Bindiff Remarks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

BinDiff Limitations

BinDiff excludes known time stamp fields and version information that are documented in the Windows module format (known as the PE specification). It also locates date and time string constants (such as __DATE__ and __TIME__) in the source code, and excludes them. This catches the majority of differing regions between two executables, but it is possible to generate files that contain differing regions not excluded by BinDiff. In these cases, BinDiff will report the files as "Different" when the user might have expected the files to be "Near Identical." The following list gives some examples that illustrate this behavior:

  • Debug information comes in many formats, each of which has various time stamps scattered among the debug data. BinDiff does not try to parse the debug information. Instead, it excludes all known debug regions in the files. Thus, if debug data is stored outside of the specified debug regions, then BinDiff does not know to exclude it.

  • There are many post-processing tools that change modules after they are built. These tools, while optimizing page layout, load order, and resources, might strip out information, such as debug information or user names. Localization tools, for example, also change resource strings. Many of these post-processing tools leave data behind, add data, or neglect to clean up dead space and padding areas. This can lead to unexpected differing regions in the two files, which then causes BinDiff to mark the files as "Different."

  • Some modules embed other modules in their resource data. If an embedded module is rebuilt, the time stamps in that module change. Running BinDiff on the embedded module itself should result in a "Near Identical" match. When that module is embedded in another module, however, it becomes part of the resource data of the main module. When BinDiff compares two builds of the main module, it reports "Different" because the differing regions are now part of the resource data.

Understanding FileSpec1 and FileSpec2

FileSpec1 and FileSpec2 can represent either files or directories. If two files are specified, then the files will be compared with each other. If two directories are specified, then all the files within the first directory will be compared with files with the same name in the second directory.

Regions Excluded By BinDiff

The following regions are excluded by default if found in a module:

  • The IMAGE_FILE_HEADER.TimeDateStamp field

  • The IMAGE_OPTIONAL_HEADER.CheckSum field

  • The DOS/Win16 stub code

  • The IMAGE_EXPORT_DIRECTORY.TimeDateStamp field

  • The IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp field

  • The entire IMAGE_DEBUG_DIRECTORY array

  • All debug sections

  • The IMAGE_LOAD_CONFIG_DIRECTORY.TimeDateStamp field

  • The IMAGE_BOUND_IMPORT_DESCRIPTOR.TimeDateStamp field

  • All IMAGE_BOUND_FORWARDER_REF.TimeDateStamp fields

  • The IMAGE_RESOURCE_DIRECTORY.TimeDateStamp field

  • All padding between resources

  • All ANSI __TIMESTAMP__ string constants used in code

  • All ANSI __DATE__ string constants used in code

  • All ANSI __TIME__ string constants used in code

  • All UNICODE __TIMESTAMP__ string constants used in code

  • All UNICODE __DATE__ string constants used in code

  • All UNICODE __TIME__ string constants used in code

If the /v parameter is specified, the following regions are excluded in addition to the default regions:

  • The IMAGE_OPTIONAL_HEADER.MajorLinkerVersion field

  • The IMAGE_OPTIONAL_HEADER.MinorLinkerVersion field

  • The IMAGE_OPTIONAL_HEADER.MajorOperatingSystemVersion field

  • The IMAGE_OPTIONAL_HEADER.MinorOperatingSystemVersion field

  • The IMAGE_OPTIONAL_HEADER.MajorImageVersion field

  • The IMAGE_OPTIONAL_HEADER.MinorImageVersion field

  • The IMAGE_OPTIONAL_HEADER.MajorSubsystemVersion field

  • The IMAGE_OPTIONAL_HEADER.MinorSubsystemVersion field

  • The IMAGE_OPTIONAL_HEADER.Win32VersionValue field

  • All VERSION_INFO resources

Comparing Executable Files

By default, BinDiff uses a special compare routine for all 32-bit and 64-bit Windows executable files that masks various build time stamp fields in both files when performing the compare. This allows two executable files to be marked as "Near Identical" when the files are truly identical except for the time they were built. You can override this behavior with the /b parameter, which forces BinDiff to perform a straight binary compare of all files.
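The following script is an added illustration of the masking idea described in "Regions Excluded By BinDiff" and in this section; it is not BinDiff's own code and does not reproduce every exclusion on the list. It masks the DOS stub, IMAGE_FILE_HEADER.TimeDateStamp and IMAGE_OPTIONAL_HEADER.CheckSum by default, adds the optional-header version fields when `versions=True` (the /v behavior), and skips masking entirely when `straight=True` (the /b behavior). The verdict strings "Near Identical" and "Different" are the ones this page uses; "Identical" for byte-for-byte equal files is an assumed label. The sample PE images are constructed in memory, are not loadable, and stand in for real files.

```python
"""Masked comparison of two PE images, in the spirit of BinDiff's default exclusions.

Added illustration, not the BinDiff tool's own code. It masks the DOS stub,
IMAGE_FILE_HEADER.TimeDateStamp, IMAGE_OPTIONAL_HEADER.CheckSum and, when
`versions` is set (like /v), the optional-header version fields, then compares
what is left. The sample images are constructed here and are not real executables.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 64          # IMAGE_DOS_HEADER is 64 bytes; any stub code follows it
FILE_HEADER_SIZE = 20         # IMAGE_FILE_HEADER is 20 bytes


def _pe_header_offset(data: bytes) -> int:
    """Locate the 'PE\\0\\0' signature through IMAGE_DOS_HEADER.e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    return e_lfanew


def excluded_regions(data: bytes, versions: bool = False):
    """Return (offset, length) byte ranges to mask before comparing.

    Field offsets inside the optional header are identical for PE32 (magic
    0x10B) and PE32+ (magic 0x20B) up to and including CheckSum.
    """
    pe = _pe_header_offset(data)
    regions = []
    if pe > DOS_HEADER_SIZE:                     # DOS/Win16 stub code
        regions.append((DOS_HEADER_SIZE, pe - DOS_HEADER_SIZE))
    file_hdr = pe + 4
    regions.append((file_hdr + 4, 4))            # IMAGE_FILE_HEADER.TimeDateStamp
    opt = file_hdr + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    regions.append((opt + 64, 4))                # IMAGE_OPTIONAL_HEADER.CheckSum
    if versions:                                 # the extra fields BinDiff /v excludes
        regions.append((opt + 2, 2))             # Major/MinorLinkerVersion
        regions.append((opt + 40, 16))           # OS, image, subsystem versions, Win32VersionValue
    return regions


def masked_image(data: bytes, versions: bool = False) -> bytes:
    """Zero every excluded region so that only the remaining bytes are compared."""
    buf = bytearray(data)
    for off, length in excluded_regions(data, versions):
        buf[off:off + length] = bytes(length)
    return bytes(buf)


def classify(a: bytes, b: bytes, versions: bool = False, straight: bool = False) -> str:
    """Return a verdict; `straight=True` skips masking, like BinDiff /b."""
    if a == b:
        return "Identical"          # assumed label for byte-for-byte equal files
    if straight:
        return "Different"
    try:
        if len(a) == len(b) and masked_image(a, versions) == masked_image(b, versions):
            return "Near Identical"
    except ValueError:
        pass                        # not a PE image: fall through to the plain verdict
    return "Different"


def build_sample_pe(timestamp: int, checksum: int, minor_linker: int = 0,
                    code: bytes = b"\x90" * 16) -> bytes:
    """Construct a minimal, non-loadable PE32 image for demonstration only."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew: PE header follows the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 14, minor_linker)  # Magic, Major/MinorLinkerVersion
    struct.pack_into("<I", opt, 64, checksum)                  # CheckSum
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt) + code


if __name__ == "__main__":
    base = build_sample_pe(0x5F000000, 0x1234)
    rebuilt = build_sample_pe(0x5F0E1000, 0xABCD)                 # same code, later build time
    relinked = build_sample_pe(0x5F0E1000, 0xABCD, minor_linker=1)
    patched = build_sample_pe(0x5F0E1000, 0xABCD, code=b"\xCC" * 16)
    print(classify(base, rebuilt))                  # Near Identical
    print(classify(base, rebuilt, straight=True))   # Different (like /b)
    print(classify(base, relinked))                 # Different
    print(classify(base, relinked, versions=True))  # Near Identical (like /v)
    print(classify(base, patched))                  # Different
```

Masking rather than deleting the excluded bytes keeps file offsets aligned, which is why the two images must also have the same length before they can be called "Near Identical"; a real tool would additionally need to walk the data directories and section table to find the export, import, resource and debug regions listed above.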

See Also

Concepts

Bindiff Overview
Bindiff Syntax
Bindiff Examples
Alphabetical List of Tools
Iasparse Overview