GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary.
This tool supports all three major operating systems, Windows, macOS and Linux, as well as their respective executable formats, PE, ELF and Mach-O, for the x86, AMD64, ARM and ARM64 architectures.
GoResolver depends on the "GoGrapher" and "GoStrap" projects; the latter also depends on "GoProjectManager". Please make sure these dependencies are installed before using GoResolver.
To build GoResolver use Hatch's usual build command:
hatch build
The built archive will be placed in the "dist" directory as a .whl file. To install GoResolver, simply install the .whl file using pip.
pip install dist/goresolver-*.whl
Once installed, a new utility, goresolver, will be available.
usage: goresolver [-h] [-l [LIBS ...]] [-v [VERSIONS ...]] [-f] [-s] [-r COMPARE_REPORT] [-b BACKUP_PATH] [-o OUTPUT] [-t THRESHOLD] [-q] [-x] [-g] sample_path [reference_path]
positional arguments:
sample_path Path to the GO sample to analyze.
reference_path Path to the GO reference sample to compare to (if any).
options:
-h, --help show this help message and exit
-l, --libs [LIBS ...] List of GO libs to include in the generated samples.
-v, --go-version VERSION The GO version to build the reference samples with.
-f, --force Force build existing samples.
-s, --show Show available go versions.
-r, --compare-report COMPARE_REPORT Path to an already generated GoGrapher report.
-b, --backup-path BACKUP_PATH Path where to save the intermediary GoGrapher report.
-o, --output OUTPUT Path of the output JSON report.
-t, --threshold THRESHOLD Value at which matches are considered significant.
-q, --quiet Reduce the amount of logs.
-x, --extract Extract symbols from the Go sample.
-g, --graph Compare the Go sample against generated references.
Here is a typical workflow using GoResolver:
goresolver "path/to/sample.exe" -o "path/to/report.json"
-l, --libs [LIBS ...] List of GO libs to include in the generated samples.
-v, --go-version VERSION The GO version to build the reference samples with.
The --libs and --go-version options allow you to tweak which Go version and libraries are used to generate the reference sample.
By default, GoResolver will attempt to identify the Go version used to build the sample and, failing that, test a range of Go versions and select the closest one.
-t, --threshold THRESHOLD Value at which matches are considered significant.
The --threshold option allows you to tweak the confidence threshold required to accept symbols obtained through the graph algorithm, in a range of 0.0 to 1.0. The default value is 0.9.
-x, --extract Extract symbols from the Go sample.
-g, --graph Compare the Go sample against generated references.
The --extract and --graph options allow you to toggle either algorithm in isolation. Best results are achieved when both options are turned on, which is the default behavior.
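A small driver for the workflow above, added here as an example rather than code from the GoResolver project: it validates the threshold range, then runs goresolver twice, saving the GoGrapher report with -b on the first pass and reusing it with -r on the second so the threshold can be re-tuned without rebuilding references. It assumes goresolver is on PATH and that -r skips the reference build; the file names are placeholders.

```python
"""Drive the GoResolver CLI in two passes: build references once, then re-score.

Added example, not part of the GoResolver project. Assumes the `goresolver`
command from this README is on PATH and that `-r` reuses a GoGrapher report
saved earlier with `-b` instead of rebuilding the reference samples.
"""
import shutil
import subprocess
from pathlib import Path


def build_argv(sample, output, *, go_version=None, libs=(), threshold=0.9,
               compare_report=None, backup_path=None, quiet=False):
    """Assemble a goresolver command line from the options documented above.

    The threshold applies to CFG-similarity matches and must lie in 0.0..1.0.
    """
    if not 0.0 <= threshold <= 1.0:
        raise ValueError(f"threshold must be within 0.0..1.0, got {threshold}")
    argv = ["goresolver", str(sample), "-o", str(output), "-t", str(threshold)]
    if go_version:
        argv += ["-v", go_version]
    if libs:
        argv += ["-l", *libs]
    if compare_report:           # reuse an existing GoGrapher report (-r)
        argv += ["-r", str(compare_report)]
    elif backup_path:            # or keep the one this run generates (-b)
        argv += ["-b", str(backup_path)]
    if quiet:
        argv.append("-q")
    return argv


def resolve_two_pass(sample, workdir, go_version=None, libs=()):
    """Pass 1 builds references at the default 0.9 and saves the GoGrapher
    report; pass 2 re-scores from that report at a looser threshold so the
    analyst can compare both JSON outputs without a second reference build."""
    if shutil.which("goresolver") is None:
        raise RuntimeError("goresolver not found on PATH; install the .whl first")
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    grapher = workdir / "gographer_report.json"   # placeholder file name
    strict = build_argv(sample, workdir / "report_0.9.json", go_version=go_version,
                        libs=libs, threshold=0.9, backup_path=grapher)
    subprocess.run(strict, check=True)
    loose = build_argv(sample, workdir / "report_0.8.json", threshold=0.8,
                       compare_report=grapher, quiet=True)
    subprocess.run(loose, check=True)
    return [workdir / "report_0.9.json", workdir / "report_0.8.json"]
```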
GoResolver comes with plugins for both IDA and Ghidra in the Plugin directory of this repository.
These plugins make using GoResolver in conjunction with these tools easier, by giving an easy way to import reports generated by the CLI tool into their respective databases.
Both plugins share the same common directory. When installing one or the other, be sure to copy the accompanying ida or ghidra files as well.
To install the IDA plugin, copy the following files to the ~/.idapro/plugins/goresolver directory:
common/
goresolver_ida.py
ida-plugin.json
ida_config_form.py
To install the Ghidra plugin, copy the following files to your chosen plugin directory, e.g. ~/.ghidra/plugins/goresolver:
common/
goresolver_ghidra.py
Then add the directory to Ghidra's Script Manager.