A tool generating and comparing control flow graphs of GO samples.

Project description

GoResolver

GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary.

This tool supports all three major operating systems (Windows, macOS and Linux) and their respective executable formats (PE, ELF and Mach-O) for the x86, AMD64, ARM and ARM64 architectures.

Dependencies

GoResolver depends on the "GoGrapher" and "GoStrap" projects; the latter also depends on "GoProjectManager". Please make sure these dependencies are installed before using GoResolver.

Build & Install

To build GoResolver, use Hatch's usual build command:

hatch build

The built archive will be placed in the "dist" directory as a .whl file. To install GoResolver, simply install the .whl file using pip.

pip install dist/goresolver-*.whl

Command Line Usage

Once installed, a new utility goresolver will be available.

usage: goresolver [-h] [-l [LIBS ...]] [-v [VERSIONS ...]] [-f] [-s] [-r COMPARE_REPORT] [-b BACKUP_PATH] [-o OUTPUT] [-t THRESHOLD] [-q] [-x] [-g] sample_path [reference_path]

positional arguments:
  sample_path                          Path to the GO sample to analyze.
  reference_path                       Path to the GO reference sample to compare to (if any).

options:
  -h, --help                           show this help message and exit
  -l, --libs [LIBS ...]                List of GO libs to include in the generated samples.
  -v, --go-version VERSION             The GO version to build the reference samples with.
  -f, --force                          Force build existing samples.
  -s, --show                           Show available go versions.
  -r, --compare-report COMPARE_REPORT  Path to an already generated GoGrapher report.
  -b, --backup-path BACKUP_PATH        Path where to save the intermediary GoGrapher report.
  -o, --output OUTPUT                  Path of the output JSON report.
  -t, --threshold THRESHOLD            Value at which matches are considered significant.
  -q, --quiet                          Reduce the amount of logs.
  -x, --extract                        Extract symbols from the Go sample.
  -g, --graph                          Compare the Go sample against generated references.

Here is a typical workflow using GoResolver:

goresolver "path/to/sample.exe" -o "path/to/report.json"

Options

-l, --libs [LIBS ...]                List of GO libs to include in the generated samples.
-v, --go-version VERSION             The GO version to build the reference samples with.

The --libs and --go-version options allow you to choose which Go version and libraries are used to generate the reference samples.

By default, GoResolver will attempt to identify the Go version used to build the sample and, failing that, test a range of Go versions and select the closest one.

-t, --threshold THRESHOLD            Value at which matches are considered significant.

The --threshold option lets you set the confidence threshold, in the range 0.0 to 1.0, above which symbols obtained through the graph algorithm are accepted. The default value is 0.9.
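To illustrate what the threshold gates, here is an added toy example, not GoResolver's or GoGrapher's own code: each function is a small CFG (dict of block id to successor ids), similarity is a weighted Jaccard score over block in/out-degree shapes (a stand-in for the real graph comparison, which this page does not describe), and a stripped sample function only receives a reference symbol when its best score reaches the threshold. All function names, CFGs and scores below are constructed.

```python
from collections import Counter


def cfg_shape(cfg):
    """Multiset of (in_degree, out_degree) per block: independent of block
    addresses and names, so it survives symbol stripping (illustrative only)."""
    indeg = Counter()
    for succs in cfg.values():
        for s in succs:
            indeg[s] += 1
    return Counter((indeg[b], len(succs)) for b, succs in cfg.items())


def similarity(a, b):
    """Weighted Jaccard similarity of two CFG shapes, in [0.0, 1.0]."""
    sa, sb = cfg_shape(a), cfg_shape(b)
    inter = sum((sa & sb).values())
    union = sum((sa | sb).values())
    return inter / union if union else 0.0


def resolve(sample, references, threshold=0.9):
    """Give each stripped sample function the name of its best-matching
    reference function, but only when the best score reaches the threshold
    (0.9 is the README's default)."""
    resolved = {}
    for addr, cfg in sample.items():
        best_name, best_score = None, 0.0
        for name, ref_cfg in references.items():
            score = similarity(cfg, ref_cfg)
            if score > best_score:
                best_name, best_score = name, score
        if best_name is not None and best_score >= threshold:
            resolved[addr] = (best_name, best_score)
    return resolved


# Constructed data: reference CFGs from a hypothetical rebuilt library and two
# stripped sample functions. sub_401000 has exactly the diamond shape of
# example1; sub_402000 (straight line) only partially overlaps both references.
REFERENCES = {
    "pkg.example1": {0: [1, 2], 1: [3], 2: [3], 3: []},  # diamond
    "pkg.example2": {0: [1], 1: [2], 2: [1, 3], 3: []},  # loop
}
SAMPLE = {
    "sub_401000": {10: [11, 12], 11: [13], 12: [13], 13: []},
    "sub_402000": {20: [21], 21: [22], 22: [23], 23: []},
}
```

With the default threshold only sub_401000 is resolved (score 1.0); sub_402000 scores about 0.33 against both references and is left unnamed, which is the false-positive control the threshold provides.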

-x, --extract                        Extract symbols from the Go sample.
-g, --graph                          Compare the Go sample against generated references.

The --extract and --graph options allow you to run either algorithm in isolation. Best results are achieved when both options are turned on, which is the default behavior.

Plugins

GoResolver comes with plugins for both IDA and Ghidra in the Plugin directory of this repository. These plugins make using GoResolver in conjunction with those tools easier by providing a simple way to import reports generated by the CLI tool into their respective databases.

Both plugins share the same common directory. When installing one or the other be sure to copy the accompanying ida or ghidra files as well.

IDA

To install the IDA plugin, copy the following files to the ~/.idapro/plugins/goresolver directory:

common/
goresolver_ida.py
ida-plugin.json
ida_config_form.py

Ghidra

To install the Ghidra plugin, copy the following files to a plugin directory of your choice, e.g. ~/.ghidra/plugins/goresolver:

common/
goresolver_ghidra.py

Then add the directory to Ghidra's Script Manager.

File details

Details for the file goresolver-1.1.0.tar.gz.

File metadata

  • Download URL: goresolver-1.1.0.tar.gz
  • Upload date:
  • Size: 27.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for goresolver-1.1.0.tar.gz
Algorithm Hash digest
SHA256 4c95209428ec445cfbfde91e6f4c3a2e8c91d8b0ecdd48d944003d21fef7ef9e
MD5 d0eea2eec2a176257c7fd75f87ea8cd5
BLAKE2b-256 01eba628bfd814b721372dcbfa77d24582152ecbf0244ffd8ace3ee436697521

Provenance

The following attestation bundles were made for goresolver-1.1.0.tar.gz:

Publisher: publish.yml on volexity/GoResolver

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file goresolver-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: goresolver-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 33.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for goresolver-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9cf7ca29e6295d89910c85da8d3be8380d576a25ee58f45d7df67bd0c5136e4c
MD5 b4efadea9fbad9e900bbc716c8964bbb
BLAKE2b-256 a88c385af8aae5fce5941f451b89e1fb35f0064b784d78860826a55b1f285b55

Provenance

The following attestation bundles were made for goresolver-1.1.0-py3-none-any.whl:

Publisher: publish.yml on volexity/GoResolver

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
