mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

ELF: Detect OS from Go binaries #1987

Closed williballenthin closed 2 months ago

williballenthin commented 6 months ago

Use the strategies pioneered by GoReSym to detect the target OS for ELF binaries compiled by Go:

closes #1978 FYI @C0d3R3ad3r FYI @stevemk14ebr

Checklist

williballenthin commented 6 months ago

Thank you for the feedback - I was being lazy. I'll add some test files and some test cases.

stevemk14ebr commented 6 months ago

I would recommend testing on old Go versions prior to 1.18 when buildinfo was added. I would also recommend testing with binaries emitted by garble and gobfuscate, which can mess with symbol names. Otherwise LGTM with the above notes in mind.
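As an added illustration of the buildinfo half of the strategy discussed in this thread (this is example code, not capa's or GoReSym's implementation): parse the Go 1.18+ inline `.go.buildinfo` layout, read `GOOS` from the recorded build settings, and return `None` when that layout is absent so a symbol-name fallback can take over. The sample blob, its version string and its 16-byte sentinel values are constructed here.

```python
# Header layout (Go's debug/buildinfo): 14-byte magic, pointer size, flags, padding
# to 32 bytes; when flags bit 1 is set (Go 1.18+) two uvarint-length-prefixed
# strings follow: the Go version and the raw module info with its build settings.
BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_SIZE = 32
FLAG_INLINE_STRINGS = 0x2

def _read_uvarint(buf, off):
    """Decode an unsigned LEB128 varint; return (value, next_offset)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, off
        shift += 7

def _read_prefixed(buf, off):
    length, off = _read_uvarint(buf, off)
    return buf[off:off + length], off + length

def parse_go_buildinfo(data):
    """Return (go_version, {setting: value}), or None without inline buildinfo."""
    idx = data.find(BUILDINFO_MAGIC)
    if idx < 0 or not data[idx + 15] & FLAG_INLINE_STRINGS:
        return None  # absent, or the older pointer layout needing section lookups
    version, off = _read_prefixed(data, idx + HEADER_SIZE)
    modinfo, _ = _read_prefixed(data, off)
    if len(modinfo) >= 33 and modinfo[-17:-16] == b"\n":
        modinfo = modinfo[16:-16]  # strip the linker's 16-byte framing sentinels
    settings = {}
    for line in modinfo.decode("utf-8", "replace").splitlines():
        if line.startswith("build\t") and "=" in line:
            key, value = line[6:].split("=", 1)
            settings[key] = value
    return version.decode("utf-8", "replace"), settings

def detect_goos(data):
    """GOOS from the build settings, or None so the caller can fall back to symbols."""
    parsed = parse_go_buildinfo(data)
    return parsed[1].get("GOOS") if parsed else None

# Constructed sample standing in for a .go.buildinfo section. Sentinel bytes are
# placeholders (the parser relies only on their length); lengths are < 128, so a
# single byte is a valid uvarint prefix.
_MODINFO = b"S" * 16 + b"path\tcmd/example\nbuild\tGOOS=linux\nbuild\tGOARCH=amd64\n" + b"E" * 16
_VERSION = b"go1.21.0"
CONSTRUCTED_BLOB = (BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + b"\x00" * 16
                    + bytes([len(_VERSION)]) + _VERSION + bytes([len(_MODINFO)]) + _MODINFO)
```

Running `detect_goos` over the raw bytes of a stripped binary still works because the magic is found by scanning, but garbled or obfuscated builds may omit the settings entirely, which is exactly the case where the `None` fallback matters.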

mr-tz commented 5 months ago

Tests are TODO / in progress? Getting the following when trying to resolve conflicts:

Failed to merge submodule tests/data (commits don't follow merge-base)
CONFLICT (submodule): Merge conflict in tests/data
Recursive merging with submodules currently only supports trivial cases.
Please manually handle the merging of each conflicted submodule.
This can be accomplished with the following steps:
 - go to submodule (tests/data), and either merge commit 9f7f3c5
   or update to an existing commit which has merged those changes
 - come back to superproject and run:

      git add tests/data

   to record the above merge or update
 - resolve any other conflicts in the superproject
 - commit the resulting index in the superproject

Before continuing, I wanted to confirm what the status here was/is.

williballenthin commented 5 months ago

Yeah, I owe tests here. I believe the implementation is solid but without tests I can't prove it.

At a comfortable effort level, I could have this done in maybe two weeks. If there's a pending deadline, let me know and I can squeeze it in sooner.

mr-tz commented 5 months ago

This is not urgent at all! I just thought I may be able to lend a hand.

williballenthin commented 2 months ago

This is ready to go, but I had pulled in #2146 (instead of master), so we should merge that PR before this one.

mr-tz commented 2 months ago

one issue with black: https://github.com/mandiant/capa/actions/runs/9496141307/job/26169887389?pr=1987#step:7:32