Golang plugin

Golang binaries are by default statically linked and full of metadata therefore a lot can be gained from annotating a Golang binary's contents using recovered metadata.

Detection

The golang plugin's analysis only happens by default if the input file is detected as a Golang file. There are multiple mechanisms in place to detect that:

 - if a Golang startup signature matches the entry point (PC-only)
 - if the Golang plugin detects a Golang-specific segment name
 - if the elf loader finds a "Go" note in the input file
 - on PE files: if certain Golang symbol names or a Go build id signature is found

Analysis

The metadata parsed by the golang plugin falls under two main categories:

 - function information (e.g. name, package, range) retrieved from the pclntab
 - type information (e.g. name, package, layout, size) retrieved from the typelinks table

The package paths of functions and types are used to create folders. This analysis will occur upon `ev_newfile` (when a new file has been loaded) if Golang has been detected.

Actions

  `golang:detect_and_parse` (Edit>Other)

This action is useful to force a full search of the binary for Golang metadata. It will first attempt to parse a pclntab at the current address, if this is unsuccessful it will perform a full search of the binary for the pclntab's signature and parse it if found. In addition, it will also attempt to locate and parse the type information.

Calling Conventions

Golang has its own calling convention(s), denoted in IDA as `__golang`. In fact, Golang has two different calling conventions: a stack-based CC (abi0) and a newer register-based CC (abiinternal). The version of Golang and thus which calling convention to use will be automatically inferred from metadata structures; It is also controllable through the `force_regabi` command line option.

List of `-Ogolang` options

Command line options take precedence over config file options.

  force                         try to force the analysis
                                (no detection step needed)
  off                           disable the plugin
  no_rtypes                     do not import any types
  rname_len2                    force the reflect type name format to go1.17
                                and later (varint encoding: 1-10 bytes)
  rname_len1                    force the reflect type name format to before
                                go1.17 (2 bytes)
  import_lnnums                 recover file names & line numbers from pclntab
  no_func_end_from_pcval_tabs   do not derive a function's end from pclntab
                                metadata
  force_regabi[=on|=off]        override calling convention version
                                 `=off`: will force the stack-based CC
                                 `=on`/no value: will force
                                 the register-based CC

See cfg/golang.cfg for available configuration options.

Examples

forcing analysis and register-based calling convention

  -Ogolang:force:force_regabi

disabling the plugin

  -Ogolang:off

Last updated 9 months ago

Was this helpful?