Go_Parser : Yet Another Golang Binary Parser For IDAPro

This master branch is written in Python2 for IDAPython, and tested only on IDA7.2/IDA7.0. If you use IDAPython with Python3 and higher version of IDAPro, please use Python3 Branch for Go_Parser.

Inspired by golang_loader_assist and jeb-golang-analyzer, I wrote a more complete Go binaries parsing tool for IDAPro.

Main Features

  • Locate and parse firstmoduledata structure in Go binary file, and make comment for each field;
  • Locate pclntab(PC Line Table) according to the firstmoduledata and parse it. Then find and parse and recover function names and source file paths in the pclntab. Source file paths will be printed in the output window of IDAPro;
  • Parse strings and string pointers, make comment for each string, and make dref for each string pointer;
  • According to firstmoduledata, find each type and parse it, meke comment for each attribute of type, which will be very convenient for malware researcher to analyze a complex type or data structure definition;
  • Parse itab(Interface Table).

Helpful information to RE work for Go binaries:

And there are two useful feature in go_parser:

  • It also work fine for binaries with malformed File Header information, especially malformed Section Headers information;
  • All those features above are valid for binaries built with buildmode=pie.

A config data structure in DDGMiner v5029 (MD5: 95199e8f1ab987cd8179a60834644663) parsing result as below:

And the user-defined source file paths list:

Project Files

  • go_parser.py :Entry file, press [Alt+F7] , select and execute this file;
  • common.py: Common variables and functions definition;
  • pclntbl.py: Parse pclntab(PC Line Table);
  • strings.py: Parse strings 和 string pointers;
  • moduldata.py: Parse firstmoduledata
  • types_builder.py: Parse types
  • itab.py: Parse itab(Interface Table).

Additionally, the str_ptr.py will parse string pointers by specify the start address and end address of string pointers manually.

Note

  1. This branch is written in Python2 for IDAPython, and tested only on IDA7.2/IDA7.0;
  2. The strings parsing module was migrated from golang_loader_assist, and I added the feature of string pointers parsing. It only supports x86(32bit & 64bit) architecture for now.
Download
R K

Share
Published by
R K
Tags: Go_ParserGolangIDAProParser
4 years ago

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago