mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.5 KiB
2.5 KiB
API Reference: Go Malware Analysis with Ghidra
Ghidra Go Analysis Setup
GoResolver Script (Volexity)
# Install GoResolver for stripped Go binary function recovery
git clone https://github.com/volexity/GoResolver
# Run against Ghidra project
analyzeHeadless /ghidra_projects MyProject -process go_malware.exe \
-postScript GoResolver.java
Ghidra Built-in Go Support (10.3+)
File > Import > Select Go binary
Analysis > Auto Analyze (includes GolangAnalyzer)
Window > Function Tags > Filter "go."
Go Binary Characteristics
Build Info Magic
Offset in .go.buildinfo section: "\xff Go buildinf:"
gopclntab Magic Bytes
| Go Version | Magic |
|---|---|
| 1.2-1.15 | FB FF FF FF 00 00 |
| 1.16-1.17 | FA FF FF FF 00 00 |
| 1.18-1.19 | F0 FF FF FF 00 00 |
| 1.20+ | F1 FF FF FF 00 00 |
String Format
Go strings are length-prefixed (not null-terminated):
struct GoString {
char *ptr; // pointer to string data
int64 length; // string length
};
Go-Specific Ghidra Scripts
GoReSym (Mandiant)
GoReSym -t -d -p /path/to/binary
# -t: Recover type information
# -d: Dump function metadata
# -p: Print package listing
redress (Go Reverse Engineering)
redress -src binary.exe # Reconstruct source tree
redress -pkg binary.exe # List packages
redress -type binary.exe # Type information
redress -string binary.exe # Go string extraction
redress -interface binary.exe # Interface types
Go Obfuscation Tools
| Tool | Technique | Detection |
|---|---|---|
| garble | Function name hashing, literal obfuscation | Hash-like symbols, missing debug info |
| gobfuscate | Package/function renaming | Random 8-char names |
| go-strip | Symbol table removal | Missing gopclntab entries |
Common Go Malware Families
| Family | Type | Notable Packages |
|---|---|---|
| Sliver | C2 implant | protobuf, grpc, mtls |
| Merlin | C2 agent | http2, jose, websocket |
| Sunlogin/Cobalt | RAT | screenshot, clipboard, keylog |
| BianLian | Ransomware | crypto/aes, filepath.Walk |
| Royal | Ransomware | goroutine-based parallel encryption |
Key Ghidra Analysis Steps
1. Search > For Strings > "go1." (version identification)
2. Search > For Bytes > FB FF FF FF (gopclntab)
3. Symbol Table > Filter "main." (entry points)
4. Navigation > Go To "runtime.main" (program start)
5. Decompiler > Check goroutine spawns (runtime.newproc)
6. Data Types > Apply GoString struct to string references