GoResolver: New Tool for Analyzing Golang Malware & Extracting Obfuscated Functions

Cybersecurity is witnessing a significant shift as malware developers increasingly adopt the Go programming language (Golang) to create sophisticated and obfuscated malware.

To counter this trend, Volexity has introduced GoResolver, an innovative open-source tool designed to simplify the reverse engineering of obfuscated Golang binaries.

The Challenge of Analyzing Obfuscated Golang Malware

Golang’s popularity among malware developers stems from its embedded libraries and the large size of its compiled binaries, which make static analysis challenging.

The difficulty is further compounded when obfuscation tools like Garble are used.

Garble, an open-source Golang obfuscator, randomizes function and package names, stripping binaries of symbol tables and making reverse engineering tedious.

Despite its effectiveness, Garble’s obfuscation has exploitable weaknesses. For instance, due to Golang’s resolution mechanism, randomized names must remain consistent across all functions in a package.

This allows analysts to infer package names once a single function is identified. However, manual analysis remains labor-intensive, necessitating advanced tools like GoResolver.

Introducing GoResolver

GoResolver addresses these challenges by leveraging control-flow graph (CFG) similarity techniques to recover obfuscated function and package names.

Unlike existing tools, such as Mandiant’s GoReSym, which extracts symbols from Golang runtime structures, GoResolver goes further by comparing CFGs of obfuscated binaries with clean reference samples.

This approach enables the recovery of original symbol names with greater accuracy.

Key Features of GoResolver:

  1. Control-Flow Graph Similarity: By analyzing execution paths within binaries, GoResolver identifies similarities between obfuscated and clean samples, even across different compiler versions.
  2. Integration with SRE Tools: Plugins for IDA Pro and Ghidra allow seamless import of resolved symbols into their respective symbol databases.
  3. Efficiency in Version Detection: GoResolver fingerprints the Golang runtime embedded in malware samples to identify the compiler version used, even when direct version information is stripped by obfuscators like Garble.
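The two ideas above (matching an obfuscated function to a clean reference by control-flow shape, then exploiting Garble's consistent per-package naming to label sibling functions) as an added illustration; this is not GoResolver's code, and the CFGs, symbol names and the degree-profile similarity measure are constructed toy assumptions:

```python
from collections import Counter

def degree_profile(cfg):
    """Multiset of (in-degree, out-degree) per block; cfg maps block -> successors."""
    indeg = Counter(s for succs in cfg.values() for s in succs)
    return Counter((indeg[b], len(cfg[b])) for b in cfg)

def cfg_similarity(a, b):
    """Weighted Jaccard of degree profiles in [0, 1]; ignores block contents on purpose."""
    pa, pb = degree_profile(a), degree_profile(b)
    union = sum((pa | pb).values())
    return sum((pa & pb).values()) / union if union else 0.0

def match_functions(obfuscated, reference, threshold=0.8):
    """Map each obfuscated symbol to its best-scoring reference symbol."""
    resolved = {}
    for sym, cfg in obfuscated.items():
        scores = {r: cfg_similarity(cfg, rcfg) for r, rcfg in reference.items()}
        best = max(scores, key=scores.get)
        if scores[best] >= threshold:
            resolved[sym] = best
    return resolved

def propagate_packages(obfuscated, resolved):
    """One resolved function names the package of every sibling with the same Garble prefix."""
    pkg_map = {o.rpartition(".")[0]: r.rpartition(".")[0] for o, r in resolved.items()}
    out = {}
    for sym in obfuscated:
        pkg, _, fn = sym.rpartition(".")
        if sym in resolved:
            out[sym] = resolved[sym]
        elif pkg in pkg_map:
            out[sym] = f"{pkg_map[pkg]}.{fn}"  # package known, function still obfuscated
        else:
            out[sym] = sym
    return out

# Constructed toy CFGs (block id -> successor ids); all symbol names are hypothetical.
REFERENCE = {
    "net/http.Get": {0: [1, 2], 1: [3], 2: [3], 3: [1, 4], 4: []},  # branch plus loop
    "crypto/aes.NewCipher": {0: [1], 1: [2], 2: []},               # straight line
}
OBFUSCATED = {
    "k7Qz1.aB3": {10: [11, 12], 11: [13], 12: [13], 13: [11, 14], 14: []},  # shape of Get
    "k7Qz1.cD9": {10: [11], 11: [12], 12: [13], 13: [14], 14: [15], 15: []},  # no close match
    "mX4.eF": {20: [21], 21: [22], 22: []},                                   # shape of NewCipher
}

def resolve(obfuscated=OBFUSCATED, reference=REFERENCE):
    return propagate_packages(obfuscated, match_functions(obfuscated, reference))
```

Calling resolve() leaves k7Qz1.cD9 with an unknown function name but a recovered package, which is the partial resolution the article describes as still useful.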

Technical Implementation

The GoResolver toolchain comprises four components:

  • GoResolver: The core tool for symbol recovery using CFG similarity.
  • GoGrapher: Computes CFG similarity between binaries.
  • GoStrap: Generates clean Golang reference samples for comparison.
  • GitToolFetcher: Manages multiple versions of GitHub-hosted projects.

To install GoResolver, users need Go version 1.20.6+ and Python 3.12+. Installation is straightforward via pip install goresolver.

The tool also supports plugins for IDA Pro (version 9+) and Ghidra (version 11.3+), enhancing its usability for security researchers.

Case Study: Stowaway Agent Analysis

In a recent investigation, Volexity analyzed a malware sample built with Garble using GoResolver. Initially, disassembly in IDA Pro revealed generic function names like sub_OFFSET, typical of Garble-obfuscated binaries.

By submitting the sample to GoResolver (goresolver /path/to/sample.exe), the tool identified the Golang version and matched the binary against clean reference data.

The result was a detailed symbol report that resolved numerous obfuscated names into meaningful identifiers.

Even partially resolved symbols provided critical insights into the binary’s structure, enabling analysts to focus on the malware’s core logic rather than runtime or library functions.

Future Enhancements

Volexity plans to expand GoResolver’s capabilities with features like automatic string parsing and enhanced support for Golang binaries.

These updates will further streamline malware analysis workflows.

As malware authors continue to exploit Golang’s features for obfuscation, tools like GoResolver are essential for cybersecurity professionals.

By combining CFG similarity with traditional symbol extraction methods, GoResolver represents a major advancement in reversing obfuscated malware, empowering analysts to uncover hidden threats more efficiently.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.