Feature request: standard library definitions for Go
There has been some excellent progress on handling Go binaries in the latest releases of Ghidra. However, as of now, Ghidra is left to deduce the types of function arguments. A good chunk of them come from the standard library and are therefore known ahead of time. A good chunk of internal functions are also directly exposed in decompiled code when exported functions are small one- or two-line wrappers for unexported functions.
I made a small plugin for Ghidra before these updates composed of these parts:
- the actual plugin (written in Python) that somewhat fixes up the calling conventions of functions (unneeded now) based on function name and fills in the type parameters on functions (and creates type definitions as needed)
- a Go binary that parses the Go source code and generates the above-mentioned JSON file with type info (e.g. function signatures/struct definitions) from the official Go source code, for each of the Go "first-class" target architectures, with deduplication between them
- helper scripts to run the binary on all tagged Go versions starting with 1.14 and dedupe output

There is also some deduplication between the JSON files corresponding to the different Go versions, and some logic in the plugin to reconstruct the data corresponding to some version foo from these deltas.
The work I did could be considered "proof-of-concept" level, though it does end up with a <1MB .zip file (<10MB unzipped) with the type definitions and function signatures for everything in the Go standard library from go1.14 up to go1.22.0.
If function/type definitions based on this work were to be introduced in Ghidra, in a similar way to generic_clib for C, then it would make unobfuscated Go binaries simpler to analyze with Ghidra.
An alternative implementation of this idea is fully welcome, though I think this general idea is workable and there is a proof of concept already.
Link to my PoC repository. It also generates the .zip files with GitHub Actions, as can be seen here.
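The core of the signature-generating step described in the request (walk the Go source tree, emit a JSON record per function) can be shown in a few dozen lines with the standard `go/parser` and `go/ast` packages. The block below is an added illustration, not code from the PoC repository or from Ghidra's own tooling. The embedded `bytes` snippet is a constructed sample standing in for a real standard-library file, the import path is assumed to be passed in by the caller (a full tool would derive it from the tree layout), and the `symbol` naming follows the `pkg.(*T).Method` form seen in Go binaries; per-architecture and per-version deduplication from the request is out of scope here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample standing in for one file of the real standard-library source tree.
const sampleSrc = `package bytes

type Buffer struct {
	buf []byte
	off int
}

func NewBuffer(buf []byte) *Buffer { return &Buffer{buf: buf} }
func (b *Buffer) Write(p []byte) (n int, err error) { return 0, nil }
func (b *Buffer) grow(n int) int { return 0 }
func IndexByte(b []byte, c byte) int
func Join(s ...[]byte) []byte { return nil }
`

// FuncSig is one record of the generated JSON signature file.
type FuncSig struct {
	Symbol   string   `json:"symbol"`   // linker-style name, e.g. bytes.(*Buffer).Write
	Params   []string `json:"params"`   // parameter types in ABI order, "a, b int" expanded
	Results  []string `json:"results"`  // result types in order
	Exported bool     `json:"exported"` // unexported helpers still surface in decompiled wrappers
}

// Extract parses one Go source file and returns a signature record for every
// top-level function and method, including body-less (assembly-backed) ones.
func Extract(importPath, src string) ([]FuncSig, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	sigs := []FuncSig{}
	for _, decl := range file.Decls {
		fd, ok := decl.(*ast.FuncDecl)
		if !ok {
			continue // imports, consts, vars and type specs are skipped here
		}
		sigs = append(sigs, FuncSig{
			Symbol:   symbolName(importPath, fd),
			Params:   fieldTypes(fd.Type.Params),
			Results:  fieldTypes(fd.Type.Results),
			Exported: fd.Name.IsExported(),
		})
	}
	return sigs, nil
}

// fieldTypes renders each parameter/result type with types.ExprString, which
// keeps pointer, slice and variadic ("...T") syntax; a nil list yields [].
func fieldTypes(fl *ast.FieldList) []string {
	out := []string{}
	if fl == nil {
		return out
	}
	for _, f := range fl.List {
		n := len(f.Names)
		if n == 0 {
			n = 1 // unnamed parameter or result
		}
		for i := 0; i < n; i++ {
			out = append(out, types.ExprString(f.Type))
		}
	}
	return out
}

// symbolName builds pkg.Func, pkg.T.Method or pkg.(*T).Method. Generic
// receivers (T[K]) are rendered as written; a real tool would normalise them.
func symbolName(importPath string, fd *ast.FuncDecl) string {
	if fd.Recv == nil || len(fd.Recv.List) == 0 {
		return importPath + "." + fd.Name.Name
	}
	recv := fd.Recv.List[0].Type
	if star, ok := recv.(*ast.StarExpr); ok {
		return importPath + ".(*" + types.ExprString(star.X) + ")." + fd.Name.Name
	}
	return importPath + "." + types.ExprString(recv) + "." + fd.Name.Name
}

func main() {
	sigs, err := Extract("bytes", sampleSrc)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(sigs, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints five records; note that `grow` is captured with `exported: false`, which is exactly the kind of internal helper the request points out still shows up in decompiler output once an exported wrapper is inlined or trivial. Types are emitted in source form (`*Buffer`, `[]byte`) rather than resolved, so a consumer on the Ghidra side would still need to map them onto data types it has defined.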
Interesting.
There has been some work toward a similar goal, which can be seen in https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/data/typeinfo/golang/runtimesnapshot.go.
At first glance your code seems to generate signatures without all the manual work that runtimesnapshot.go takes. That seems nice. I will take a closer look during the week.