IDApython Scripts for Analyzing Golang Binaries

AlphaGolang

by Juan Andres Guerrero-Saade (JAG-S @ SentinelLabs)

Description:

AlphaGolang is a collection of IDAPython scripts to help malware reverse engineers master Go binaries. The idea is to break the scripts into concrete steps, thus avoiding brittle monolithic scripts, and mimicking the methodology an analyst might follow when tackling a Go binary.

Scripts are released under the GPL license (honoring Tim Strazzere's original golang_loader_assist, which we refactored and updated for Python 3; props to Tim :) ). Contributions are welcome and encouraged!

Requirements: IDA Pro (ideally v7.6+) and Python 3 (ew). The first two steps (recreate_pclntab and function_discovery_and_renaming) work on IDA v7.5 and earlier, but the scripts beyond that require IDA v7.6+. Newer IDA versions are the target for new scripts going forward.

Original Reference: Mandiant Cyber Defense Summit 2021 talk (Video Pending)

AlphaGolang Analysis Methodology

  • Step 0: YARA rule to identify Go binaries (PE/ELF/Mach-O)

    • identify_go_binaries.yara
      • Simple header check + regex for the Go build ID string.
      • Could probably improve the build ID length range.
  • Step 1: Recreate pcln table

    • recreate_pclntab.py (works on IDA v7.5 and earlier)
      • Recreates the gopclntab section from heuristics
      • Mostly useful for IDA v7.5 and earlier
  • Step 2: Discover functions by walking pcln table and add names to all

    • function_renaming.py (works on IDA v7.5 and earlier)
      • Split from golang_loader_assist
      • Brute-forces discovery of missing functions by walking the pcln table
      • Fixed some function name cleaning issues from the Python 3 transition
      • Refactored with improvements for Go v1.18 based on Akamai's Panchan research; thanks to Alex (CycleOfTheAbsurd)
  • Step 3: Surface user-generated functions

    • categorize_go_folders.py (requires IDA v7.6+)
      • Automagically categorizes functions into folders
      • Requires IDA v7.6+ with 'Show folders' enabled in the Functions view
      • UPDATE 05.16.2022: Fixed conflict with IDA v7.7 folder sort
      • Highly recommended: revert Lumina metadata before running this script
  • Step 4: Fix string references

    • fix_string_cast.py
      • Split from golang_loader_assist
      • Added logic to undefine previously existing string blobs before defining a new string
      • New sanity checks make it far more effective
  • Step 5: Extract type information (by Ivan Kwiatkowski)

    • extract_types.py
      • Comments the arguments of all calls to newobject, makechan, etc.
      • Applies the correct C type to these objects and renames them
      • Obtains the human-readable name and adds it as a comment
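The two-part check Step 0 describes, carried out in Python rather than YARA as an added example (this is not the repository's identify_go_binaries.yara, and the regex alphabet and the 40-120 length window are this example's assumptions): an executable header test, then a search for the build ID in the form the Go linker writes for that format, a `Go build ID: "…"` text string in PE and Mach-O files and a `.note.go.buildid` note (name `Go`, type 4, little-endian fields assumed) in ELF files. The samples at the bottom are constructed byte strings, not real binaries.

```python
import re
import struct

# Executable magics checked before looking for any Go marker: MZ (PE), \x7fELF, and the
# Mach-O 32/64-bit magics in both byte orders plus the fat (universal) header.
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# For PE and Mach-O the Go linker writes the build ID into the text segment as
#   \xff Go build ID: "<id>"\n \xff
# The 40-120 length window is an assumption of this example (the README itself says the range
# could be improved); IDs produced by the go tool are four 20-character groups joined by '/'.
BUILD_ID_TEXT_RE = re.compile(rb'Go build ID: "([A-Za-z0-9_\-/]{40,120})"')

# ELF binaries carry the ID in a .note.go.buildid note instead of the text string:
#   namesz=4, descsz=<len>, type=4, name "Go\0\0", desc=<id>   (little-endian fields assumed)
ELF_GO_NOTE_RE = re.compile(rb"\x04\x00\x00\x00(.{4})\x04\x00\x00\x00Go\x00\x00", re.DOTALL)


def executable_format(data):
    """Header check only: 'PE', 'ELF', 'Mach-O' or None."""
    if data.startswith(PE_MAGIC):
        return "PE"
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    return None


def go_build_id(data):
    """Return (format, build_id) for a Go executable, or None.

    Same shape as the Step 0 rule: the file must look like an executable and it must carry
    a Go build ID in the form the linker uses for that format.
    """
    fmt = executable_format(data)
    if fmt is None:
        return None
    if fmt == "ELF":
        for m in ELF_GO_NOTE_RE.finditer(data):
            descsz = struct.unpack("<I", m.group(1))[0]
            desc = data[m.end():m.end() + descsz]
            if 40 <= descsz <= 120 and len(desc) == descsz:
                return fmt, desc.decode("ascii", "replace")
    m = BUILD_ID_TEXT_RE.search(data)
    if m:
        return fmt, m.group(1).decode("ascii")
    return None


# --- constructed samples (byte strings made up for this example, not real binaries) ------------
SAMPLE_ID = "/".join(["2dT5kxvE8hLFi4ncWfP4", "wTvNDq3XFh1Xr0t9_zoH",
                      "Hb5iHS5OuXRvSUlvUdWm", "PTgQDSZuf-EBsz1AGNU8"])


def _go_note(build_id):
    body = build_id.encode("ascii")
    note = struct.pack("<III", 4, len(body), 4) + b"Go\x00\x00" + body
    return note + b"\x00" * (-len(note) % 4)        # note records are 4-byte aligned


SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * 60 + b"\xff Go build ID: \"" + SAMPLE_ID.encode("ascii")
             + b"\"\n \xff" + b"\x00" * 32)
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + _go_note(SAMPLE_ID) + b"\x00" * 32
SAMPLE_NOT_GO = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 32
SAMPLE_TEXT = b'Go build ID: "' + SAMPLE_ID.encode("ascii") + b'"'   # marker but no executable header

if __name__ == "__main__":
    for label, blob in [("pe", SAMPLE_PE), ("elf", SAMPLE_ELF), ("not-go", SAMPLE_NOT_GO), ("text", SAMPLE_TEXT)]:
        print(label, go_build_id(blob))
```

The header test is what keeps a stray `Go build ID:` string in a text file or a memory dump from counting as a hit; the ELF branch exists because ELF binaries do not get the text-segment string at all, so a rule that only greps for it will miss Linux samples.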
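Steps 1 to 3 outside IDA, as an added example that is not code from AlphaGolang: locate a pcHeader by the same kind of byte heuristic Step 1 relies on, walk the Go 1.18+ functab to recover every function's start, end and name (Step 2), and group the names by package to surface user code (Step 3). The 64-bit little-endian layout, the folder scheme and the stdlib-versus-module split are this example's assumptions, and the table it parses is built inside the block, not dumped from a real binary.

```python
import re
import struct

# pcHeader magics (runtime/symtab.go). 0xFFFFFFFA (Go 1.16/1.17) has no textStart field and uses
# pointer-sized functab entries, so it is detected but not walked; 0xFFFFFFF1 (Go 1.20+) only adds a
# startLine field to _func after the two fields read here. Layout assumed: 64-bit, little-endian.
MAGIC_GO116, MAGIC_GO118, MAGIC_GO120 = 0xFFFFFFFA, 0xFFFFFFF0, 0xFFFFFFF1
HEADER_SIZE = 8 + 8 * 8     # magic, pad, minLC, ptrSize + eight uintptr fields
FUNC_STRUCT_SIZE = 40       # Go 1.18 _func; only its entryoff/nameOff prefix is read

# Step 1 heuristic: magic, two zero pad bytes, a plausible minLC and ptrSize.
PCHEADER_RE = re.compile(rb"[\xf0\xf1\xfa]\xff\xff\xff\x00\x00[\x01\x02\x04][\x04\x08]")


def find_pclntab(data):
    """Offsets of every byte run that looks like a pcHeader."""
    return [m.start() for m in PCHEADER_RE.finditer(data)]


def walk_pclntab(data, base=0):
    """Step 2: [(start_va, end_va, name)] for every function in the Go 1.18+ table at base."""
    magic, _pad1, _pad2, _min_lc, ptr_size = struct.unpack_from("<IBBBB", data, base)
    if magic not in (MAGIC_GO118, MAGIC_GO120):
        raise ValueError("unsupported pclntab magic 0x%08x" % magic)
    if ptr_size != 8:
        raise ValueError("only the 64-bit layout is handled here")
    (nfunc, _nfiles, text_start, funcname_off, _cu_off,
     _filetab_off, _pctab_off, pcln_off) = struct.unpack_from("<8Q", data, base + 8)
    functab = base + pcln_off             # funcoff values below are relative to this point
    funcs = []
    for i in range(nfunc):
        entry_off, func_off = struct.unpack_from("<II", data, functab + 8 * i)
        next_off = struct.unpack_from("<I", data, functab + 8 * (i + 1))[0]  # trailing entry = end of text
        f_entry_off, name_off = struct.unpack_from("<Ii", data, functab + func_off)
        if f_entry_off != entry_off:      # cheap check against a wrong base or a damaged table
            raise ValueError("functab/_func entry mismatch at index %d" % i)
        name_start = base + funcname_off + name_off
        name = data[name_start:data.index(b"\x00", name_start)].decode("utf-8")
        funcs.append((text_start + entry_off, text_start + next_off, name))
    return funcs


def package_of(name):
    """Import path of a symbol: text up to the first '.' after the last '/'.
    Handles methods ('main.(*T).M'), generics ('pkg.F[...]') and nested paths."""
    dot = name.find(".", name.rfind("/") + 1)
    return name if dot == -1 else name[:dot]


def categorize(funcs):
    """Step 3: group names into folders. 'main' is user code; a path whose first element holds a
    dot (a domain) is treated as a third-party module; anything else as stdlib/runtime.
    That split is this example's heuristic, not the plugin's rule."""
    folders = {}
    for _start, _end, name in funcs:
        pkg = package_of(name)
        if pkg == "main":
            folder = "user/main"
        elif "." in pkg.split("/", 1)[0]:
            folder = "thirdparty/" + pkg
        else:
            folder = "stdlib/" + pkg
        folders.setdefault(folder, []).append(name)
    return folders


# --- constructed sample: a minimal Go 1.18-layout table, not dumped from a real binary ---------
SAMPLE_TEXT_START = 0x401000
SAMPLE_FUNCS = [            # (offset from text start, name); the module path is fictional
    (0x0000, "runtime.newobject"),
    (0x0120, "encoding/json.(*Decoder).Decode"),
    (0x0400, "github.com/example/c2lib.(*Beacon).Send"),
    (0x0800, "main.(*implant).checkIn"),
    (0x0a00, "main.main"),
]
SAMPLE_TEXT_END = 0x0c00


def build_sample_pclntab(text_start, funcs, text_end):
    names, name_offs = b"", []
    for _off, name in funcs:
        name_offs.append(len(names))
        names += name.encode("utf-8") + b"\x00"
    pcln_off = (HEADER_SIZE + len(names) + 7) & ~7
    functab_size = 8 * (len(funcs) + 1)
    functab, records = b"", b""
    for i, (off, _name) in enumerate(funcs):
        functab += struct.pack("<II", off, functab_size + i * FUNC_STRUCT_SIZE)
        records += struct.pack("<Ii", off, name_offs[i]) + b"\x00" * (FUNC_STRUCT_SIZE - 8)
    functab += struct.pack("<II", text_end, 0)
    header = struct.pack("<IBBBB", MAGIC_GO118, 0, 0, 1, 8) + struct.pack(
        "<8Q", len(funcs), 0, text_start, HEADER_SIZE, 0, 0, 0, pcln_off)
    body = header + names
    return body + b"\x00" * (pcln_off - len(body)) + functab + records


SAMPLE_PCLNTAB = build_sample_pclntab(SAMPLE_TEXT_START, SAMPLE_FUNCS, SAMPLE_TEXT_END)

if __name__ == "__main__":
    image = b"\x00" * 0x40 + SAMPLE_PCLNTAB      # pretend the table sits somewhere in a section
    for off in find_pclntab(image):
        for folder, names in sorted(categorize(walk_pclntab(image, off)).items()):
            print(folder, names)
```

Inside IDA the same walk would feed each `(start, end, name)` triple to `ida_funcs.add_func` and `idc.set_name` instead of returning it; the entry-offset cross-check between the functab entry and the `_func` record is the kind of sanity test that stops a mis-located table from spraying bogus functions across the database.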

Pending fixes and room for contributions:

  • fix_string_cast.py
    • Still needs refactoring and better string-load heuristics
    • Can lead to a lock-up on massive binaries
    • Missing some indirect string-load mechanisms
  • extract_types.py
    • Works on PE and Mach-O files currently by looking for the hardcoded .rdata or __rodata section names.
    • A proper check for, and implementation of, varint-encoded sizes is still needed
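The lookup Step 5 performs at each newobject/makechan call, together with the varint question raised in the pending fixes, as an added example that is not extract_types.py: parse the 64-bit `rtype` header the call's argument points to, then decode its name record with either length encoding (two big-endian bytes before Go 1.17, a uvarint from Go 1.17 on) and drop the extra leading `*` that the runtime drops. `guess_varint_len` is this example's plausibility check, not the project's; the rtype bytes are constructed in the block, and `types_base` stands in for the module's `types` address.

```python
import struct

# 64-bit rtype header (reflect/type.go; field order unchanged since Go 1.14 renamed alg to equal):
# size, ptrdata | hash | tflag, align, fieldAlign, kind | equal, gcdata | str nameOff | ptrToThis
RTYPE_FMT = "<QQIBBBBQQii"
RTYPE_SIZE = struct.calcsize(RTYPE_FMT)    # 48
TFLAG_EXTRA_STAR = 1 << 1                   # stored name carries a leading '*' that rtype.String() drops
KIND_MASK = (1 << 5) - 1
KINDS = ["invalid", "bool", "int", "int8", "int16", "int32", "int64", "uint", "uint8", "uint16",
         "uint32", "uint64", "uintptr", "float32", "float64", "complex64", "complex128", "array",
         "chan", "func", "interface", "map", "ptr", "slice", "string", "struct", "unsafe.Pointer"]


def read_uvarint(data, off):
    """Unsigned LEB128 as encoding/binary.Uvarint reads it; returns (value, next_offset)."""
    value, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, off
        shift += 7


def decode_name(data, off, varint_len):
    """Decode a reflect 'name' record: flag byte, length, bytes, optional tag.
    Go 1.17+ stores each length as a uvarint; Go 1.16 and older used two big-endian bytes."""
    def read_len(p):
        if varint_len:
            return read_uvarint(data, p)
        return (data[p] << 8) | data[p + 1], p + 2

    flags = data[off]
    n, pos = read_len(off + 1)
    if n == 0 or pos + n > len(data):
        raise ValueError("implausible name length %d at 0x%x" % (n, off))
    name = data[pos:pos + n].decode("utf-8")
    pos += n
    tag = ""
    if flags & (1 << 1):                     # bit 1: tag data follows the name
        tn, pos = read_len(pos)
        tag = data[pos:pos + tn].decode("utf-8")
    return name, tag, bool(flags & 1)        # bit 0: exported


def guess_varint_len(data, off):
    """The check the README lists as pending: try both encodings and keep the one that yields a
    printable name. Returns True (varint), False (two-byte) or None when it cannot tell."""
    ok = {}
    for mode in (True, False):
        try:
            ok[mode] = decode_name(data, off, mode)[0].isprintable()
        except (ValueError, IndexError):     # UnicodeDecodeError is a ValueError
            ok[mode] = False
    return ok[True] if ok[True] != ok[False] else None


def describe_type(data, rtype_off, types_base, varint_len=None):
    """What Step 5 comments at a newobject/makechan call: the type's name, kind and size.
    nameOff values are relative to moduledata.types, passed here as types_base (0 for the sample)."""
    (size, _ptrdata, _hash, tflag, _align, _falign, kind,
     _equal, _gcdata, str_off, _ptr_to_this) = struct.unpack_from(RTYPE_FMT, data, rtype_off)
    name_off = types_base + str_off
    if varint_len is None:
        varint_len = guess_varint_len(data, name_off)
        if varint_len is None:
            raise ValueError("cannot tell the length encoding; pass varint_len for this Go version")
    name = decode_name(data, name_off, varint_len)[0]
    if tflag & TFLAG_EXTRA_STAR:
        name = name[1:]
    kind &= KIND_MASK
    return {"name": name, "kind": KINDS[kind] if kind < len(KINDS) else "kind%d" % kind, "size": size}


# --- constructed sample: one rtype followed by its name record, not taken from a real binary ----
def encode_name(name, varint_len, exported=True):
    body = name.encode("utf-8")
    n, length = len(body), b""
    if varint_len:
        while n >= 0x80:
            length += bytes([(n & 0x7F) | 0x80])
            n >>= 7
        length += bytes([n])
    else:
        length = struct.pack(">H", n)
    return bytes([1 if exported else 0]) + length + body


def build_sample_types(varint_len):
    """rtype of a named struct 'main.Beacon' (size 64, kind 25) with its name right after it."""
    tflag = TFLAG_EXTRA_STAR | (1 << 2)       # tflagNamed
    rtype = struct.pack(RTYPE_FMT, 64, 8, 0x5EED1234, tflag, 8, 8, 25, 0, 0, RTYPE_SIZE, 0)
    return rtype + encode_name("*main.Beacon", varint_len)


if __name__ == "__main__":
    for varint in (True, False):
        print("varint" if varint else "two-byte", describe_type(build_sample_types(varint), 0, 0))
```

Misreading the encoding fails in a recognisable way: a two-byte length read as a uvarint usually comes out as 0 (the high byte of a short length), and a uvarint read as two bytes swallows the first character of the name into the length and runs far past the record. Those two failure shapes are what `guess_varint_len` keys on, which is enough for the sample but should be replaced by a version check (from the build info or the pclntab magic) in a real script.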

Next steps:

  • Track strings references by user-generated functions
  • Auto generate YARA signatures based on user-generated functions
  • Generate hex-rays pseudocode output for user-generated functions
  • Automatically set breakpoints for dynamic analysis of arguments
  • ???

Credit to:

  • Tim Strazzere for releasing the original golang_loader_assist
  • Milan Bohacek (Avast Software s.r.o.) for his invaluable help figuring out the idatree API.
  • Joakim Kennedy (Intezer)
  • Ivan Kwiatkowski (Kaspersky GReAT) for step 5.
  • Igor Kuznetsov (Kaspersky GReAT)
  • Alex (a.k.a. CycleOfTheAbsurd) from ESET for refactoring Step 2 for Go v1.18 support.
