Identify Go binaries with custom magics

[mr-tz]

Thank you for letting me know, I was not aware!

I took a look at the identification used for go just now, it may be nice to extend the Go detections to include binaries with custom magics. This can be the case for garble obfuscated Go binaries. Here https://github.com/mandiant/flare-floss/blob/master/floss/language/identify.py#L85

Using strings from the linked go runtime may be good to signature off of in addition, or perhaps signature scans on runtime code for each arch x version. A strings based approach may be sufficient though.

Originally posted by @stevemk14ebr in #830 (comment)

[stevemk14ebr]

I suspect a first pass improvement would be quite simple. A string based approach using strings we already signature on for capa is a great start: https://github.com/stevemk14ebr/capa-rules/blob/6822e748a97bb8b8cd91627fb7a46280193f3222/compiler/go/compiled-with-go.yml

Additional testing against garble obfuscator in particular is necessary. I would potentially suggest the following as well in case the prior is insufficient:

runtime.morestack
runtime.morestack_noctxt
runtime.newproc
runtime.deferproc
runtime.gcWriteBarrier
runtime.Gosched

These are core internal strings that are present in all binaries I've tested, obfuscated and non.

[stevemk14ebr]

PR by Sara #908!

[mr-tz]

closed via #908 - please reopen if there's other things we should add