#HITBCW2021 D1 - Reversing GO Binaries With Ghidra - Albert Zsigovits and Dorka Palotay

Golang is Google's open-source programming language, which in recent years has gained attention among developers. It is not used only for good purposes: in a growing trend, malicious code is increasingly written in Golang. Because Golang supports cross-compiling, it is a tempting option for IoT malware, and this has resulted in a proliferation of IoT malware written in Go. For this reason, we decided to dive deeper and develop our own toolset to become more effective at combating Go malware. When dissecting Go malware, reverse engineers face a hurdle: Go presents new challenges that make binary analysis more difficult. Go binaries are usually statically linked, so analysts have to do a lot of manual work to figure out which functions belong to the system library. To aid and automate this process, we have created custom scripts for Ghidra. When compiling a Go binary, debug information such as strings, variable and function names and method names a
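The kind of function-name recovery such scripts automate, shown as an added stand-alone example that is not the speakers' Ghidra tooling: it parses the Go 1.16/1.17 pclntab layout (magic 0xFFFFFFFA, runtime.pcHeader, functab and runtime._func) to map entry addresses to symbol names, and it assumes a constructed little-endian table built by build_pclntab() in place of a real binary's .gopclntab section.

```python
import struct

MAGIC_GO116 = 0xFFFFFFFA  # pcHeader.magic used by Go 1.16/1.17 binaries

def build_pclntab(funcs, ptr_size=8):
    """Constructed sample: minimal Go 1.16 pclntab for funcs = [(entry, name), ...]."""
    ptr = "Q" if ptr_size == 8 else "I"
    hdr_len = 8 + 7 * ptr_size                      # magic/pad/minLC/ptrSize + 7 ptr fields
    names, name_off = b"", []                       # funcnametab: NUL-terminated names
    for _, name in funcs:
        name_off.append(len(names))
        names += name.encode() + b"\x00"
    funcname_offset = hdr_len
    pcln_offset = funcname_offset + len(names)       # functab follows the name table
    ftab_len = (len(funcs) + 1) * 2 * ptr_size       # nfunc entries plus end-of-text sentinel
    fn = struct.Struct("<" + ptr + "iiIIIIIIBxxB")   # runtime._func (entry, nameoff, ...)
    ftab, fbodies = b"", b""
    for i, (entry, _) in enumerate(funcs):
        funcoff = pcln_offset + ftab_len + i * fn.size   # offset relative to pclntab start
        ftab += struct.pack("<" + ptr * 2, entry, funcoff)
        fbodies += fn.pack(entry, name_off[i], 0, 0, 0, 0, 0, 0, 0, 0, 0)
    ftab += struct.pack("<" + ptr * 2, funcs[-1][0] + 0x100, 0)   # sentinel entry
    header = struct.pack("<IBBBB" + ptr * 7, MAGIC_GO116, 0, 0, 1, ptr_size,
                         len(funcs), 0, funcname_offset, 0, 0, 0, pcln_offset)
    return header + names + ftab + fbodies

def parse_pclntab(blob):
    """Recover (entry, name) pairs from a little-endian Go 1.16/1.17 pclntab."""
    magic, _, _, _, ptr_size = struct.unpack_from("<IBBBB", blob, 0)
    if magic != MAGIC_GO116 or ptr_size not in (4, 8):
        raise ValueError("unsupported pclntab header (magic 0x%08x, ptrSize %d)" % (magic, ptr_size))
    ptr = "Q" if ptr_size == 8 else "I"
    hdr = struct.unpack_from("<" + ptr * 7, blob, 8)
    nfunc, funcname_off, pcln_off = hdr[0], hdr[2], hdr[6]
    if nfunc > len(blob) // (2 * ptr_size):          # reject a corrupted or hostile header
        raise ValueError("nfunc %d implausible for %d-byte table" % (nfunc, len(blob)))
    result = []
    for i in range(nfunc):
        entry, funcoff = struct.unpack_from("<" + ptr * 2, blob, pcln_off + i * 2 * ptr_size)
        f_entry, nameoff = struct.unpack_from("<" + ptr + "i", blob, funcoff)
        if f_entry != entry:                         # functab and _func must agree
            raise ValueError("functab/_func entry mismatch at index %d" % i)
        start = funcname_off + nameoff
        result.append((entry, blob[start:blob.index(b"\x00", start)].decode("utf-8", "replace")))
    return result

SAMPLE_FUNCS = [(0x401000, "runtime.main"), (0x4010a0, "main.main"),   # constructed sample
                (0x401200, "net/http.(*Client).Do")]
SAMPLE_PCLNTAB = build_pclntab(SAMPLE_FUNCS)
```

On a real binary the same parser is pointed at the bytes of the .gopclntab section (or at the magic found by scanning), and the recovered names can then be applied to Ghidra's function listing.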