How to Reverse Engineer Go Binaries – GoLang Malware Analysis



🔥 Learn How to Reverse Engineer Go Binaries for Malware Analysis
👨‍💻 Buy Our Courses: https://guidedhacking.com/register/
💰 Donate on Patreon: https://patreon.com/guidedhacking
❤️ Follow us on Social Media: https://linktr.ee/guidedhacking

🔗 GH Article Link: https://guidedhacking.com/threads/how-to-reverse-engineer-go-binaries.20392/

❤️Reversing Golang Binaries with Ghidra by CUJO AI at VB2021❤️
We couldn’t have made this video without these great resources:
1️⃣ Video: https://www.youtube.com/watch?v=oeWSWD5avZo
2️⃣ Slides: https://vblocalhost.com/uploads/2021/09/VB2021-04.pdf
3️⃣ Article: https://cujo.com/reverse-engineering-go-binaries-with-ghidra/
4️⃣ https://twitter.com/albertzsigovits
5️⃣ https://twitter.com/pad0rka

📜 Video Description:
Reverse Engineering Go Binaries: A Comprehensive Walkthrough
Reverse engineering Go (or GoLang) binaries can be a complex task because of the way these binaries are built. This guide walks through how to simplify the process, using scripts for both IDA Pro and Ghidra to recover GoLang strings and symbols.

Introduction to GoLang Binaries
GoLang, a programming language designed by Google in 2007 and made public in 2012, is known for its simplicity and for cross-compiling to Windows, Linux, and macOS. Go binaries are statically linked by default, which means all necessary libraries are included within the binary itself, so there are no runtime dependency issues. The same property produces much larger binaries, which makes reverse engineering and GoLang malware analysis more challenging.

Understanding Go Binary Size through Comparative Analysis
To highlight the challenge posed by the size of Go binaries, consider a simple “Hello, World!” program written in both C and GoLang. The C version results in a 16-kilobyte binary when compiled, while the GoLang version produces a hefty two-megabyte file. This significant size difference is due to Go binaries including all necessary libraries. This means to analyze a single function, you might have to parse through two megabytes of code. For example, a GoLang binary for a “Hello, World!” program can contain up to 1800 functions, as opposed to just 19 functions in the C equivalent.

Stripping GoLang Binaries
Stripping a Go binary reduces its size by discarding debugging symbols, routine names, and variable names. This also makes the binary harder to debug and reverse engineer, which is why stripping is commonly used in GoLang malware: the files become smaller and harder to detect and analyze. Stripping reduces the “Hello, World!” binary from two megabytes to 1.3 megabytes. The smaller binary comes at the cost of the information available for reverse engineering.

Identifying GoLang Binaries
GoLang binaries can be identified by inspecting their strings. These strings often contain function names and other artifacts characteristic of Go. If such artifacts are present in a binary’s strings, it is reasonable to suspect that the binary was written in GoLang.
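As an added example (not part of the original video description or the CUJO AI material), the following Python script automates the string check described above: it scans a file's raw bytes for strings the Go toolchain leaves behind, reads the toolchain version string, and looks for the header of the pclntab function table. The marker list and the pclntab magic values are this example's own heuristics, and the two sample blobs are constructed inline for demonstration.

```python
"""Heuristic Go-binary identification from raw bytes.

Added example for this article, not a script from the original page or from CUJO AI.
The markers are heuristics: a packer or string obfuscator can hide them, so treat
a positive result as a reason to look closer, not as proof.
"""
import re
import struct
import sys

# Literal strings that the Go toolchain leaves in almost every binary it builds,
# including stripped ones (the runtime keeps its own symbol names for panics and GC).
GO_MARKERS = [
    b"Go build ID:",        # build-id note written by the Go linker
    b"go.buildid",
    b"runtime.main",        # runtime entry point
    b"runtime.gopanic",
    b"runtime.morestack",
    b"runtime.newproc",
    b"go1.",                # toolchain version string, e.g. go1.20.3
    b"GOMAXPROCS",
    b"sync.(*Mutex).Lock",  # Go's distinctive "pkg.(*Type).Method" naming
]

# Magic values at the head of the pclntab, one per generation of the table format.
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "Go 1.2 - 1.15",
    0xFFFFFFFA: "Go 1.16 - 1.17",
    0xFFFFFFF0: "Go 1.18 - 1.19",
    0xFFFFFFF1: "Go 1.20+",
}

# Package-qualified symbols from a few well-known packages, e.g. "runtime.main",
# "main.(*Config).load", "net/http.(*Client).Do".
PACKAGE_SYMBOL_RE = re.compile(
    rb"\b(?:runtime|sync|syscall|reflect|fmt|os|main|net/http)\."
    rb"(?:\(\*?[A-Za-z0-9_]+\)\.)?[A-Za-z_][A-Za-z0-9_]*"
)


def find_pclntab_magic(data: bytes):
    """Return the Go version range implied by a pclntab header, or None.

    The header is the 4-byte little-endian magic, two zero bytes, then the
    instruction quantum (1, 2 or 4) and the pointer size (4 or 8).
    """
    for magic, version in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic) + b"\x00\x00"
        idx = data.find(needle)
        while idx != -1 and idx + 8 <= len(data):
            quantum, ptrsize = data[idx + 6], data[idx + 7]
            if quantum in (1, 2, 4) and ptrsize in (4, 8):
                return version
            idx = data.find(needle, idx + 1)
    return None


def package_symbols(data: bytes) -> list:
    """Sorted, de-duplicated package-qualified symbol names found in the bytes."""
    return sorted({m.decode("ascii", "replace") for m in PACKAGE_SYMBOL_RE.findall(data)})


def go_indicators(data: bytes) -> dict:
    """Collect every Go indicator in one dict so the caller can report the evidence."""
    version = re.search(rb"go1\.\d+(?:\.\d+)?", data)
    return {
        "markers": [m.decode() for m in GO_MARKERS if m in data],
        "toolchain": version.group().decode() if version else None,
        "pclntab": find_pclntab_magic(data),
    }


def looks_like_go(data: bytes) -> bool:
    """Require at least two independent signals to avoid flagging a C program
    that merely contains the text "go1." somewhere in its data."""
    ind = go_indicators(data)
    score = len(ind["markers"]) + (2 if ind["pclntab"] else 0)
    return score >= 2


# Constructed sample blobs (not real binaries): an ELF-like prefix followed by the
# kind of fragments a Go build and a C build leave in their data.
SAMPLE_GO = (
    b"\x7fELF" + b"\x00" * 12
    + b'Go build ID: "placeholder-build-id"\x00'
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08"   # pclntab header: Go 1.20+, quantum 1, 8-byte pointers
    + b"runtime.main\x00runtime.gopanic\x00main.(*Config).load\x00go1.20.3\x00"
)
SAMPLE_C = b"\x7fELF" + b"\x00" * 12 + b"puts\x00__libc_start_main\x00Hello, World!\x00"


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    result = go_indicators(data)
    result["symbols"] = package_symbols(data)
    result["is_go"] = looks_like_go(data)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        for label, blob in (("constructed Go sample", SAMPLE_GO), ("constructed C sample", SAMPLE_C)):
            print(label, "->", looks_like_go(blob), go_indicators(blob))
```

Run it with a file path to scan a real sample; without arguments it reports on the two constructed blobs. The pclntab check is useful because the table must survive stripping (the runtime needs it for stack traces), so it remains a signal even when a sample has been stripped as described in the previous section.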

Recovering Information from Stripped Go Binaries
Despite the limitations of stripped binaries, it is possible to recover information through specific scripts, which can aid in the process of Go reverse engineering.

IDA Pro: Using GoReSym and GoReSymRename on GoLang Malware

GoReSym
Mandiant’s GoReSym is a GoLang symbol parser that extracts metadata from Go binaries. This data includes CPU architecture, OS, compiler version, function metadata, filenames, line number metadata, and embedded structures and types.

By running GoReSym with flags -t (to recover type names), -d (to get Go package names), and -p (to get input file paths), you can generate an output detailing comprehensive information about the GoLang malware.

GoReSymRename
After extracting the information with GoReSym, the GoReSymRename Python script is run inside IDA Pro (used here as a Go decompiler) to import the function names. Execute the script by navigating to “File” in the IDA Pro interface, clicking “Script File”, and selecting the JSON file generated by GoReSym.

This script will rename all the functions in your Go binary, significantly simplifying your analysis process. When the script finishes running, you’ll find the main part of the sample much cleaner and easier to understand, with functions properly named and more readable for Golang malware analysis.
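To show what the GoReSym-to-IDA step involves, here is an added example (not the GoReSymRename script itself, and not code from the original page) that reads a GoReSym JSON report, summarizes the build metadata, and produces a rename plan of function start address to IDA-safe name. It assumes the layout GoReSym prints (top-level "Version", "Arch", "OS", and "UserFunctions"/"StdFunctions" lists whose entries carry "Start", "End", "PackageName", "FullName"); the SAMPLE_JSON report is constructed for this example. Inside IDA it applies the names with idc.set_name; outside IDA it prints the plan so it can be checked.

```python
"""GoReSym JSON -> function renames for IDA Pro.

Added example for this article; it is not the GoReSymRename script. The JSON
field names follow GoReSym's report layout as an assumption, and SAMPLE_JSON
below is constructed, not taken from a real sample.
"""
import json
import re

try:
    import idc            # present only when running inside IDA Pro
    import ida_kernwin
except ImportError:       # running outside IDA: plan only, apply nothing
    idc = None
    ida_kernwin = None

# Constructed GoReSym-style report (addresses and names are made up for this example).
SAMPLE_JSON = r'''{
  "Version": "1.20.3", "Arch": "amd64", "OS": "windows",
  "UserFunctions": [
    {"Start": 4739072, "End": 4739520, "PackageName": "main", "FullName": "main.main"},
    {"Start": 4739520, "End": 4740100, "PackageName": "main", "FullName": "main.(*Config).load"},
    {"Start": 4740100, "End": 4740300, "PackageName": "main", "FullName": "main.main.func1"}
  ],
  "StdFunctions": [
    {"Start": 4198400, "End": 4198800, "PackageName": "runtime", "FullName": "runtime.main"},
    {"Start": 4300000, "End": 4300500, "PackageName": "net/http", "FullName": "net/http.(*Client).Do"}
  ]
}'''


def parse_report(text: str) -> dict:
    return json.loads(text)


def ida_safe(name: str) -> str:
    """Rewrite a Go symbol into a name IDA accepts without complaint.

    Go names contain '/', '(', ')' and '*' (e.g. 'net/http.(*Client).Do'); this maps
    the pointer-receiver form to 'ptr_' and replaces any other character outside
    [A-Za-z0-9_.] with '_', giving 'net_http.ptr_Client.Do'.
    """
    name = name.replace("(*", "ptr_").replace(")", "").replace("(", "")
    return re.sub(r"[^A-Za-z0-9_.]", "_", name)


def summarize(report: dict) -> dict:
    """The metadata GoReSym recovers even from a stripped binary."""
    user = report.get("UserFunctions", [])
    return {
        "go": report.get("Version"),
        "arch": report.get("Arch"),
        "os": report.get("OS"),
        "user_funcs": len(user),
        "std_funcs": len(report.get("StdFunctions", [])),
        "packages": sorted({f["PackageName"] for f in user}),
    }


def build_rename_plan(report: dict, include_std: bool = False) -> dict:
    """Map function start address -> IDA-safe name.

    User functions are what an analyst cares about first; standard-library
    functions are optional. Duplicate sanitized names get a numeric suffix so two
    different functions never fight over one name.
    """
    funcs = list(report.get("UserFunctions", []))
    if include_std:
        funcs += report.get("StdFunctions", [])
    plan, used = {}, {}
    for f in funcs:
        base = ida_safe(f["FullName"])
        n = used.get(base, 0)
        used[base] = n + 1
        plan[f["Start"]] = base if n == 0 else f"{base}_{n}"
    return plan


def apply_plan(plan: dict) -> int:
    """Apply the renames inside IDA; outside IDA just print them. Returns the count applied."""
    applied = 0
    for ea in sorted(plan):
        name = plan[ea]
        if idc is not None:
            if idc.set_name(ea, name, idc.SN_NOWARN):
                applied += 1
        else:
            print(f"0x{ea:x} -> {name}")
    return applied


def load_report() -> dict:
    """Inside IDA, prompt for the GoReSym JSON file; otherwise use the constructed sample."""
    if ida_kernwin is not None:
        path = ida_kernwin.ask_file(0, "*.json", "GoReSym JSON output")
        if not path:
            raise SystemExit("no file selected")
        with open(path) as fh:
            return json.load(fh)
    return parse_report(SAMPLE_JSON)


if __name__ == "__main__":
    rep = load_report()
    print(summarize(rep))
    print("renamed:", apply_plan(build_rename_plan(rep, include_std=True)))
```

Outside IDA the script prints the plan for the constructed report; loaded through File → Script File in IDA it prompts for the GoReSym JSON and applies the names. Keeping the package prefix in each name (main., runtime., net_http.) is what makes the renamed listing readable: the analyst can sort by prefix and go straight to the main package.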

📝 Timestamps:
0:00 – GoLang Introduction
0:31 – Difficulties with Malware Analysis
0:44 – Using IDA Pro and Ghidra
1:06 – Comparing C and Go Binaries
1:49 – Stripping GoLang Binaries
2:40 – Identifying Go Malware
2:58 – GuidedHacking.com Is The Best
3:24 – Debugging Stripped Binaries
4:01 – Using GoReassembler
5:08 – Go Symbols in IDA Pro
6:01 – Ghidra Scripts

✏️ Tags:
#golang
#fr3dhk
#malwareanalysis
GoLang reverse engineering
Go reverse engineering
GoLang binary
reverse engineering Go language
GoLang Malware Analysis