- #Ida pro reverse engineering manual
- #Ida pro reverse engineering code
- #Ida pro reverse engineering series
However, the situation has changed in the past few years and we should reassess our collective abhorrence of Go malware. With all those inadvertent obstacles in mind, it’s perfectly understandable that reversers dreaded analyzing Go binaries. Good luck navigating that without symbols. For us it translates into a mess of runtime function prologues before any meaningful functionality. Go is peculiar in allocating a runtime stack owned by the caller function that will in turn handle arguments and allow for multiple return values. While a debugger certainly helps determine arguments at runtime, it’s important to understand how indirect that runtime is.
#Ida pro reverse engineering manual
The issue of arguments should prove disturbing for our dynamic analyst friends who were hoping that a debugger would spare them the trouble of manual analysis. That’s without getting into the complexities of recovering structures, accurately portraying function types, interfaces, and channels, or properly tracing argument references. “Hello World!” string lost in a sea of unrelated strings.Įven the better disassemblers and decompilers tend to display these unparsed string blobs confusing their intended purpose. That’s a much safer implementation but it means that even a cursory glance at a Go binary means dealing with giant blobs of unrelated strings. The linker places strings in incremental order of length and functions load these strings with a reference to a fixed length. To make things worse, Go doesn’t null-terminate strings.
#Ida pro reverse engineering code
Hello World source code Mach-o binary = 2.0mb
That bulky size entails a maze of standard code to confuse reverse engineers down long unproductive rabbit holes, steering them away from the sparse user-generated code that implements the actual functionality. The binaries are then easily stripped of debug symbols and can be UPX packed to mask their size quite effectively. Due to the approach of statically-linking dependencies, the simplest Go binary is multiple megabytes in size and one with proper functionality can figure in the 15-20mb range. Go binaries present multiple peculiarities that make our lives a little harder. Our hope is that members of the community will feel inspired to share additional resources to bolster our collective analysis powers.Ī Quick Intro to the Woes of Go Binary Analysis
#Ida pro reverse engineering series
In an attempt to further dispel that myth, we’ve set out to share a series of scripts that simplify the task of analyzing Go binaries using IDA Pro with a friendly methodology. While our tooling has generally improved, the perception that Go binaries are difficult to analyze remains. On the other hand, for analysts, it’s meant learning the inadequacies of our tooling and contending with a foreign programming paradigm. The language offers great benefits for malware developers: portability of statically-linked dependencies, speed of simple concurrency, and ease of cross-compilation. The increasing popularity of Go as a language for malware development is forcing more reverse engineers to come to terms with the perceived difficulties of analyzing these gargantuan binaries.