During 2023 (mostly in the spring), I did my master's thesis project on improving Go reversing. I did this by creating a Ghidra extension, which you can find in `/extension`.

You can find the thesis here: https://grenfeldt.dev/projects/masters-thesis/

During 2023, Ghidra gained much better built-in support for reversing Go binaries. If you are faced with a Go binary, I would suggest that you use the built-in support first, instead of this extension.
- It's very rough around the edges.
- Only works for Linux at the moment, since `../os/linux_x86_64/goretk_util` is hardcoded in `/extension/src/main/java/extension/metadata/Metadata.java`.
- You need to change `/path/to/go/src` in `extension/src/main/java/extension/LibrarySignatureAnalyzer.java` to point to your Go standard library source code directory.
- Run `./extension/build.sh`
- Import it into Ghidra
- Run the analyzers
To evaluate my extension, I compared it against some other extensions. The code for doing the evaluation is in `/eval_extension`, `/evaluation`, and `/forked_plugins`.

If you want to run the evaluation, you need to change a couple of things:

- In `/evaluation/decompileAndEvaluate.sh` change `GHIDRA_10_2_3_DIR`, `GHIDRA_10_3_DIR`, and `MONOIDIC_PARSE_JSON`
- In `/forked_plugins/Ghidra_GolangAnalyzerExtension/gradle.properties` change `GHIDRA_INSTALL_DIR` to point to your install of Ghidra 10.2.3.
- In `/forked_plugins/golang-ghidra/gradle.properties` change `GHIDRA_INSTALL_DIR` to point to your install of Ghidra 10.2.3.
- There are probably things you have to change in `/eval_extension` as well.
To find x86_64 Go binaries, I used a Yara rule to look for the assembly of duffcopy. The rule is in `/golang_duffcopy_amd64.yara`.
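The same idea, a scanner that flags an ELF file as a probable Go x86_64 binary by looking for the unrolled `runtime.duffcopy` instruction sequence, written out as a pure-Python triage script. This is an added example, not the repository's Yara rule or any code from the thesis project: the byte encoding of one duffcopy step (`MOVUPS (SI),X0; ADDQ $16,SI; MOVUPS X0,(DI); ADDQ $16,DI`) and the threshold of eight consecutive repetitions are my assumptions, and the sample inputs are constructed in the script rather than taken from real binaries.

```python
"""Added example: find probable Go x86_64 ELF binaries by the duffcopy pattern.

This is not the project's Yara rule; it applies the same heuristic in Python
so it can be run over a directory of samples without Yara installed.
"""
import re
import struct
import sys
from pathlib import Path

# Assumed encoding of one unrolled duffcopy step on amd64 (Go's
# runtime/duff_amd64.s repeats this block 64 times and ends with RET):
#   MOVUPS (SI), X0     0f 10 06
#   ADDQ   $16, SI      48 83 c6 10
#   MOVUPS X0, (DI)     0f 11 07
#   ADDQ   $16, DI      48 83 c7 10
DUFFCOPY_STEP = bytes.fromhex("0f1006 4883c610 0f1107 4883c710")

# One or two copies of the block could appear in hand-written copy loops;
# requiring a long consecutive run keeps false positives down (assumed value).
MIN_REPEATS = 8
DUFFCOPY_RE = re.compile(b"(?:" + re.escape(DUFFCOPY_STEP) + b"){%d,}" % MIN_REPEATS)

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
EM_X86_64 = 0x3E


def is_elf64_x86_64(data: bytes) -> bool:
    """Check the ELF identification bytes and e_machine of a 64-bit header."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        return False
    fmt = "<H" if data[5] == ELFDATA2LSB else ">H"
    (e_machine,) = struct.unpack(fmt, data[18:20])  # e_machine sits at offset 18
    return e_machine == EM_X86_64


def count_duffcopy_steps(data: bytes) -> int:
    """Length, in unrolled steps, of the longest duffcopy-like run (0 if none)."""
    longest = 0
    for match in DUFFCOPY_RE.finditer(data):
        longest = max(longest, len(match.group(0)) // len(DUFFCOPY_STEP))
    return longest


def looks_like_go_amd64(data: bytes) -> bool:
    """Verdict for one file image: 64-bit x86 ELF plus a long duffcopy run."""
    return is_elf64_x86_64(data) and count_duffcopy_steps(data) >= MIN_REPEATS


def build_sample(go_like: bool) -> bytes:
    """Constructed ELF64/x86-64-looking blob for demonstration (not a real binary)."""
    header = bytearray(64)
    header[:4] = ELF_MAGIC
    header[4] = ELFCLASS64
    header[5] = ELFDATA2LSB
    header[18:20] = struct.pack("<H", EM_X86_64)
    body = b"\x90" * 32  # some NOP padding before the "text"
    if go_like:
        body += DUFFCOPY_STEP * 64 + b"\xc3"  # full unrolled duffcopy followed by RET
    else:
        body += DUFFCOPY_STEP * 2 + b"\xc3"   # a short copy loop body, not Go's duffcopy
    return bytes(header) + body


def scan_paths(paths):
    """Yield (path, verdict) for each regular file given or found under a directory."""
    for root in map(Path, paths):
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for path in files:
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            yield path, looks_like_go_amd64(data)


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} FILE_OR_DIR...", file=sys.stderr)
        return 2
    for path, verdict in scan_paths(argv[1:]):
        print(f"{'GO' if verdict else '--'} {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ELF header check is there so that the byte pattern is only consulted on files where it can mean anything; on its own, a 14-byte instruction sequence is too short to be a reliable signature, which is why the run length is counted rather than a single hit. Binaries with the duffcopy run stripped or rewritten will not be found this way, so treat the verdict as a triage hint, not proof.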