recvfrom opened this issue 6 years ago (status: open)
I guess the problem is because of endianness: when I search for gopclntab I try to locate "fb ff ff ff ...", when in MIPS64 this should actually be "ff ff ff fb". I'll fix it tomorrow, I hope.
Seems to be working now on my hello-world sample binary. Will make some tests on more binaries later.
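As an added illustration of the endianness point in the comment above (this is not code from the repository), a Python search for the Go 1.2-style pclntab header that tries both byte orders and validates the pad, instruction-quantum and pointer-size bytes that follow the magic; the three sample blobs are constructed, not taken from the binary discussed here.

```python
import struct

# Go 1.2 pclntab header magic: "fb ff ff ff" little-endian, "ff ff ff fb" big-endian
PCLNTAB_MAGIC_12 = 0xFFFFFFFB


def find_gopclntab(data: bytes):
    """Return (offset, byteorder, ptrsize) of the first plausible pclntab header, or None.

    Header layout (runtime/symtab.go pcHeader): magic u32, two zero pad bytes,
    minLC u8 (instruction quantum: 1 on x86, 4 on ARM/MIPS), ptrSize u8 (4 or 8).
    Both byte orders are tried so big-endian targets such as MIPS64 are found.
    """
    for byteorder in ("<", ">"):
        magic = struct.pack(byteorder + "I", PCLNTAB_MAGIC_12)
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            hdr = data[off:off + 8]
            if len(hdr) == 8:
                pad1, pad2, min_lc, ptrsize = hdr[4], hdr[5], hdr[6], hdr[7]
                # Reject random occurrences of the magic bytes that lack a sane header
                if pad1 == 0 and pad2 == 0 and min_lc in (1, 2, 4) and ptrsize in (4, 8):
                    return off, byteorder, ptrsize
            start = off + 1
    return None


# Constructed samples: a big-endian MIPS64-style header at offset 16, a little-endian
# amd64-style header at offset 8, and a decoy whose pad bytes are non-zero.
SAMPLE_MIPS64_BE = b"\x00" * 16 + b"\xff\xff\xff\xfb\x00\x00\x04\x08" + b"\x00" * 8
SAMPLE_AMD64_LE = b"\x90" * 8 + b"\xfb\xff\xff\xff\x00\x00\x01\x08" + b"\x00" * 8
DECOY = b"\xfb\xff\xff\xff\x12\x34\x01\x08"

if __name__ == "__main__":
    for name, blob in (("mips64be", SAMPLE_MIPS64_BE), ("amd64", SAMPLE_AMD64_LE), ("decoy", DECOY)):
        print(name, find_gopclntab(blob))
```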
Here's the binary I was analyzing (if you create an account you should be able to download the sample):
https://detux.org/report.php?sha256=9d6809571bec7429098bcb7ca0b12f8cb094d9079c6765b10a9c90b881ee9d37
BTW, your scripts were a big help in analyzing this malware! Thank you! https://blog.talosintelligence.com/2018/03/goscanssh-analysis.html
Yes, now the script is able to reconstruct function names in that binary, but it fails to find moduledata because IDA analysis doesn't find the xref to gopclntab, so structure recreation won't work until I manually find the moduledata location (0x43bf00) and make the ptr by hand. I will add some additional logic for searching for that ptr.
That's cool! Initially I started to create these scripts while doing analysis of Linux golang malware like Linux.rex or Linux.lady. Glad to see that it now helps not only me ;)
The script has some issues when run against MIPS64 Go binaries:
Trying to determine the Go version from module data:
Trying to rename functions: