Zxilly
commented
5 months ago This is certainly possible, and in fact existing methods based on decompilation already recognise some of them. But I discarded the results that could not be recognised as strings when I processed the results obtained from decompilation. Because false positives can be very disturbing. There is an additional difficulty, gsa currently supports three platforms, pe/macho/elf, and writing a parser for each platform or even each go version might be too much work. I would expect a parser based on dwarf to handle this, after all, at runtime the embedded content is just a string of bytes. golang uses dwarf on all platforms including pe, so the workload is relatively acceptable.
gudvinr
go:embedstores its data in.rodatasection of the binary file.I am not sure if it's possible to extract all of the content of
.rodatabut it would be useful to at least have some idea about embedded content.As for example, lingua-go stores tremendous amounts of embeds, so
.rodatawill take up ~100Mb of the file.Information on the exact data structure is rather sparse but it's somewhat simple because we know what does the embedding (it is https://pkg.go.dev/embed)
See also: