
SiSyPHuS Win10: Monitoring System Modifications

The objective of this work package is to develop a technical solution for detecting, monitoring, and evaluating modifications of files containing executable binary code. A further objective is to develop a technical solution for detecting and analyzing modifications of the Windows registry. These technical solutions should be understood as concepts: different methods and tools are presented, and their application to achieve the respective objectives is discussed. No claim is made that the technical solutions can determine all system modifications; rather, they apply to the specific scenarios laid out in the document.

Table of Contents – Part 1:

1 Introduction
1.1 Zusammenfassung (german)
1.2 Executive Summary
1.3 Concepts and Terms
2 Technical Analysis
2.1 Deployment of Policy Settings
2.2 Logging Capabilities
2.2.1 Analysis of administrative template files
Appendix
- Tools
- Powershell Commands: Administrative Template Files
- Group Policy Extensions
- Microsoft-Windows-GroupPolicy
- References
- Keywords and Abbreviations

Table of Contents – Part 2:

1 Introduction
1.1 Zusammenfassung (german)
1.2 Executive Summary
2 Concepts and Terms
2.1 Scenario
2.2 Overview and Scoping
3 Current State of Binary Diffing Research
3.1 Binary Diffing Frameworks
4 Technical Solution for Scenario S1
4.1 Individual Steps of Technical Solution
5 Technical Solution for Scenario S2
5.1 Individual Steps of Technical Solution
6 Technical Solution for Scenario S5
6.1 Individual Steps of Technical Solution
7 Technical Solution for Scenario S7
7.1 Format of Hive Files
7.2 Analysis Tool for Hive Files
7.3 Comparison
8 Tasks and Efforts
9 Summary and Recommendations
Appendix
- Keywords and Abbreviations
- References

Summary – Part 1:

This part focuses on the analysis of the Group Policy component in Windows 10. Group Policy is a Windows administration technology. The Group Policy component enables the configuration and deployment of system configurations, referred to as policy settings. Policy settings are administrative directives that configure computer-wide and user-specific capabilities and behaviors. Group Policy deploys policy settings using the Group Policy protocol. This protocol implements a client-server relationship between the entity that stores policy settings (referred to as the Group Policy server) and the entity on which the policy settings stored at the Group Policy server are deployed (referred to as the Group Policy client). The Group Policy protocol is implemented by a software entity referred to as the Group Policy engine (the dynamic link library (DLL) gpsvc.dll). Among other things, the protocol specifies the layout of the data exchanged between the Group Policy server and client. The Group Policy client uses the Group Policy protocol to retrieve specific policy settings from a Group Policy server.

Summary – Part 2:

In Section 2, the general terms and concepts needed to describe the technical solution are introduced. There, we differentiate between several scenarios that require using such a solution. Overall, seven scenarios are defined:

  • Scenario S1: Modifications by Windows Updates for Same Windows 10 Versions (Section 2.1.1.1)
  • Scenario S2: Modifications by Windows Updates for Different Windows Versions (Section 2.1.1.2)
  • Scenario S3: Modifications by Installers (Section 2.1.1.3)
  • Scenario S4: Comparison of Arbitrary Non-Controlled Target System Against Related Controlled Baseline System (Section 2.1.2.1)
  • Scenario S5: Comparison of Arbitrary Non-Controlled Target System Against Arbitrary Non-Controlled Baseline System (Section 2.1.2.2)
  • Scenario S6: Runtime Modifications of a Windows 10 System (Section 2.1.3.1)

Apart from the scenarios to detect modifications for files containing binary code, a further scenario (that is independent of the previous ones) will be considered:

  • Scenario S7: Analysis of Modifications of Windows Registry (Section 2.1.4.1)

In Section 2.2, we define the scope of the current document. It is specified there that the present document focuses on the technical solutions for scenario S1, S2, S5, and S7. It is noted, however, that certain parts of the technical solution can also be applied to the other scenarios.
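Before a binary diffing framework can be pointed at a function, one first has to know which files on the target system differ from the baseline at all. The following Python script is an example added for this page (it is not tooling from the SiSyPHuS report): it builds a SHA-256 inventory of every PE file under a directory tree and diffs two such inventories, which is the file-level triage step shared by scenarios S1, S2 and S5. The two sample trees, their file names and contents are constructed inline.

```python
"""Triage which executable files changed between two file-system snapshots.

Example code added for this page (not tooling from the SiSyPHuS report): before
a binary diffing framework such as Diaphora or BinDiff is pointed at a function,
one has to know which files on the target system differ from the baseline at all.
The script builds a SHA-256 inventory of every PE file under a directory tree and
diffs two such inventories; the sample trees below are constructed inline.
"""
import hashlib
import json
import struct
import tempfile
from pathlib import Path

PE_SIGNATURE = b"PE\x00\x00"


def is_pe_file(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range e_lfanew yields an empty slice and therefore False.
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def inventory(root: Path) -> dict:
    """Map each PE file below root (path relative to root) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            if is_pe_file(data):
                result[path.relative_to(root).as_posix()] = hashlib.sha256(data).hexdigest()
    return result


def diff_inventories(baseline: dict, target: dict) -> dict:
    """Classify paths as added, removed or modified (content hash differs)."""
    common = set(baseline) & set(target)
    return {
        "added": sorted(set(target) - set(baseline)),
        "removed": sorted(set(baseline) - set(target)),
        "modified": sorted(p for p in common if baseline[p] != target[p]),
    }


def make_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-like image for the demo: MZ header, e_lfanew=0x40, PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + payload


def demo() -> dict:
    """Write a constructed baseline and target tree to a temp dir and return their diff."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline_root, target_root = Path(tmp, "baseline"), Path(tmp, "target")
        trees = {
            baseline_root: {
                "System32/gpsvc.dll": make_pe(b"version 1"),    # modified in target
                "System32/kernel32.dll": make_pe(b"unchanged"),
                "System32/old.dll": make_pe(b"removed later"),
                "System32/readme.txt": b"not executable code",  # ignored: not a PE file
            },
            target_root: {
                "System32/gpsvc.dll": make_pe(b"version 2"),
                "System32/kernel32.dll": make_pe(b"unchanged"),
                "System32/newsvc.dll": make_pe(b"new binary"),
                "System32/readme.txt": b"not executable code",
            },
        }
        for root, files in trees.items():
            for rel, data in files.items():
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return diff_inventories(inventory(baseline_root), inventory(target_root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, inventory() is run against the mounted baseline and target images (for S1, for example, the contents of the same Windows 10 image before and after an update), and the "modified" list is the candidate set handed to the function-level diff. A differing hash does not by itself mean that code changed: relinking with a new timestamp, a new Authenticode signature or a changed version resource also changes the hash, and deciding whether any code actually changed is exactly what the binary diffing step is for.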

Since the technical solutions for the scenarios are partly based on existing methods and frameworks for binary diffing, a large part of this document focuses on providing information on how these frameworks are implemented. In Section 3, the current state of binary diffing research is presented and a comparison of the approaches used in different research papers is compiled. However, although many research papers exist, almost none of the researchers publish an implementation of the presented approaches. Consequently, integrating the presented approaches into a binary diffing framework is difficult and coupled with substantial development effort.

Apart from the current state of binary diffing research, the implementations of existing binary diffing frameworks have been evaluated (Section 3.1). The evaluation focused on maintained and well-established frameworks used by the general community of reverse engineers. Overall, only two frameworks have been identified that fulfill these requirements:

  • Diaphora [1] by Joxean Koret
  • BinDiff [2] by Zynamics (owned by Google)

The information provided for the technical solution is summarized in Section 9. Additionally, recommendations are given for the implementation and execution of the technical solutions. Overall, the recommendations depend on the personnel available to implement the technical solution and on internal requirements. If resources for implementing the technical solution are scarce, it is recommended to use an existing binary diffing framework. Here, it is further recommended to use a framework that is open source, since this allows one to understand the inner workings of the framework directly and to modify parts of it if necessary. However, if complete control over the design of the binary diffing framework is required and enough personnel with software development knowledge are available, then implementing a new binary diffing framework based on the information provided in this document is a viable option. Similar arguments apply to the implementation of the registry diffing program.