Update identify.py
identify Go samples with stomped PCLNTAB magic bytes
sara-rn authored Sep 21, 2023
1 parent 152316f commit 1591674
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions floss/language/identify.py
Expand Up @@ -87,6 +87,17 @@ def is_go_bin(pe: pefile.PE) -> bool:
b"\xf1\xff\xff\xff\x00\x00",
]

go_functions = [
b"runtime.main",
b"main.main",
b"runtime.gcWork",
b"runtime.morestack",
b"runtime.morestack_noctxt",
b"runtime.newproc",
b"runtime.gcWriteBarrier",
b"runtime.Gosched",
]

# look for the .rdata section first
for section in pe.sections:
try:
Expand All @@ -104,6 +115,8 @@ def is_go_bin(pe: pefile.PE) -> bool:
logger.info("Go binary found with version %s", get_go_version(magic))
return True



# if not found, search in all the available sections

for magic in go_magic:
Expand All @@ -117,6 +130,19 @@ def is_go_bin(pe: pefile.PE) -> bool:
# just for testing
logger.info("Go binary found with version %s", get_go_version(magic))
return True

# if not found, the magic bytes are patched, search for common Go functions present in all Go samples incl. obfuscated
for go_function in go_functions:
for section in pe.sections:
section_va = section.VirtualAddress
section_size = section.SizeOfRawData
section_data = section.get_data(section_va, section_size)
if go_function in section_data:
logger.debug("Go binary found, function name %s", go_function)
return True



return False


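Review bot: The fallback at the end of the third hunk treats a single raw-substring hit of any one of the eight names, in any section, as proof of a Go binary, so a PE that merely embeds the text `main.main` or `runtime.main` (a non-Go sample that mentions Go, or one padded with those strings to steer the analyzer) is classified as Go, and because this path only runs when the PCLNTAB magic is absent, every non-Go sample now pays for reading every section eight times. Reading each section once and requiring at least two distinct names before returning True keeps the detection for stomped-magic samples while raising the bar for an accidental or deliberate false positive, as sketched below. The comment's claim that these names are present in obfuscated samples is worth confirming against garble-built binaries, which rewrite symbol names; if they are not, the comment should say so rather than promise coverage. The two runs of consecutive blank lines added in the second and third hunks would also be flagged by ruff (E303).
```python
    # if not found, the magic bytes are patched, search for common Go functions present in all Go samples incl. obfuscated
    matched = set()
    for section in pe.sections:
        section_data = section.get_data(section.VirtualAddress, section.SizeOfRawData)
        matched.update(name for name in go_functions if name in section_data)
        # a single name is weak evidence (any PE can embed the text "main.main"); demand two distinct names
        if len(matched) >= 2:
            logger.debug("Go binary found, function names %s", sorted(matched))
            return True
    # … unchanged: return False …
```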
