Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
BinDiff excludes known time stamp fields and version information that are documented in the Windows module format (known as the PE specification). It also locates date and time string constants (such as __DATE__ and __TIME__) in the source code, and excludes them. This catches the majority of differing regions between two executables, but it is possible to generate files that contain differing regions not excluded by BinDiff. In these cases, BinDiff will report the files as "Different" when the user might have expected the files to be "Near Identical." The following list gives some examples that illustrate this behavior:
Debug information comes in many formats, each of which has various time stamps scattered among the debug data. BinDiff does not try to parse the debug information. Instead, it excludes all known debug regions in the files. Thus, if debug data is stored outside of the specified debug regions, then BinDiff does not know to exclude it.
There are many post-processing tools that change modules after they are built. These tools, while optimizing page layout, load order, and resources, might strip out information, such as debug information or user names. Localization tools, for example, also change resource strings. Many of these post-processing tools leave data behind, add data, or neglect to clean up dead space and padding areas. This can lead to unexpected differing regions in the two files, which then causes BinDiff to mark the files as "Different."
Some modules embed other modules in their resource data. If an embedded module is rebuilt, the time stamps in that module change. Running BinDiff on the embedded module itself should result in a "Near Identical" match. When that module is embedded in another module, however, it becomes part of the resource data of the main module. When BinDiff compares two builds of the main module, it will result in "Different" because the differing regions are now a part of the resource data.
Understanding FileSpec1 and FileSpec2
FileSpec1 and FileSpec2 can represent either files or directories. If two files are specified, then the files will be compared with each other. If two directories are specified, then all the files within the first directory will be compared with files with the same name in the second directory.
Regions Excluded By BinDiff
The following regions are excluded by default if found in a module:
The IMAGE_FILE_HEADER.TimeDateStamp field
The IMAGE_OPTIONAL_HEADER.CheckSum field
The DOS/Win16 stub code
The IMAGE_EXPORT_DIRECTORY.TimeDateStamp field
The IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp field
The entire IMAGE_DEBUG_DIRECTORY array
All debug sections
The IMAGE_LOAD_CONFIG_DIRECTORY.TimeDateStamp field
The IMAGE_BOUND_IMPORT_DESCRIPTOR.TimeDateStamp field
All IMAGE_BOUND_FORWARDER_REF.TimeDateStamp fields
The IMAGE_RESOURCE_DIRECTORY.TimeDateStamp field
All padding between resources
All ANSI __TIMESTAMP__ string constants used in code
All ANSI __DATE__ string constants used in code
All ANSI __TIME__ string constants used in code
All UNICODE __TIMESTAMP__ string constants used in code
All UNICODE __DATE__ string constants used in code
All UNICODE __TIME__ string constants used in code
If the /v parameter is specified, the following regions are excluded in addition to the default regions:
The IMAGE_OPTIONAL_HEADER.MajorLinkerVersion field
The IMAGE_OPTIONAL_HEADER.MinorLinkerVersion field
The IMAGE_OPTIONAL_HEADER.MajorOperatingSystemVersion field
The IMAGE_OPTIONAL_HEADER.MinorOperatingSystemVersion field
The IMAGE_OPTIONAL_HEADER.MajorImageVersion field
The IMAGE_OPTIONAL_HEADER.MinorImageVersion field
The IMAGE_OPTIONAL_HEADER.MajorSubsystemVersion field
The IMAGE_OPTIONAL_HEADER.MinorSubsystemVersion field
The IMAGE_OPTIONAL_HEADER.Win32VersionValue field
All VERSION_INFO resources
Comparing Executable Files
By default, BinDiff uses a special compare routine for all 32-bit and 64-bit Windows executable files that masks various build time stamp fields in both files when performing the compare. This allows two executable files to be marked as "Near Identical" when the files are truly identical except for the time they were built. You can override this behavior with the /b parameter, which forces BinDiff to perform a straight binary compare of all files.
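A minimal sketch of the masked compare described above, added here as an illustration and not BinDiff's own code: it zeroes three of the default excluded regions (the DOS stub, IMAGE_FILE_HEADER.TimeDateStamp and IMAGE_OPTIONAL_HEADER.CheckSum) in both files before comparing them. The function names, the make_image sample builder and the "Identical" label for byte-equal files are assumptions.

```python
import struct

def excluded_regions(image: bytes):
    """Return (offset, length) spans for three of the default exclusions."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if (e_lfanew < 0x40 or e_lfanew + 92 > len(image)
            or image[e_lfanew:e_lfanew + 4] != b"PE\0\0"):
        raise ValueError("no PE signature at e_lfanew")
    return [
        (0x40, e_lfanew - 0x40),  # DOS stub code
        (e_lfanew + 8, 4),        # IMAGE_FILE_HEADER.TimeDateStamp
        (e_lfanew + 88, 4),       # IMAGE_OPTIONAL_HEADER.CheckSum (PE32 and PE32+)
    ]

def mask(image: bytes) -> bytes:
    """Zero every excluded region so it cannot affect the compare."""
    buf = bytearray(image)
    for off, length in excluded_regions(image):
        buf[off:off + length] = bytes(length)
    return bytes(buf)

def classify(a: bytes, b: bytes) -> str:
    if a == b:
        return "Identical"  # assumed label; the page names only the other two
    try:
        same = len(a) == len(b) and mask(a) == mask(b)
    except ValueError:
        same = False  # not a PE image: only the straight binary compare applies
    return "Near Identical" if same else "Different"

def make_image(timestamp: int, checksum: int, payload: bytes = b"\x90" * 16) -> bytes:
    """Constructed sample: minimal header bytes, not a loadable executable."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + payload

if __name__ == "__main__":
    a, b = make_image(0x40000000, 0x1111), make_image(0x40000ABC, 0x2222)
    print(classify(a, b))                                    # two builds
    print(classify(make_image(1, 2, a), make_image(1, 2, b)))  # embedded builds
```

Passing one sample image as the payload of another reproduces the embedded-module case from the list of examples: the inner time stamp lies outside the outer module's masked header fields, so the two outer files compare as "Different".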