Reverse engineering Golang was long considered a nightmare. Over time our understanding of Go has evolved, and it turns out that with the right tooling Go may be one of the easiest languages to reverse engineer. We released AlphaGolang as a way to tackle reversing Go binaries, recovering as much information as possible and surfacing user-generated code. Where do we go from here? How about using the understanding we can glean from Go malware to automate hunting and clustering?
We released a project called AlphaGolang – a series of IDAPython scripts to automatically reconstruct IDBs and recover as much information as possible from Go malware. This talk will first showcase what AlphaGolang can do for reverse engineers, then we'll take it a step further by introducing new forms of hunting based on the information that AlphaGolang programmatically derives. That includes automated generation of code similarity rules that avoid Go's abundance of boilerplate code, auto-generating YARA rules with no false positives (based on relinking strings to user-generated functions), and profiling development environments to find malware created by the same developer (with their chosen development environment).
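Two of the hunting primitives named above, separating user-generated code from Go's boilerplate and profiling the development environment, rest on the same Go-specific fact: every unstripped Go binary carries a pclntab that maps each function to its fully qualified symbol name and to the path of its source file. The program below is an added example, not AlphaGolang's code (which is IDAPython) and not taken from the talk; it uses the standard library's debug/gosym and analyses the binary it is itself running in, so it works offline. The names pkgOf, classify, profileBuildEnv and BuildEnv, the bucketing heuristics (for example "a first path element containing a dot means a downloaded dependency") and the sample paths are my own constructions, not the project's.

```go
// Added example, not AlphaGolang's or the talk's code: separate a Go binary's user code
// from runtime/stdlib/third-party boilerplate and profile the developer's build environment
// from pclntab metadata. Analyses its own executable, so it runs offline; all names are mine.
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"log"
	"os"
	"path"
	"strings"
)

// Origin buckets returned by classify: Go runtime/internal code, standard library,
// downloaded dependency, or the sample's own code (main.* and its module).
const Runtime, Stdlib, Third, User = "runtime", "stdlib", "third-party", "user"

// pkgOf returns the package path of e.g. "net/http.(*Server).Serve": the text up to the
// first '.' after the last '/'. Dot-less names (assembly entry points) come back whole.
func pkgOf(sym string) string {
	slash := strings.LastIndex(sym, "/")
	if dot := strings.Index(sym[slash+1:], "."); dot >= 0 {
		return sym[:slash+1+dot]
	}
	return sym
}

// classify buckets a symbol. modulePath is the sample's module path if known ("" otherwise;
// a module named like a domain then looks third-party). Stdlib import paths have no '.' in
// their first element ("crypto/aes"); downloaded dependencies do ("github.com/...").
func classify(sym, modulePath string) string {
	pkg := pkgOf(sym)
	switch {
	case pkg == "main", modulePath != "" && (pkg == modulePath || strings.HasPrefix(pkg, modulePath+"/")):
		return User
	case pkg == sym, pkg == "runtime", strings.HasPrefix(pkg, "runtime/"), strings.HasPrefix(pkg, "internal/"),
		strings.HasPrefix(pkg, "type:"), pkg == "type": // compiler-generated type:.eq.* (type..eq.* before Go 1.20)
		return Runtime
	}
	if first, _, _ := strings.Cut(pkg, "/"); strings.Contains(first, ".") {
		return Third
	}
	return Stdlib
}

// BuildEnv is what the absolute source paths reveal about the developer's machine: GOROOT is
// the parent of src/runtime, GOPATH the parent of pkg/mod, and the project directory the first
// absolute path under neither. Every field stays empty for a -trimpath build.
type BuildEnv struct{ GoRoot, GoPath, ProjectDir string }

func profileBuildEnv(files []string) BuildEnv {
	var env BuildEnv
	for _, f := range files {
		if i := strings.Index(f, "/src/runtime/"); i >= 0 && env.GoRoot == "" {
			env.GoRoot = f[:i]
		}
		if i := strings.Index(f, "/pkg/mod/"); i >= 0 && env.GoPath == "" {
			env.GoPath = f[:i]
		}
	}
	for _, f := range files {
		abs := path.IsAbs(f) || (len(f) > 1 && f[1] == ':') // Go records "/..." or "C:/..." (forward slashes even on Windows)
		if abs && !(env.GoRoot != "" && strings.HasPrefix(f, env.GoRoot+"/")) &&
			!(env.GoPath != "" && strings.HasPrefix(f, env.GoPath+"/")) {
			env.ProjectDir = path.Dir(f)
			break
		}
	}
	return env
}

// main reads its own ELF image (Mach-O/PE samples work alike via debug/macho and debug/pe).
// Since Go 1.3 the symtab is empty, so every function and file name comes from pclntab.
func main() {
	exe, _ := os.Executable()
	f, err := elf.Open(exe)
	if err != nil {
		log.Fatal(err)
	}
	sec, text := f.Section(".gopclntab"), f.Section(".text")
	if sec == nil || text == nil {
		log.Fatal("no .gopclntab section: packed, or not a Go binary")
	}
	data, _ := sec.Data()
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		log.Fatal(err)
	}
	counts, files := map[string]int{}, []string{}
	for _, fn := range tab.Funcs {
		kind := classify(fn.Name, "")
		counts[kind]++
		file, _, _ := tab.PCToLine(fn.Entry)
		files = append(files, file)
		if kind == User { // the functions a YARA or code-similarity rule should key on
			fmt.Printf("user code: %-40s %s\n", fn.Name, file)
		}
	}
	fmt.Printf("functions by origin: %v\nbuild environment: %+v\n", counts, profileBuildEnv(files))
}
```

Running this against itself prints only the handful of `main.*` functions out of the thousands in the binary, which is the point of the boilerplate filter: signatures built from the runtime and standard library match every Go program, signatures built from the user bucket match this developer's code. The Go runtime needs pclntab for stack unwinding and garbage collection, so `-ldflags "-s -w"` does not remove it; packed samples may lose the section header, in which case the table has to be located through moduledata rather than by section name. `-trimpath` does drop the absolute paths, so an empty BuildEnv is itself a build-environment signal.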
While people may think that reversing Go sucks, in reality it may be one of the most rewarding languages to reverse engineer and we are going to showcase its unique advantages.