During the 2021 edition of the SAS conference, I had the pleasure of delivering a workshop focused on reverse-engineering Go binaries. The goal of the workshop was to share basic knowledge that would allow analysts to immediately start looking into malware written in Go. A YouTube version of the workshop was released around the same time.

Of course, the drawback of providing entry-level or immediately actionable information is that a few subtleties must be omitted. One particular topic I brushed aside was related to the way that Go creates objects.

In this screenshot taken from IDA Pro, we can see a call to the runtime.newobject function, which receives a structure as an argument (here, in the RDX register, two lines above the call). The malware presented in the workshop (Sunshuttle, from the DarkHalo APT, MD5 5DB340A70CB5D90601516DB89E629E43) is straightforward to the extent that it can be understood without paying too much attention to these objects. In the videos, I recommend ignoring these calls and instead focusing on documented Golang API functions. With the help of a debugger, it is easy to obtain the arguments and mentally reconstruct the original source code of the application.

However, Go malware following different coding practices could be littered with objects of this kind, to the point where the reverse engineer has no choice but to understand their nature in order to figure out what the code is supposed to do. Unfortunately, the contents of the structure passed as an argument to runtime.newobject do not immediately appear to contain useful information:
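To make the structure concrete, here is a small Go program I have added for this post (it is not part of the workshop material or the Sunshuttle sample). The pointer the compiler places in RDX before calling runtime.newobject is the address of the runtime's type descriptor for the object being allocated. The program mirrors the leading fields of that descriptor, grabs the descriptor pointer from an empty interface, and cross-checks the size and kind it reads against the reflect package. The `beacon` struct is a constructed stand-in for whatever a sample might allocate; the field names in `typeDescriptor` are my own and only the prefix shared by Go releases since 1.7 is modelled.

```go
package main

import (
	"fmt"
	"reflect"
	"unsafe"
)

// typeDescriptor mirrors the leading fields of the Go runtime's type descriptor
// (runtime._type, internal/abi.Type in newer releases). This is the structure whose
// address is passed to runtime.newobject. Only this stable prefix is read here.
type typeDescriptor struct {
	Size       uintptr        // size in bytes of a value of this type
	PtrBytes   uintptr        // number of leading bytes that can contain pointers
	Hash       uint32         // type hash (used for map keys of interface type)
	TFlag      uint8          // extra flags, e.g. whether the stored name has a leading '*'
	Align      uint8          // alignment of a variable of this type
	FieldAlign uint8          // alignment of a struct field of this type
	Kind       uint8          // low 5 bits: reflect.Kind; high bits: direct-iface / GC-program flags
	Equal      unsafe.Pointer // equality function, nil for non-comparable types
	GCData     unsafe.Pointer // GC pointer bitmap or program
	Str        int32          // name as an OFFSET into the module's type data, not a pointer
	PtrToThis  int32          // offset of the descriptor for *T, or 0 if absent
}

// eface mirrors the runtime layout of an empty interface: (type descriptor, data).
type eface struct {
	typ  *typeDescriptor
	data unsafe.Pointer
}

// kindMask matches runtime.kindMask: the reflect.Kind lives in the low 5 bits.
const kindMask = (1 << 5) - 1

// beacon is a constructed example type, standing in for a struct a sample might allocate.
type beacon struct {
	id     uint64
	c2     string
	jitter int32
}

// descriptorOf returns the runtime type descriptor of v's dynamic type. This is the
// same pointer the compiler passes to runtime.newobject when it allocates that type.
func descriptorOf(v interface{}) *typeDescriptor {
	return (*eface)(unsafe.Pointer(&v)).typ
}

// describe reads size and kind straight from the raw descriptor and returns reflect's
// view of the same type so the two can be compared.
func describe(v interface{}) (rawSize uintptr, rawKind reflect.Kind, reflSize uintptr, reflKind reflect.Kind) {
	d := descriptorOf(v)
	t := reflect.TypeOf(v)
	return d.Size, reflect.Kind(d.Kind & kindMask), t.Size(), t.Kind()
}

func main() {
	for _, v := range []interface{}{beacon{}, &beacon{}, []byte(nil), "c2.example.invalid"} {
		rs, rk, fs, fk := describe(v)
		d := descriptorOf(v)
		fmt.Printf("%-20T raw(size=%d kind=%v) reflect(size=%d kind=%v) str_off=%#x\n",
			v, rs, rk, fs, fk, d.Str)
	}
}
```

The cross-check passes for every kind, which confirms that the word in RDX is exactly this descriptor. It also shows why the structure looks unhelpful in a disassembler: the only "name" it carries is `Str`, a 32-bit offset that the runtime resolves against the module's type data base (see `runtime.resolveNameOff`), so no readable string is reachable by following pointers from the structure alone. Note the mask on `Kind`: for pointer types the runtime sets a flag in bit 5, so reading the byte without masking yields a value that does not correspond to any reflect.Kind.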