SamSuka
GuidedHacking
Reverse Engineering Go Binaries

💻 How to Reverse Go Binaries
👾 Increasingly popular for malware
💾 GoLang vs C binaries: size matters
🔍 Detect GoLang via string inspection
🔧 Stripped binaries? Recover info with scripts
💡 GoLang scripts for IDA Pro and Ghidra

A first hurdle in GoLang reverse engineering is the sheer size of Go binaries. A simple "Hello, World!" program written in Go is considerably larger than its C counterpart, because Go statically links its runtime and the standard-library packages it uses into the executable. When you only want to analyze a single function, you may still have to wade through two megabytes of code, a stark contrast to C's leaner output. If you're new to malware analysis, this guide might help you get started.

To reduce the size, Go binaries can be stripped, a process that discards debugging symbols, routine names, and variable names. This is common practice in GoLang malware, since it not only shrinks the file but also makes the sample harder to detect and analyze. It is worth noting how such practices complicate even the analysis of North Korean malware.

Despite the challenges of identifying and recovering information from stripped Go binaries, it is possible to do so by inspecting their strings or by using purpose-built scripts. For instance, GoReSym can extract vital information from the binary, and a script like goresym_rename can reimport the recovered function names into your disassembler, easing the process of understanding the binary. You can learn more about reverse engineering tools for malware such as Skid malware, and about how to find malware C2 panels, in the linked guides.

CUJO also offers useful Ghidra scripts that recover function names and find both statically allocated and dynamic string structures. All these tools and techniques significantly contribute to the Go reverse engineering process.
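As an added example (not code from GuidedHacking, CUJO or the GoReSym project), the script below shows the "detect GoLang via string inspection" step from the summary above: it scans raw file bytes for markers the Go linker leaves behind even after stripping. The build-ID prefix, the `buildinf:` magic, the `go1.x.y` version string and the runtime function names that survive in pclntab are the markers assumed here; the pclntab header magics and their version ranges are stated from memory of the Go toolchain and should be treated as assumptions. The two sample byte blobs are constructed stand-ins, not real executables.

```python
import re
import struct
import sys

# Markers assumed to be written by Go's linker. They survive `strip`, which removes
# the symbol table but not the runtime's own data structures.
GO_BUILD_ID = b"\xff Go build ID: "      # precedes the quoted build ID (assumption)
GO_BUILDINFO = b"\xff Go buildinf:"      # magic of the embedded build-info blob (assumption)
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")  # runtime.buildVersion, e.g. go1.21.5
# Function names live in pclntab's name table, so they remain as plain strings after stripping.
GO_RUNTIME_NAMES = (b"runtime.main", b"runtime.gopanic", b"runtime.morestack")
# pclntab header magic per Go version range, stored little-endian (assumed values).
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}


def find_pclntab_magic(data):
    """Return (offset, version_range) of the first plausible pclntab header, or None.

    The header layout assumed here is magic(4) pad(2) minLC(1) ptrsize(1); a hit
    must have zero padding and a pointer size of 4 or 8 to be accepted.
    """
    for magic, label in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic)
        start = 0
        while True:
            off = data.find(needle, start)
            if off < 0:
                break
            hdr = data[off:off + 8]
            if len(hdr) == 8 and hdr[4:6] == b"\x00\x00" and hdr[7] in (4, 8):
                return off, label
            start = off + 1
    return None


def detect_go(data):
    """Return the indicators found in `data`; 'is_go' is set when two independent kinds hit."""
    indicators = {}
    if GO_BUILD_ID in data:
        indicators["build_id"] = True
    if GO_BUILDINFO in data:
        indicators["buildinfo"] = True
    m = GO_VERSION_RE.search(data)
    if m:
        indicators["version"] = m.group(0).decode()
    names = [n.decode() for n in GO_RUNTIME_NAMES if n in data]
    if names:
        indicators["runtime_names"] = names
    pcl = find_pclntab_magic(data)
    if pcl:
        indicators["pclntab"] = pcl[1]
    # Require two different marker kinds so a stray "go1.2" in a text blob is not enough.
    indicators["is_go"] = len(indicators) >= 2
    return indicators


# Constructed sample: mimics a stripped Go binary. Only the markers matter, the rest is padding.
SAMPLE_GO = (
    b"MZ" + b"\x00" * 64
    + b"\xff Go build ID: \"abc123/def456/ghi789/jkl012\"\n \xff"
    + b"\x00" * 16
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08"  # magic, pad, minLC=1, ptrsize=8
    + b"\x00" * 16
    + b"runtime.main\x00runtime.gopanic\x00main.main\x00"
    + b"go1.21.5\x00"
)
# Constructed sample: a C-style binary with no Go markers at all.
SAMPLE_C = b"\x7fELF" + b"\x00" * 64 + b"Hello, World!\x00__libc_start_main\x00"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, detect_go(f.read()))
    else:
        print("constructed Go sample:", detect_go(SAMPLE_GO))
        print("constructed C sample: ", detect_go(SAMPLE_C))
```

Run it with one or more file paths to triage real samples, or with no arguments to see the two constructed blobs classified. The pclntab magic and the version string are the most useful hits on a stripped sample, since they also tell you which Go release produced the binary and therefore which GoReSym or CUJO script version to reach for.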
