{"id":10831,"date":"2023-03-08T05:12:29","date_gmt":"2023-03-08T05:12:29","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=10831"},"modified":"2023-05-19T10:33:29","modified_gmt":"2023-05-19T10:33:29","slug":"commsec-feeding-gophers-to-ghidra","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/","title":{"rendered":"COMMSEC: Feeding Gophers to Ghidra"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS #COMMSEC D2 - Feeding Gophers To Ghidra - Max Kersten\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/wsNfHqZfTfE?list=PLmv8T5-GONwTibHQJImf1kCiQ5XGNFg-l\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D2%20COMMSEC%20-%20Feeding%20Gophers%20to%20Ghidra%20-%20Max%20Kersten.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">Golang malware is becoming more and more prevalent, requiring analysts to understand how to effectively analyse such files, without diving into the myriad of rabbit holes that one encounters along the way. Based on Dorka Palotay&#8217;s work, I&#8217;ve created several Java-based scripts to improve Ghidra\u2019s handling of Golang binaries. To be clear: no Gophers were harmed during this research.<\/p>\n<p style=\"text-align: justify;\">In April 2022 in Nantes (France) at the 9th edition of Botconf, Dorka Palotay gave a presentation about her Golang research, where her colleague Gy\u00f6rgy Lupt\u00e1k dove into the Sysrv mining botnet. The created Ghidra scripts recover static and dynamic strings, functions along with their original names, and Golang types. 
These scripts have been written in Python 2, which Ghidra executes via the Jython interpreter.<\/p>\n<p style=\"text-align: justify;\">While Ghidra allows users to script in Python 2, the Jython interpreter is currently only available for Python 2, which has been deprecated for a while. The native way of scripting for Ghidra is in Java. Now, it is no secret that Java isn\u2019t universally liked, but it\u2019s an open secret that I am one of the rare few who prefers it. An improvement of Dorka\u2019s work would be best written in Ghidra\u2019s native tongue, which I have created.<\/p>\n<p style=\"text-align: justify;\">This talk will dive into both Ghidra\u2019s, as well as Golang\u2019s, internals, while showing what improvement the scripts make. Additionally, the scripts themselves, along with a wrapper script, will be explained. The goal is to provide fellow analysts and researchers with ready-made scripts to deal with Golang binaries they encounter, be it during malware research or when looking for vulnerabilities. 
<strong>This talk includes a demo of the scripts, which will be publicly available at the time of the presentation.<\/strong><\/p>\n","protected":false},"template":"","class_list":["post-10831","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>COMMSEC: Feeding Gophers to Ghidra - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"COMMSEC: Feeding Gophers to Ghidra - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES (PDF) Golang malware is becoming more and more prevalent, requiring analysts to understand how to effectively analyse such files, without diving into the myriad of rabbit holes that one encounters along the way. Based on Dorka Palotay her work, I&#8217;ve created several Java-based scripts to improve Ghidra\u2019s handling of Golang binaries. To be [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-19T10:33:29+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/\",\"name\":\"COMMSEC: Feeding Gophers to Ghidra - HITBSecConf2023 - Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"datePublished\":\"2023-03-08T05:12:29+00:00\",\"dateModified\":\"2023-05-19T10:33:29+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"COMMSEC: Feeding Gophers to Ghidra\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"COMMSEC: Feeding Gophers to Ghidra - HITBSecConf2023 - Amsterdam","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/","og_locale":"en_US","og_type":"article","og_title":"COMMSEC: Feeding Gophers to Ghidra - HITBSecConf2023 - Amsterdam","og_description":"PRESENTATION SLIDES (PDF) Golang malware is becoming more and more prevalent, requiring analysts to understand how to effectively analyse such files, without diving into the myriad of rabbit holes that one encounters along the way. Based on Dorka Palotay her work, I&#8217;ve created several Java-based scripts to improve Ghidra\u2019s handling of Golang binaries. To be [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-05-19T10:33:29+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/","name":"COMMSEC: Feeding Gophers to Ghidra - HITBSecConf2023 - Amsterdam","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website"},"datePublished":"2023-03-08T05:12:29+00:00","dateModified":"2023-05-19T10:33:29+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-feeding-gophers-to-ghidra\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/"},{"@type":"ListItem","position":3,"name":"COMMSEC: Feeding Gophers to Ghidra"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/","name":"HITBSecConf2023 - Amsterdam","description":"#HITB2021AMS","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/10831"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=10831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}