NullSec BinaryDiff
February 27, 2026 ยท View on GitHub
Binary Comparison Tool
A comprehensive binary diff and analysis tool written in Swift, demonstrating protocol-oriented programming for security-focused binary comparison.
๐ฏ Overview
NullSec BinaryDiff compares binary files to identify changes in sections, functions, imports, and exports. It highlights security-sensitive modifications and calculates similarity scores for patch analysis and malware research.
โจ Features
- Section Comparison - Detect changes in .text, .data, .bss sections
- Function Diffing - Track function additions, removals, modifications
- Import/Export Analysis - Monitor library dependencies
- Security Highlighting - Flag changes to sensitive functions
- Similarity Scoring - Calculate binary similarity percentage
- Complexity Tracking - Monitor cyclomatic complexity changes
๐ Analysis Types
| Type | Description | Severity |
|---|---|---|
| .text Modified | Code section changed | High |
| Security Func Changed | auth/crypto function modified | High |
| Section Added | New section in binary | Low |
| Function Removed | Function deleted | Medium |
| Import Added | New library dependency | Info |
๐ฆ Installation
# Clone the repository
git clone https://github.com/bad-antics/nullsec-binarydiff
cd nullsec-binarydiff
# Compile with swiftc
swiftc -O binarydiff.swift -o binarydiff
# Or run directly
swift binarydiff.swift
๐ Usage
# Compare two binaries
./binarydiff app_v1 app_v2
# Function-level diff only
./binarydiff -f old.so new.so
# Section-level diff only
./binarydiff -s binary1 binary2
# JSON output
./binarydiff -j old new
# Run demo mode
./binarydiff
๐ป Example Output
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ NullSec BinaryDiff - Binary Comparison Tool โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[Demo Mode]
Comparing sample binaries...
Section Differences:
[~] .text
Type: MODIFIED
Reason: Section content changed
[~] .data
Type: MODIFIED
Reason: Section content changed
[+] .plt
Type: ADDED
Reason: New section added
Function Differences:
[HIGH] ~ auth_user ๐
โข Size: 200 โ 350
โข Complexity: 8 โ 12
[MEDIUM] ~ main
โข Size: 500 โ 600
โข Complexity: 15 โ 18
[HIGH] - unsafe_strcpy ๐
โข Function removed
[INFO] + new_feature
โข New function
Import Changes:
[-] libssl.so.1.1
[+] libssl.so.3
[+] libpthread.so.0
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Summary:
Old Binary: /usr/bin/app_v1.0
New Binary: /usr/bin/app_v2.0
Similarity: 20.0%
Changes:
Sections: 4
Functions: 5
Imports: 3
Exports: 1
Security-Sensitive Changes: 2
๐๏ธ Architecture
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Binary Parser โ
โ ELF | Mach-O | PE Format Support โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Binary Info Extraction โ
โ Sections | Functions | Imports | Exports | Hashes โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโ
โผ โผ โผ
โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ
โ Section โ โ Function โ โ Symbol โ
โ Compare โ โ Compare โ โ Compare โ
โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ
โ โ โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโ
โผ
โโโโโโโโโโโโโโโโ
โ DiffAnalysis โ
โ Result โ
โโโโโโโโโโโโโโโโ
๐ฆ Swift Features Demonstrated
- Enums with Associated Values -
DiffType,Severity - Structs - Value types for
Section,FunctionEntry,BinaryInfo - Computed Properties -
Severity.color - Protocol Extensions -
CaseIterable - Optionals - Safe handling of missing data
- Higher-Order Functions -
filter,map,contains - Set Operations -
subtractingfor diff calculation - String Interpolation - Clean output formatting
๐ง Data Structures
struct BinaryInfo {
let path: String
let size: UInt64
let hash: String
let sections: [Section]
let functions: [FunctionEntry]
let imports: [String]
let exports: [String]
}
struct FunctionDiff {
let diffType: DiffType
let oldFunc: FunctionEntry?
let newFunc: FunctionEntry?
let severity: Severity
let changes: [String]
}
๐ Security-Sensitive Functions
The tool flags changes to these function patterns:
- Memory:
strcpy,memcpy,malloc,free - System:
system,exec,popen,fork - Network:
connect,bind,recv,send - Crypto:
crypt,encrypt,decrypt - Auth:
auth,login,verify,validate
๐ก๏ธ Security Use Cases
- Patch Analysis - Understand security patch changes
- Malware Research - Compare malware variants
- Supply Chain - Verify binary integrity
- Forensics - Identify unauthorized modifications
- Vulnerability Research - Track function changes
โ ๏ธ Legal Disclaimer
This tool is intended for:
- โ Authorized security research
- โ Malware analysis (authorized samples)
- โ Patch verification
- โ Educational purposes
Only analyze binaries you're authorized to examine.
๐ Links
- Portal: bad-antics.github.io
- Discord: x.com/AnonAntics
- GitHub: github.com/bad-antics
๐ License
MIT License - See LICENSE file for details.
๐ท๏ธ Version History
- v1.0.0 - Initial release with binary comparison and security analysis
Part of the NullSec Security Toolkit