joshterrill/post-patch-postmortem

Post-patch Postmortem

ppp is now intentionally narrow. The public CLI only supports two workflows:

  • ppp list <target>
  • ppp diff <target>

<target> can be either a Windows binary name such as tcpip.sys or a KB identifier such as KB5041578.

Installation

pip install -e .

Required / recommended external tools:

Optional environment variables:

  • GHIDRA_HOME
  • BINDIFF_HOME

CLI

List recent Winbindex versions for a single binary:

ppp list tcpip.sys
ppp list tcpip.sys --arch x64 --limit 25
ppp list tcpip.sys --window-version "Windows 10 1809"

List binaries present in a KB:

ppp list KB5041578
ppp list KB5041578 --arch x64 --limit 50
ppp list KB5041578 --window-version 1809

For KB listing, the tool uses cached extraction data when available. If the KB has not been downloaded yet, it will pull the update package, extract binaries, and then enrich each file with Winbindex metadata when possible.

Diff the newest binary version against its previous distinct version:

ppp diff tcpip.sys --arch x64
ppp diff tcpip.sys --window-version "Windows 10 1809"

Force a clean rerun for a binary diff:

ppp diff tcpip.sys --arch x64 --force

Compare two exact SHA256 versions of a binary:

ppp diff tcpip.sys --compare <sha256_a>,<sha256_b>

When --compare is used, --arch and --window-version are ignored.
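The two diff modes above rest on one selection rule: pick the newest build of a binary and the most recent earlier build whose bytes actually differ, or take an explicit pair of SHA256 hashes and skip the lookup. The Python below is an added example, not code from the post-patch-postmortem project, showing that selection over a constructed, Winbindex-shaped list of versions. The entry layout (version, arch, windows_version, sha256, kb), the substring match for --window-version, and the helper names are assumptions made for the example; the hashes and KB pairings are made up.

```python
"""Choose the (newest, previous distinct) pair for a binary diff, and parse an
explicit --compare pair of SHA256 digests.

Added example with constructed data; not part of the ppp project.
"""
import hashlib
import re

# Constructed sample entries shaped like a Winbindex version list. The hashes
# and KB-to-version pairings are invented for illustration.
SAMPLE_ENTRIES = [
    {"version": "10.0.17763.6054", "arch": "x64",
     "windows_version": "Windows 10 1809", "sha256": "a" * 64, "kb": "KB5039705"},
    # Same bytes re-shipped in a later KB: identical hash, so it must be skipped
    # when looking for the "previous distinct" version.
    {"version": "10.0.17763.6054", "arch": "x64",
     "windows_version": "Windows 10 1809", "sha256": "a" * 64, "kb": "KB5040430"},
    {"version": "10.0.17763.6189", "arch": "x64",
     "windows_version": "Windows 10 1809", "sha256": "b" * 64, "kb": "KB5041578"},
    # Same file version, other architecture: a different binary entirely.
    {"version": "10.0.17763.6189", "arch": "x86",
     "windows_version": "Windows 10 1809", "sha256": "c" * 64, "kb": "KB5041578"},
    {"version": "10.0.19041.4717", "arch": "x64",
     "windows_version": "Windows 10 22H2", "sha256": "d" * 64, "kb": "KB5041580"},
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def version_key(version):
    """Turn '10.0.17763.6189' into a tuple so builds sort numerically."""
    return tuple(int(part) for part in version.split("."))


def select_diff_pair(entries, arch=None, window_version=None):
    """Return (newest, previous_distinct) for one binary, or None if fewer than
    two distinct hashes match. window_version is matched as a substring, so
    both "1809" and "Windows 10 1809" select the same entries (assumption)."""
    matched = [
        e for e in entries
        if (arch is None or e["arch"] == arch)
        and (window_version is None or window_version in e["windows_version"])
    ]
    # Refuse to diff across architectures: the same file version on x64 and
    # x86 is not a before/after pair, so make the caller pick an arch.
    archs = {e["arch"] for e in matched}
    if len(archs) > 1:
        raise ValueError(f"entries span several architectures {sorted(archs)}; pass arch")
    matched.sort(key=lambda e: version_key(e["version"]), reverse=True)
    # Collapse re-shipped identical binaries: keep the first (newest) entry
    # for each hash, so "previous" means previous *different* bytes.
    seen, distinct = set(), []
    for e in matched:
        if e["sha256"] not in seen:
            seen.add(e["sha256"])
            distinct.append(e)
    if len(distinct) < 2:
        return None
    return distinct[0], distinct[1]


def parse_compare(spec):
    """Parse 'sha256_a,sha256_b' into a validated (a, b) tuple of lowercase
    hex digests; reject malformed input and identical hashes."""
    parts = [p.strip().lower() for p in spec.split(",")]
    if len(parts) != 2:
        raise ValueError("--compare expects exactly two comma-separated SHA256 digests")
    a, b = parts
    for digest in (a, b):
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA256 hex digest: {digest!r}")
    if a == b:
        raise ValueError("both digests are identical; nothing to diff")
    return a, b


def sha256_of_bytes(data):
    """SHA256 hex digest of in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA256 hex digest of a file on disk, streamed so large PEs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    newest, previous = select_diff_pair(SAMPLE_ENTRIES, arch="x64", window_version="1809")
    print(f"diff {newest['version']} ({newest['kb']}) against "
          f"{previous['version']} ({previous['kb']})")
    print(parse_compare(f"{'B' * 64}, {'a' * 64}"))
```

The cross-architecture check is the part worth keeping in mind when running `ppp diff` without `--arch`: a file version string alone does not identify a binary, the (version, arch) pair does, and only the SHA256 tells you whether two builds differ at all.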

Diff every matched binary in a KB against its previous version:

ppp diff KB5041578 --arch x64
ppp diff KB5041578 --arch x64 --window-version 1809
ppp diff KB5041578 --arch x64 --force

License

MIT

About

a CLI tool for analyzing Microsoft Patch Tuesday security updates. Fetches patch data from MSRC, downloads update packages, extracts binaries, and compares pre/post-patch versions using BinDiff.
