Golang malware is becoming more and more prevalent, requiring analysts to understand how to analyse such files effectively, without diving into the myriad rabbit holes one encounters along the way. Based on Dorka Palotay's work, I have created several Java-based scripts to improve Ghidra's handling of Golang binaries. To be clear: no Gophers were harmed during this research.
In April 2022 in Nantes (France), at the 9th edition of Botconf, Dorka Palotay gave a presentation about her Golang research, in which her colleague György Lupták dove into the Sysrv mining botnet. The Ghidra scripts created for that research recover static and dynamic strings, functions along with their original names, and Golang types. These scripts are written in Python 2, which Ghidra executes via the Jython interpreter.
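The function-name recovery those scripts perform inside Ghidra can be reproduced outside it with Go's own standard library, which is a handy way to sanity-check what a disassembler shows. The following stand-alone Go program is an added example, not one of the talk's Ghidra scripts and not code from Dorka Palotay's research: it locates the pclntab in an ELF Go binary, hands it to debug/gosym and lists every function with its original name and address range. It assumes a Linux ELF target (section names .text, .gopclntab and .data.rel.ro.gopclntab); the GoFunc type and the RecoverGoFuncs and FilterByPackage names are mine.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"sort"
	"strings"
)

// GoFunc is one function recovered from the Go runtime's pclntab.
// (Type name is an assumption of this example, not a gosym type.)
type GoFunc struct {
	Name  string // original symbol name, e.g. "main.decryptConfig"
	Entry uint64 // virtual address of the first instruction
	End   uint64 // virtual address just past the last instruction
}

// loadPclntab returns the raw pclntab bytes and the start address of the
// text section of an ELF Go binary. The pclntab survives `strip` and
// -ldflags="-s -w" because the runtime needs it for stack unwinding and
// panics; that is what makes the names recoverable from stripped malware.
func loadPclntab(path string) (data []byte, textStart uint64, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, 0, err
	}
	defer f.Close()

	text := f.Section(".text")
	if text == nil {
		return nil, 0, fmt.Errorf("%s: no .text section", path)
	}
	// Non-PIE builds name the section .gopclntab; PIE builds of some Go
	// versions place it under .data.rel.ro.gopclntab.
	var pcln *elf.Section
	for _, name := range []string{".gopclntab", ".data.rel.ro.gopclntab"} {
		if pcln = f.Section(name); pcln != nil {
			break
		}
	}
	if pcln == nil {
		return nil, 0, fmt.Errorf("%s: no pclntab section, probably not a Go ELF binary", path)
	}
	data, err = pcln.Data()
	if err != nil {
		return nil, 0, err
	}
	return data, text.Addr, nil
}

// RecoverGoFuncs parses the pclntab of the binary at path and returns every
// function it describes, sorted by entry address.
func RecoverGoFuncs(path string) ([]GoFunc, error) {
	data, textStart, err := loadPclntab(path)
	if err != nil {
		return nil, err
	}
	// gosym detects the Go 1.2, 1.16, 1.18 and 1.20 pclntab layouts from the
	// header magic, so the same call works across compiler versions.
	lt := gosym.NewLineTable(data, textStart)
	// Since Go 1.3 the .gosymtab section carries no symbols; all function
	// metadata lives in the pclntab, so an empty symtab is passed here.
	tab, err := gosym.NewTable(nil, lt)
	if err != nil {
		return nil, err
	}
	funcs := make([]GoFunc, 0, len(tab.Funcs))
	for _, fn := range tab.Funcs {
		funcs = append(funcs, GoFunc{Name: fn.Name, Entry: fn.Entry, End: fn.End})
	}
	sort.Slice(funcs, func(i, j int) bool { return funcs[i].Entry < funcs[j].Entry })
	return funcs, nil
}

// FilterByPackage keeps only the functions of package pkg (e.g. "main"),
// usually the analyst's starting point: the sample's own code rather than
// the runtime and vendored libraries that make up most of a Go binary.
func FilterByPackage(funcs []GoFunc, pkg string) []GoFunc {
	var out []GoFunc
	for _, fn := range funcs {
		if strings.HasPrefix(fn.Name, pkg+".") {
			out = append(out, fn)
		}
	}
	return out
}

func main() {
	// With no argument, inspect this very binary, itself a Go ELF file on Linux.
	path, _ := os.Executable()
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	funcs, err := RecoverGoFuncs(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d functions recovered from %s\n", len(funcs), path)
	for _, fn := range FilterByPackage(funcs, "main") {
		fmt.Printf("%#x-%#x %s\n", fn.Entry, fn.End, fn.Name)
	}
}
```

Run it with the path of a sample as the only argument, or with no argument to have it list its own functions. The entry addresses it prints are the ones a disassembler that does not parse the pclntab would label generically, so they can be used directly to cross-reference or to rename functions in Ghidra.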
While Ghidra allows users to script in Python, it does so through Jython, which only implements Python 2, a language version that reached end-of-life in January 2020. The native way of scripting Ghidra is in Java. Now, it is no secret that Java isn't universally liked, but it's an open secret that I am one of the rare few who prefer it. An improvement of Dorka's work is therefore best written in Ghidra's native tongue, which is what I have done.
This talk will dive into the internals of both Ghidra and Golang, while showing what improvements the scripts bring. Additionally, the scripts themselves, along with a wrapper script, will be explained. The goal is to provide fellow analysts and researchers with ready-made scripts to deal with the Golang binaries they encounter, be it during malware research or when looking for vulnerabilities. The talk includes a demo of the scripts, which will be publicly available at the time of the presentation.