Open monoidic opened 3 months ago
Interesting.
There has been some work toward a similar goal, which can be seen in https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/data/typeinfo/golang/runtimesnapshot.go.
At first glance your code seems to generate signatures without all the manual work that runtimesnapshot.go takes. That seems nice. I will take a closer look during the week.
There has been some excellent progress on handling Go binaries in the latest releases of Ghidra. However, as of now, Ghidra is left to deduce the types of function arguments. A good chunk of them come from the standard library and are therefore known ahead of time. A good chunk of internal functions are also directly exposed in decompiled code when exported functions are small one- or two-line wrappers for unexported functions.
I made a small plugin for Ghidra before these updates composed of these parts:
The work I did could be considered "proof-of-concept" level, though it does end up with a <1MB .zip file (<10MB unzipped) with the type definitions and function signatures for everything in the Go standard library from go1.14 up to go1.22.0. If function/type definitions based on this work were to be introduced in Ghidra, in a similar way to `generic_clib` for C, then it would make unobfuscated Go binaries simpler to analyze with Ghidra. An alternative implementation of this idea is fully welcome, though I think this general idea is workable and there is a proof of concept already. Link to my PoC repository. It also generates the .zip files with GitHub Actions, as can be seen here.
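As an added example, not taken from this issue, from monoidic's PoC repository or from Ghidra, here is the core of the idea discussed above: harvesting function signatures from Go source with `go/types` instead of writing them by hand. The `strs` package source is a constructed stand-in for a standard-library package, and the `Signature` record (linker-style symbol name plus Go-spelled parameter and result types) is an assumed intermediate format, not Ghidra's data type archive format; unexported functions are kept because, as noted above, they show up directly in decompiled code.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"sort"
	"strings"
)

// sampleSrc is a constructed stand-in for a standard-library package. It has
// no imports, so go/types can check it without an Importer.
const sampleSrc = `package strs

type Builder struct{ buf []byte }

func (b *Builder) WriteString(s string) (int, error) { b.buf = append(b.buf, s...); return len(s), nil }

func Join(elems []string, sep string) string { return "" }

func Printf(format string, args ...interface{}) (n int, err error) { return 0, nil }

func unexported(x int) int { return x }
`

// Signature is an assumed intermediate record: the symbol as the Go linker
// names it (pkg.Func, pkg.Type.Method or pkg.(*Type).Method) plus the
// parameter and result types spelled the way Go does.
type Signature struct {
	Symbol  string
	Params  []string
	Results []string
}

// String renders the record in Go-like notation, e.g. "strs.Join([]string, string) string".
func (s Signature) String() string {
	res := ""
	switch len(s.Results) {
	case 0:
	case 1:
		res = " " + s.Results[0]
	default:
		res = " (" + strings.Join(s.Results, ", ") + ")"
	}
	return s.Symbol + "(" + strings.Join(s.Params, ", ") + ")" + res
}

// fromFunc turns a type-checked function or method into a Signature.
func fromFunc(pkg *types.Package, fn *types.Func) Signature {
	sig := fn.Type().(*types.Signature)
	// Types from the package itself print unqualified ("*Builder", not "*strs.Builder").
	q := types.RelativeTo(pkg)

	symbol := pkg.Path() + "."
	if recv := sig.Recv(); recv != nil {
		if ptr, ok := recv.Type().(*types.Pointer); ok {
			symbol += "(*" + ptr.Elem().(*types.Named).Obj().Name() + ")."
		} else {
			symbol += recv.Type().(*types.Named).Obj().Name() + "."
		}
	}
	symbol += fn.Name()

	s := Signature{Symbol: symbol}
	params := sig.Params()
	for i := 0; i < params.Len(); i++ {
		t := params.At(i).Type()
		// The last parameter of a variadic function is a slice; spell it as Go does.
		if sig.Variadic() && i == params.Len()-1 {
			s.Params = append(s.Params, "..."+types.TypeString(t.(*types.Slice).Elem(), q))
			continue
		}
		s.Params = append(s.Params, types.TypeString(t, q))
	}
	results := sig.Results()
	for i := 0; i < results.Len(); i++ {
		s.Results = append(s.Results, types.TypeString(results.At(i).Type(), q))
	}
	return s
}

// collectSignatures type-checks one package's source and returns every
// package-level function and every method on a package-level named type,
// exported or not, sorted by symbol name.
func collectSignatures(pkgPath, src string) ([]Signature, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, pkgPath+".go", src, 0)
	if err != nil {
		return nil, err
	}
	conf := types.Config{} // no Importer: the sample imports nothing
	pkg, err := conf.Check(pkgPath, fset, []*ast.File{f}, nil)
	if err != nil {
		return nil, err
	}
	var out []Signature
	scope := pkg.Scope()
	for _, name := range scope.Names() {
		switch o := scope.Lookup(name).(type) {
		case *types.Func:
			out = append(out, fromFunc(pkg, o))
		case *types.TypeName:
			if named, ok := o.Type().(*types.Named); ok {
				for i := 0; i < named.NumMethods(); i++ {
					out = append(out, fromFunc(pkg, named.Method(i)))
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Symbol < out[j].Symbol })
	return out, nil
}

func main() {
	sigs, err := collectSignatures("strs", sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, s := range sigs {
		fmt.Println(s)
	}
}
```

Running the same loop over the real `$GOROOT/src` with an `Importer` set (e.g. `importer.ForCompiler`) is what turns this into a per-Go-version signature dump; mapping the Go type strings onto Ghidra's own representations of strings, slices and interfaces is the part left to the archive generator.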