Imphash-like calculation on Golang binaries

Overview

gimphash

gimphash is a proposed method to calculate an imphash equivalent for Go binaries. Its name stands for Go-import-hash.

Golang binaries contain their dependencies as part of the executable. These dependencies include both standard library packages and third-party dependencies and can be used, analogous to a classical imphash, to identify a Golang project.

The dependencies can be listed using the pclntab that is part of each Golang binary (also see this blog post by Mandiant). The pclntab contains a number of elements that are interesting for reverse engineering; for the gimphash we use the function names that are stored there.

Calculation

  1. Locate the pclntab within a Golang binary
  2. Enumerate Golang functions using the functab within the pclntab:
    1. Ignore functions whose names start with 'go.' or 'type.' (compiler artefacts, runtime internals)
    2. Ignore functions whose names start with 'internal/' or 'vendor/' ('vendoring' of the standard library)
    3. Find the last '/' in the function name. If no '/' is found, use the start of the name instead. Starting from that position, find the next '.'. Discard the '.' and everything after it. (e.g. golang.org/x/sys/windows.CloseHandle becomes golang.org/x/sys/windows, main.init becomes main)
    4. If the part before the first '/' contains a '.' and is NOT in the following list, ignore the function name (this ignores private repositories, which often hold the project's own source code rather than the 'imports' we want to hash here):
      • golang.org
      • github.com
      • gitlab.com
      • gopkg.in
      • google.golang.org
      • cloud.google.com
    5. Discard the package name if it was already encountered
  3. Calculate the SHA-256 hash over the concatenated names (no delimiter)
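The following Go program applies steps 2 i to 2 v and step 3 to a list of function names. It is an added example, not the proof-of-concept code from this repository: locating the pclntab and walking the functab (steps 1 and 2) are assumed to have been done already, so the input is a constructed slice of function names in the order they would appear in the functab. The function and variable names (packageName, Gimphash, SampleFuncs) are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hosts whose packages count as imports (the whitelist of step 2 iv).
var allowedHosts = map[string]bool{
	"golang.org":        true,
	"github.com":        true,
	"gitlab.com":        true,
	"gopkg.in":          true,
	"google.golang.org": true,
	"cloud.google.com":  true,
}

// packageName applies steps 2 i to 2 iv to a single function name.
// It returns the package path and true, or "" and false if the
// function must be ignored.
func packageName(fn string) (string, bool) {
	// Step 2 i: compiler artefacts and runtime internals.
	if strings.HasPrefix(fn, "go.") || strings.HasPrefix(fn, "type.") {
		return "", false
	}
	// Step 2 ii: vendored copies of the standard library.
	if strings.HasPrefix(fn, "internal/") || strings.HasPrefix(fn, "vendor/") {
		return "", false
	}
	// Step 2 iii: from the last '/' (or the start), cut at the next '.'.
	// This also strips method receivers such as "(*Client).Do".
	start := strings.LastIndex(fn, "/") + 1 // 0 when there is no '/'
	if dot := strings.Index(fn[start:], "."); dot >= 0 {
		fn = fn[:start+dot]
	}
	// Step 2 iv: the first path element is a host if it contains a '.';
	// hosts outside the whitelist (private repositories) are ignored.
	first := fn
	if i := strings.Index(fn, "/"); i >= 0 {
		first = fn[:i]
	}
	if strings.Contains(first, ".") && !allowedHosts[first] {
		return "", false
	}
	return fn, true
}

// Gimphash returns the deduplicated package names in functab order
// (step 2 v) and the hex SHA-256 over their concatenation (step 3).
func Gimphash(funcs []string) (packages []string, hash string) {
	seen := make(map[string]bool)
	h := sha256.New()
	for _, fn := range funcs {
		pkg, ok := packageName(fn)
		if !ok || seen[pkg] {
			continue
		}
		seen[pkg] = true
		packages = append(packages, pkg)
		h.Write([]byte(pkg)) // no delimiter between names
	}
	return packages, hex.EncodeToString(h.Sum(nil))
}

// SampleFuncs is a constructed list of function names in functab order;
// it is not taken from a real binary.
var SampleFuncs = []string{
	"go.buildid",                                      // 2 i: ignored
	"internal/cpu.Initialize",                         // 2 ii: ignored
	"runtime.morestack",                               // -> runtime
	"runtime.rt0_go",                                  // duplicate, dropped
	"type..eq.[2]string",                              // 2 i: ignored
	"github.com/foo/bar.(*Client).Do",                 // -> github.com/foo/bar
	"github.com/foo/bar.New",                          // duplicate, dropped
	"golang.org/x/sys/windows.CloseHandle",            // -> golang.org/x/sys/windows
	"example.com/private/tool.Run",                    // 2 iv: host not whitelisted
	"main.init",                                       // -> main
	"main.main",                                       // duplicate, dropped
	"vendor/golang.org/x/net/http2/hpack.HuffmanDecode", // 2 ii: ignored
}

func main() {
	pkgs, sum := Gimphash(SampleFuncs)
	for _, p := range pkgs {
		fmt.Println(p)
	}
	fmt.Println("gimphash:", sum)
}
```

Because names are hashed in functab order without sorting, two builds that import the same packages in a different order can yield different hashes; this is the trade-off discussed under "Alternative Specifications" below.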

Proof of Concept Implementations

This repository contains proof-of-concept code in the following languages:

  • C
  • Go

The release section contains prebuilt binaries for Windows and Linux.

Feedback

This specification and the related code are a draft. Please use the Discussions section for comments or feedback.

Alternative Specifications

Step 2 IV

As an alternative to step 2 iv, we could identify the file path of the main module and use it to exclude packages that are part of the built project. Feedback on whether this might be better than the current whitelist approach is appreciated.

Step 3

We could sort the package names before calculating the hash. However, since the Golang linker appears to generate the pclntab deterministically, sorting does not seem necessary for a stable hash. Also, since import order can affect the order in the pclntab, the hash is more specific when the names are left unsorted.

Comments
  • c: Add Makefile for self-contained builds if YARA, OpenSSL are available

    We need to add some PE-specific YARA 4.0 headers because they are not copied when using "make install".

    (ABI-wise, things have not changed substantially between YARA 4.0 and 4.2.1, as far as I can tell.)

    opened by hillu 0
  • Outfile option

    Thanks for all the work on this project -- it's great! Would it be considered to add an option for writing hashes/filenames to a file (natively as opposed to piping/etc) as opposed to stdout?

    opened by weslambert 0
  • JSON Output

    Thanks for all the work on this project -- it's great! Would it be considered to add a JSON output option for more easily parsing the output of stdout for a directory containing many files, etc?

    opened by weslambert 0
Releases (0.2.0)

Owner: Nextron Systems GmbH