Analyzing Golang Malware with Ghidra

What Is This

Analyzing Golang Malware with Ghidra is a specialized technical skill focused on reverse engineering malware compiled with the Go (Golang) programming language using Ghidra, the open-source disassembler and decompiler. This approach leverages custom scripts and plugins designed to address the unique challenges posed by Go binaries, such as complex function boundaries, stripped symbols, non-standard string formats, and Go-specific type systems. The skill enables analysts to recover function names, extract and reconstruct strings, and analyze the behavior of stripped or obfuscated Go binaries-tasks that are otherwise difficult due to Go's compilation and linking model.

Why Use It

Go has gained significant popularity among malware authors for several reasons. Go binaries are statically linked, meaning every dependency, including the Go runtime and standard library, is embedded in the final executable. This leads to very large binaries with thousands of functions and little to no reliance on system libraries. Additionally, Go binaries are often stripped of symbols and debug information, making traditional reverse engineering much more difficult. The default string handling in Go uses length-prefixed, non-null-terminated strings, further complicating string analysis with traditional tools.

Ghidra is a powerful and extensible reverse engineering suite, but out-of-the-box it does not natively handle Go’s unique binary structures. This skill bridges the gap by introducing procedures and scripts tailored for Go binaries, enabling analysts to:

• Recover function boundaries and names in stripped binaries
• Extract readable strings from Go's custom string format
• Reconstruct Go types and structures for improved code comprehension
• Analyze concurrency constructs such as goroutines and channels

These capabilities are essential for malware analysts, incident responders, and security engineers who encounter Go-based malware in their investigations.

How to Use It

To analyze Golang malware with Ghidra effectively, follow these structured steps:

1. Prepare Your

Environment

• Install Ghidra (version 10.0 or later recommended)
• Obtain the relevant Go-specific Ghidra scripts and plugins. These may include:
  • GolangLoader: A script to identify Go binaries and automate initial analysis.
  • GoReSym: Tools for function name recovery based on symbol similarity.
  • String Extractors: Python or Jython scripts to locate and decode Go string objects.

You can find example scripts and resources at the Happycapy Skills repository.

2. Load the Go

Binary

• Open Ghidra, create a new project, and import the suspected Golang malware binary.
• Allow Ghidra to analyze the binary, but do not expect high accuracy in function boundaries or symbol names at this stage.

3. Identify Go Binary

Characteristics

• Go binaries usually start with the Go build ID in the file header.
• Look for Go-specific sections, such as .gopclntab, which maps program counters to function metadata.
• Use the GolangLoader script to identify and label Go-specific segments.

4. Recover Functions and

Names

• Run GoReSym or similar scripts to scan the .gopclntab section and recover function boundaries.
• Attempt function name recovery using control flow graph (CFG) similarity or signature matching.

Example (Jython script snippet to extract Go function names):

## Access .gopclntab and parse function names
gopclntab = currentProgram.getMemory().getBlock(".gopclntab")
if gopclntab:
    bytes = gopclntab.getBytes(0, gopclntab.getSize())
    # Parse function table (simplified)
    for i in range(0, len(bytes), entry_size):
        func_addr = parse_func_addr(bytes[i:i+entry_size])
        func_name = parse_func_name(bytes[i:i+entry_size])
        createFunction(func_addr, func_name)

5. Extract and Decode

Strings

• Use custom string extractor scripts to handle Go’s length-prefixed string format.
• Identify string objects in memory and decode them for readable analysis.

Example (Python snippet for Go string extraction):

def extract_go_strings(binary_data):
    # Go string: [pointer][length]
    for offset in range(0, len(binary_data)-8, 8):
        ptr = int.from_bytes(binary_data[offset:offset+4], 'little')
        length = int.from_bytes(binary_data[offset+4:offset+8], 'little')
        if is_probable_string(ptr, length):
            print(binary_data[ptr:ptr+length].decode('utf-8', errors='ignore'))

6. Reconstruct Types and Analyze

Concurrency

• Use scripts or manual analysis to reconstruct Go types (structs, interfaces) and identify goroutine usage.
• Trace channel operations and goroutine spawns to understand concurrency in the malware logic.

When to Use It

Apply this skill in several security scenarios:

• Incident Response: When a security incident involves unknown or suspicious Go binaries, use this methodology to decompile, analyze, and understand their capabilities.
• Detection Engineering: Build YARA rules or SIEM queries based on function names, strings, or behavioral patterns observed in the malware.
• Threat Intelligence: Attribute malware families and campaigns by extracting unique function names, strings, or Go-specific constructs.
• SOC Playbook Development: Create repeatable procedures for junior analysts to rapidly triage and investigate Go-based threats.

Important Notes

• Golang binaries can be very large and may tax Ghidra’s memory and processing capabilities. Allocate sufficient resources when analyzing such files.
• Automatic scripts may not recover all function names, especially in heavily obfuscated or custom-compiled binaries. Manual analysis is often required for advanced threats.
• Keep your Ghidra installation and Go-specific plugins up to date, as Go’s binary format can change between compiler versions.
• Document all findings, including recovered strings, function names, and key behaviors, to aid in future investigations and knowledge sharing.
• Always analyze malware in a controlled, isolated environment to prevent accidental execution or infection.

By integrating these procedures and tools into your workflow, you can efficiently dissect and understand Golang malware, significantly enhancing your malware analysis and reverse engineering capabilities.