windiff-version-diff-analysis

Generate and analyze a diff between two Windows versions (or two patch levels of one version) for security research, using the WinDiff CLI in this repo. Use this whenever the user wants to compare Windows builds to find what Microsoft changed between versions — new or removed syscalls, new exported/internal kernel routines, added structures or struct fields, new security mitigation flags (process/thread mitigations, CFG/CET/XFG, Code Integrity / ci.dll, kCET, win32k lockdown), AND any other new security-relevant feature or component: new kernel notification/callback surface (Ps/Ob/Cm callbacks, ETW providers and the EtwTi threat-intel channel, minifilter/altitude hooks), new telemetry, ELAM/AMSI/PPL/anti-tamper changes, and brand-new drivers or modules. Frame findings for three audiences — anti-malware / EDR developers, anti-cheat developers, and vulnerability researchers. Triggers on requests like "diff ntoskrnl between 21H2 and 23H2", "what new syscalls were added in 24H2", "what changed in win32k.sys / ci.

Code & Development 387 stars 19 forks Updated 2 days ago GPL-3.0

Quality Score: 86/100

Stars (weight 20%): 86
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 80
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# WinDiff Version Diff Analysis

Compare two Windows builds and turn the raw symbol/type/syscall delta into a security-research report: what was added, what it probably *does*, and why it matters for attack surface, exploitation, or defense.

This skill runs inside the **WinDiff** repo. It uses `windiff_cli` to generate the per-binary JSON databases, then diffs and interprets them. The interpretation is the point — anyone can list new symbols; the value is explaining intent from Windows internals conventions.

## Workflow

### 1. Pin down scope

Establish, asking the user only if genuinely ambiguous:

- **Two OS versions** as WinDiff triples `version / update / architecture` (e.g. `21H2 / BASE / amd64` and `11-24H2 / KB5074105 / amd64`). `update` is `BASE` for an RTM image or a `KB...` number for a patch. The path suffix used in filenames is `version_update_architecture`, e.g. `11-24H2_KB5074105_amd64`.
- **Binaries** to compare. Default to the security-relevant core when the user is vague: `ntoskrnl.exe`, `ntdll.dll`, `win32k.sys`, `win32kbase.sys`, `win32kfull.sys`, `ci.dll`, `cng.sys`. See `references/windows-components.md` for what each one governs.
- **Focus**: syscalls, mitigation flags, new attack surface, a specific component/feature, etc. This steers interpretation, not data generation.

`ci/db_configuration.json` is the canonical list of tracked versions and binaries — consult it for valid `version`/`update` spellings.

### 2. Generate the databases

wi...

Details

Author: ergrelet
Repository: ergrelet/windiff
Created: 3 years ago
Last Updated: 2 days ago
Language: Rust
License: GPL-3.0
