AlphaGolang

by Juan Andres Guerrero-Saade (JAG-S @ SentinelLabs)

<img src="docs/logo/gopher_plays_go.png" width="600" height="400" />

Description:

AlphaGolang is a collection of IDAPython scripts to help malware reverse engineers master Go binaries. The idea is to break the scripts into concrete steps, thus avoiding brittle monolithic scripts, and mimicking the methodology an analyst might follow when tackling a Go binary.

Scripts are released under the GPL license (honoring Tim Strazzere's original GolangLoaderAssist, which we refactored and updated for Python 3; props to Tim :) ). Contributions are welcome and encouraged!

Requirements: IDA Pro (ideally v7.6+) and Python 3 (ew). The first two steps (recreate_pclntab and function_discovery_and_renaming) will work on IDA v7.5 and earlier, but the scripts beyond that require IDA v7.6+. Newer versions are the ideal target for new scripts going forward.

Original Reference: Mandiant Cyber Defense Summit 2021 talk (Video Pending)

AlphaGolang Analysis Methodology

Pending fixes and room for contributions:

Next steps:

Credit to: