I solved this to an extent.
Currently we have build system that makes sure all new builds are on the path of constant length (builds/001, builds/002, etc), thus avoiding shifts in the PE layout. After build a tool compares old and new binaries ignoring relevant PE fields and other locations with known superficial changes. It also runs some simple heuristics to detect dynamic ignorable changes. Here is full list of things to ignore:
- PE timestamp and checksum
- Digital signature directory entry
- Export table timestamp
- Debugger section timestamp
- PDB signature, age and file path
- Resources timestamp
- All file/product versions in VS_VERSION_INFO resource
- Digital signature section
- MIDL vanity stub for embedded type libraries (contains timestamp string)
- __FILE__, __DATE__ and __TIME__ macros when they are used as literal strings (can be wide or narrow char)
Once in a while linker would make some PE sections bigger without throwing anything else out of alignment. Looks like it moves section boundary inside the padding — it is zeros all around anyway, but because of it I’ll get binaries with 1 byte difference.
UPDATE: we recently opensourced the tool on GitHub. See Compare section in documentation.