mail at oh.jeongwook@gmail.com. Any bug reports or feature requests are appreciated.
