Go_Parser – Yet Another Golang Binary Parser For IDAPro

But An additional Golang Binary Parser For IDAPro



Be aware:

This master department is prepared in Python2 for IDAPython, and analyzed only on IDA7.2/IDA7.. If you use IDAPython with Python3 and bigger variation of IDAPro, please use Python3 Department for go_parser.

Encouraged by golang_loader_aid and jeb-golang-analyzer, I wrote a a lot more comprehensive Go binaries parsing tool for IDAPro.

Primary Features：

1. Identify and parse firstmoduledata structure in Go binary file, and make comment for each individual subject
2. Find pclntab(Personal computer Line Desk) in accordance to the firstmoduledata and parse it. Then locate and parse and recover function names and supply file paths in the pclntab. Supply file paths will be printed in the output window of IDAPro；
3. Parse strings and string pointers, make remark for just about every string, and make dref for each individual string pointer；
4. According to firstmoduledata, find every sort and parse it, meke remark for every attribute of variety, which will be quite handy for malware researcher to assess a complicated form or information structure definition；
5. Parse itab(Interface Desk).

Handy information to RE perform for Go binaries:

And there are two handy feature in go_parser:

1. It also work fine for binaries with malformed File Header facts, specially malformed Segment Headers info
2. All individuals characteristics above are valid for binaries built with buildmode=pie.

A config details structure in DDGMiner v5029 (MD5: 95199e8f1ab987cd8179a60834644663) parsing final result as below：

And the user-outlined resource file paths list:

Undertaking files：

• go_parser.py ：Entry file, press [Alt+F7] , find and execute this file；
• typical.py: Popular variables and functions definition；
• pclntbl.py: Parse pclntab(Computer Line Desk)
• strings.py: Parse strings 和 string pointers；
• moduldata.py: Parse firstmoduledata；
• varieties_builder.py: Parse kinds ；
• itab.py: Parse itab(Interface Desk).

In addition, the str_ptr.py will parse string ideas by specify the start off handle and conclusion handle of string ideas manually.

Take note

1. This department is published in Python2 for IDAPython, and examined only on IDA7.2/IDA7.
2. The strings parsing module was migrated from golang_loader_assist, and I extra the feature of string pointers parsing. It only supports x86(32little bit & 64little bit) architecture for now.

Refer

1. Examining Golang Executables
2. Reversing GO binaries like a pro
3. Reconstructing System Semantics from Go binaries.pdf
4. Go二进制文件逆向分析从基础到进阶——综述
5. Go二进制文件逆向分析从基础到进阶——MetaInfo、函数符号和源码文件路径列表
6. Go二进制文件逆向分析从基础到进阶——数据类型
7. Go二进制文件逆向分析从基础到进阶——itab与strings
8. Go二进制文件逆向分析从基础到进阶——Tips与实战案例

Impression and Short article Source website link

Read through Extra on Pentesting Resources