How to Reverse Engineer Go Binaries - GoLang Malware Analysis

Video Link: https://www.youtube.com/watch?v=cBdY5Y16OR4
Duration: 7:43
🔥 Learn How to Reverse Engineer Go Binaries for Malware Analysis
👨‍💻 Buy Our Courses: https://guidedhacking.com/register/
💰 Donate on Patreon: / guidedhacking
❤️ Follow us on Social Media: https://linktr.ee/guidedhacking

🔗 GH Article Link: https://guidedhacking.com/threads/how...

❤️ Reversing Golang Binaries with Ghidra by CUJO AI at VB2021 ❤️
We couldn't have made this video without these great resources:
1️⃣ Video: Reversing Golang Binaries with Ghidra
2️⃣ Slides: https://vblocalhost.com/uploads/2021/...
3️⃣ Article: https://cujo.com/reverse-engineering-...
4️⃣ / albertzsigovits
5️⃣ / pad0rka

📜 Video Description:
Reverse Engineering Go Binaries: A Comprehensive Walkthrough
Reverse engineering Go (or GoLang) binaries can be a complex task because of their inherent properties. This guide walks through how to simplify the process, using scripts for both Ida Pro and Ghidra to recover GoLang strings and symbols.

Introduction to GoLang Binaries
GoLang, a programming language designed by Google in 2007 and made public in 2012, is known for its simplicity and its ability to cross-compile for Windows, Linux, and macOS. Go binaries are statically linked by default, which means every library the program needs is included within the binary itself, so there are no dependency issues. However, this characteristic also produces much larger binaries, which makes reverse engineering and GoLang malware analysis more challenging.

Understanding Go Binary Size through Comparative Analysis
To highlight the challenge posed by the size of Go binaries, consider a simple "Hello, World!" program written in both C and GoLang. The C version compiles to a 16-kilobyte binary, while the GoLang version produces a hefty two-megabyte file. The difference comes from Go binaries including all the libraries they need, so to analyze a single function you may have to sift through two megabytes of code. For example, the GoLang "Hello, World!" binary can contain up to 1800 functions, compared with just 19 functions in the C equivalent.

Stripping GoLang Binaries
Stripping a Go binary reduces its size by discarding debugging symbols, routine names, and variable names, which also makes the binary harder to debug and reverse engineer. Stripping is commonly applied to GoLang malware to make samples smaller and harder to detect and analyze. Stripping the "Hello, World!" binary shrinks it from two megabytes to 1.3 megabytes, but the smaller file also carries less information for the reverse engineer.

Identifying GoLang Binaries
GoLang binaries can be identified by inspecting their strings, which often contain function names and other elements characteristic of the Go runtime. If those elements are present in a binary's strings, it is reasonable to suspect that the binary was written in GoLang.
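As an added example (not code from the video or the GuidedHacking article), a small Python triage script that applies the string-inspection idea above: it extracts printable strings the way `strings` does, looks for Go runtime names and a Go version string, and additionally checks for a pclntab header. The marker list and the header magic values are my assumptions; the sample blobs are constructed so the script runs offline.

```python
import re
# Runs of 6+ printable ASCII bytes, the same thing `strings` prints.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Runtime names that survive stripping because the pclntab keeps them
# (assumption: this marker list is mine, not from the video).
GO_MARKERS = (b"Go build ID:", b"go.buildid", b"go:buildid",
              b"runtime.main", b"runtime.morestack", b"runtime.gopanic")
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")

# pclntab header magics (assumption: little-endian values the Go runtime
# uses for 1.2-1.15, 1.16-1.17, 1.18-1.19 and 1.20+), followed by two
# zero bytes, minimum instruction size (1/2/4) and pointer size (4/8).
PCLNTAB_MAGICS = (b"\xfb\xff\xff\xff", b"\xfa\xff\xff\xff",
                  b"\xf0\xff\xff\xff", b"\xf1\xff\xff\xff")

def find_pclntab_header(data: bytes):
    """Offset of a plausible pclntab header, or None if absent."""
    for magic in PCLNTAB_MAGICS:
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hdr = data[idx:idx + 8]
            if (len(hdr) == 8 and hdr[4:6] == b"\x00\x00"
                    and hdr[6] in (1, 2, 4) and hdr[7] in (4, 8)):
                return idx
            start = idx + 1
    return None

def go_indicators(data: bytes) -> dict:
    """Gather the evidence an analyst would weigh before deciding."""
    strings = STRINGS_RE.findall(data)
    markers = [m for m in GO_MARKERS if any(m in s for s in strings)]
    ver = GO_VERSION_RE.search(data)
    return {"markers": markers,
            "version": ver.group(0).decode() if ver else None,
            "pclntab_offset": find_pclntab_header(data)}

def is_probably_go(data: bytes) -> bool:
    """Require two independent hints so one stray string is not enough."""
    ind = go_indicators(data)
    score = (min(len(ind["markers"]), 2) + (ind["version"] is not None)
             + (ind["pclntab_offset"] is not None))
    return score >= 2

# Constructed sample blobs (not real binaries) so this runs offline.
SAMPLE_GO = (b"\x7fELF" + b"\x00" * 12 + b'Go build ID: "x1y2"\x00'
             + b"\xfb\xff\xff\xff\x00\x00\x01\x08" + b"\x00" * 4
             + b"runtime.main\x00runtime.gopanic\x00go1.21.5\x00")
SAMPLE_C = b"\x7fELF" + b"\x00" * 12 + b"Hello, World!\x00__libc_start_main\x00"
```

On a real file, pass `open(path, "rb").read()` to `go_indicators` and inspect the markers and version before trusting the verdict.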

Recovering Information from Stripped Go Binaries
Despite the limitations of stripped binaries, specific scripts can recover much of the lost information and make Go reverse engineering far more tractable.

Ida Pro: Employing GoReSym and GoReSymRename on GoLang Malware

GoReSym
Mandiant's GoReSym is a GoLang symbol parser that extracts metadata from Go binaries, including CPU architecture, OS, compiler version, function metadata, filenames, line-number metadata, and embedded structures and types.

Running GoReSym with the flags -t (recover type names), -d (get Go package names), and -p (get input file paths) produces an output detailing comprehensive information about the GoLang malware.

GoReSymRename
After extracting the information with GoReSym, the GoReSymRename Python script is run inside Ida Pro (the GoLang decompiler, or Go decompiler, used in the video) to import the function names. You can execute this script by navigating to "File" in the Ida Pro interface, clicking on "Script File", and selecting the JSON file generated by GoReSym.

This script renames all the functions in your Go binary, which greatly simplifies analysis. Once it finishes, the main part of the sample is much cleaner and easier to follow, with functions properly named and far more readable for Golang malware analysis.

📝 Timestamps:
0:00 - GoLang Introduction
0:31 - Difficulties with Malware Analysis
0:44 - Using Ida Pro and Ghidra
1:06 - Comparing C and Go Binaries
1:49 - Stripping GoLang Binaries
2:40 - Identifying Go Malware
2:58 - GuidedHacking.com Is The Best
3:24 - Debugging Stripped Binaries
4:01 - Using GoReassembler
5:08 - Go Symbols in IDA Pro
6:01 - Ghidra Scripts

✏️ Tags:
#golang
#fr3dhk
#malwareanalysis
GoLang reverse engineering
Go reverse engineering
GoLang binary
reverse engineering Go language
GoLang Malware Analysis