
ELF: Detect OS from Go binaries #1987

Merged: 27 commits, Jun 13, 2024

Conversation

williballenthin (Collaborator) commented Feb 14, 2024

Use the strategies pioneered by GoReSym to detect the target OS for ELF binaries compiled by Go:

  • find the GOOS configuration, and
  • find embedded Go source filenames

closes #1978
FYI @C0d3R3ad3r
FYI @stevemk14ebr

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed
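The two strategies named in the description, GOOS from the Go build info and embedded Go source file names as the fallback, as an added example in Python that is not code from this pull request or from capa. It parses only little-endian ELF64 section headers, assumes the build settings are stored inline in the `.go.buildinfo` section so that a `GOOS=<value>` setting can be located by a byte search, and uses the `src/runtime/os_<goos>.go` file names of the Go standard library as OS hints; `build_test_elf` constructs a minimal ELF image as test input and is not a real binary.

```python
import re
import struct
from typing import Dict, Optional

# Assumed mapping from GOOS values to the OS names reported (darwin reported as macos).
GOOS_TO_OS = {"linux": "linux", "darwin": "macos", "windows": "windows",
              "freebsd": "freebsd", "openbsd": "openbsd", "netbsd": "netbsd"}

# Go runtime source files that exist for exactly one GOOS (src/runtime/os_<goos>.go).
GO_SOURCE_HINTS = {
    b"/runtime/os_linux.go": "linux",
    b"/runtime/os_darwin.go": "macos",
    b"/runtime/os_windows.go": "windows",
    b"/runtime/os_freebsd.go": "freebsd",
    b"/runtime/os_openbsd.go": "openbsd",
    b"/runtime/os_netbsd.go": "netbsd",
}

EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header (64 bytes)
SHDR = "<IIQQQQIIQQ"        # ELF64 section header (64 bytes)


def read_sections(data: bytes) -> Dict[bytes, bytes]:
    """Return {section name: section bytes} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    fields = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    hdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    stroff, strsize = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = data[stroff:stroff + strsize]
    sections = {}
    for name_off, sh_type, _flags, _addr, off, size, *_rest in hdrs:
        if sh_type == 0:  # SHT_NULL placeholder at index 0
            continue
        name = strtab[name_off:strtab.index(b"\x00", name_off)]
        sections[name] = data[off:off + size]
    return sections


def guess_go_os(data: bytes) -> Optional[str]:
    """Strategy 1: GOOS build setting in .go.buildinfo; strategy 2: Go source file names."""
    sections = read_sections(data)
    buildinfo = sections.get(b".go.buildinfo")
    if buildinfo is not None:
        # Assumption: build settings are inline in the section, so "GOOS=<value>" is searchable.
        m = re.search(rb"GOOS=([a-z0-9]+)", buildinfo)
        if m:
            goos = m.group(1).decode()
            return GOOS_TO_OS.get(goos, goos)
    # Fallback for binaries without usable buildinfo (e.g. older toolchains): source paths.
    for hint, os_name in GO_SOURCE_HINTS.items():
        if hint in data:
            return os_name
    return None


def build_test_elf(sections: Dict[bytes, bytes]) -> bytes:
    """Construct a minimal ELF64 image from {name: bytes} (constructed test data)."""
    names = list(sections) + [b".shstrtab"]
    shstrtab, name_offs = b"\x00", {}
    for n in names:
        name_offs[n] = len(shstrtab)
        shstrtab += n + b"\x00"
    contents = {**sections, b".shstrtab": shstrtab}
    body, offs = b"", {}
    for n in names:
        offs[n] = 64 + len(body)  # section data follows the 64-byte file header
        body += contents[n]
    shoff = 64 + len(body)
    shnum = len(names) + 1  # plus the SHT_NULL entry at index 0
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = struct.pack(SHDR, *([0] * 10))
    for n in names:
        sh_type = 3 if n == b".shstrtab" else 1  # SHT_STRTAB / SHT_PROGBITS
        shdrs += struct.pack(SHDR, name_offs[n], sh_type, 0, 0, offs[n], len(contents[n]), 0, 0, 1, 0)
    return ehdr + body + shdrs


if __name__ == "__main__":
    modern = build_test_elf({b".go.buildinfo": b"build\tGOOS=linux\n"})
    legacy = build_test_elf({b".rodata": b"/usr/local/go/src/runtime/os_darwin.go\x00"})
    print(guess_go_os(modern), guess_go_os(legacy))
```

The fallback is deliberately a whole-image search: obfuscators that strip or rename symbols usually leave runtime source paths in place less consistently than the build info, so an analyst should treat the second result as lower confidence than a GOOS match.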

@williballenthin williballenthin added the enhancement New feature or request label Feb 14, 2024
stevemk14ebr (Contributor) commented:

I would recommend testing on old go versions prior to 1.18 when buildinfo was added. I would also recommend testing with binaries emitted by garble and gobfuscate which can mess with symbol names. Otherwise LGTM with the above notes in mind

yelhamer (Collaborator) left a review:

LGTM!


@williballenthin williballenthin added this to the v7.1 milestone Jun 7, 2024
@williballenthin williballenthin self-assigned this Jun 7, 2024
@williballenthin williballenthin marked this pull request as draft June 7, 2024 07:21

@williballenthin williballenthin marked this pull request as ready for review June 13, 2024 08:18
mr-tz (Collaborator) left a review:

LGTM besides the black fail and the question on using PyGithub

@williballenthin williballenthin merged commit 8726de0 into master Jun 13, 2024
23 checks passed
@williballenthin williballenthin deleted the go-elf-os-detection branch June 13, 2024 11:23
ygasparis pushed a commit to ygasparis/capa that referenced this pull request Jun 18, 2024
* elf: read segment memory size

* elf: add routine to read mapped memory

* elf: better detect OS for binaries compiled by Go

* elf: guess OS from Go source filenames

* changelog

* elf: mypy

* merge

* elf: add OS detection based on vDSO strings

* elf: document VTGrep searches

* elf: describe further technique to identify Go binaries

* elf: search for `.go.buildinfo` section via @yelhamer

* black

* elf: detect Alpine Linux ident

* elf: log interest symtab entries

* tests: add test for OS detection by Go buildinfo

* loader: handle missing viv modules

* pre-commit: run deptry before tests (which are slow)

* loader: describe removing viv symbolic switch solver

* pyproject: add PyGithub for deptry

* black
Labels
enhancement New feature or request
Linked issue that may be closed by merging this pull request:
Capa v7.01 Not recognizing Linux x64 file
4 participants