This document discusses analyzing and reversing Go binaries. It shows that Go binaries contain the Go runtime, main code, and imported libraries. The .gopclntab section contains function information like addresses and name offsets that can be used to recover function names in stripped binaries. Analyzing the .gopclntab section is one way to reverse engineer stripped Go binaries along with using the debug/gosym Go package.

1. Reverse on Go
frozenkp@BambooFox

2. Why Go?
❖ More Big
❖ More Complicated
❖ More malwares written in Go
■ GoBot
■ GoBot2
■ GoAT

3. Why Go?
❖ More Big
❖ More Complicated
❖ More malwares written in Go
❖ Applications in Go
■ Docker
■ Blockchain

4. Hello World in C

5. Hello World in Go

6. Take “Hello World” as example
❖ runtime: 911
❖ main: 2
❖ imported library: 1187
What’s in Go binary ?
Executable
Go Runtime
Main Code
Imported
Library

7. Stripped Go Binary
Executable
Go Runtime
Main Code
Imported
Library
ExecutableExecutable
? ? ?
Strip

8. Something interesting

9. ❖ .gosymtab (Null after go1.3)
❖ .gopclntab
What’s in section ?

10. .gopclntab

11. .gopclntab (section header)

12. .gopclntab (size)

13. .gopclntab (function information)

14. .gopclntab (function address)

15. .gopclntab (name offset)

16. name_offset = (dword)[ .gopclntab + 8 + offset ]
name = (string)[ .gopclntab + name_offset]
Offset ?

17. .gopclntab = 0x0052f780
func_addr = 0x4010b0
offset = 0x8460

18. offset + 0x8 + .gopclntab = 0x537be8
name_offset = 0x84a0

19. .gopclntab + name_offset = 0x537c20
name = “runtime.memhash8”
0x4010b0 → “runime.memhash8”

20. Use .gopclntab to recover stripped go binary.
❖ Go pkg: debug/gosym
❖ By yourself
Conclusion

21. Reference
❖ Bsides-GO-Forth-And-Reverse
❖ Reversing GO binaries like a pro
❖ debug/gosym