mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
91 lines
2.5 KiB
Markdown
91 lines
2.5 KiB
Markdown
# API Reference: Go Malware Analysis with Ghidra
|
|
|
|
## Ghidra Go Analysis Setup
|
|
|
|
### GoResolver Script (Volexity)
|
|
```bash
|
|
# Install GoResolver for stripped Go binary function recovery
|
|
git clone https://github.com/volexity/GoResolver
|
|
# Run against Ghidra project
|
|
analyzeHeadless /ghidra_projects MyProject -process go_malware.exe \
|
|
-postScript GoResolver.java
|
|
```
|
|
|
|
### Ghidra Built-in Go Support (10.3+)
|
|
```
|
|
File > Import > Select Go binary
|
|
Analysis > Auto Analyze (includes GolangAnalyzer)
|
|
Window > Function Tags > Filter "go."
|
|
```
|
|
|
|
## Go Binary Characteristics
|
|
|
|
### Build Info Magic
|
|
```
|
|
Offset in .go.buildinfo section: "\xff Go buildinf:"
|
|
```
|
|
|
|
### gopclntab Magic Bytes
|
|
| Go Version | Magic |
|
|
|------------|-------|
|
|
| 1.2-1.15 | `FB FF FF FF 00 00` |
|
|
| 1.16-1.17 | `FA FF FF FF 00 00` |
|
|
| 1.18-1.19 | `F0 FF FF FF 00 00` |
|
|
| 1.20+ | `F1 FF FF FF 00 00` |
|
|
|
|
### String Format
|
|
Go strings are length-prefixed (not null-terminated):
|
|
```
|
|
struct GoString {
|
|
char *ptr; // pointer to string data
|
|
int64 length; // string length
|
|
};
|
|
```
|
|
|
|
## Go-Specific Ghidra Scripts
|
|
|
|
### GoReSym (Mandiant)
|
|
```bash
|
|
GoReSym -t -d -p /path/to/binary
|
|
# -t: Recover type information
|
|
# -d: Dump function metadata
|
|
# -p: Print package listing
|
|
```
|
|
|
|
### redress (Go Reverse Engineering)
|
|
```bash
|
|
redress -src binary.exe # Reconstruct source tree
|
|
redress -pkg binary.exe # List packages
|
|
redress -type binary.exe # Type information
|
|
redress -string binary.exe # Go string extraction
|
|
redress -interface binary.exe # Interface types
|
|
```
|
|
|
|
## Go Obfuscation Tools
|
|
|
|
| Tool | Technique | Detection |
|
|
|------|-----------|-----------|
|
|
| garble | Function name hashing, literal obfuscation | Hash-like symbols, missing debug info |
|
|
| gobfuscate | Package/function renaming | Random 8-char names |
|
|
| go-strip | Symbol table removal | Missing gopclntab entries |
|
|
|
|
## Common Go Malware Families
|
|
|
|
| Family | Type | Notable Packages |
|
|
|--------|------|-----------------|
|
|
| Sliver | C2 implant | protobuf, grpc, mtls |
|
|
| Merlin | C2 agent | http2, jose, websocket |
|
|
| Sunlogin/Cobalt | RAT | screenshot, clipboard, keylog |
|
|
| BianLian | Ransomware | crypto/aes, filepath.Walk |
|
|
| Royal | Ransomware | goroutine-based parallel encryption |
|
|
|
|
## Key Ghidra Analysis Steps
|
|
```
|
|
1. Search > For Strings > "go1." (version identification)
|
|
2. Search > For Bytes > FB FF FF FF (gopclntab)
|
|
3. Symbol Table > Filter "main." (entry points)
|
|
4. Navigation > Go To "runtime.main" (program start)
|
|
5. Decompiler > Check goroutine spawns (runtime.newproc)
|
|
6. Data Types > Apply GoString struct to string references
|
|
```
|