
update identify.py #908

Merged
merged 15 commits into from
Nov 16, 2023

Conversation

sara-rn
Contributor

@sara-rn sara-rn commented Nov 14, 2023

identify Go samples with stomped PCLNTAB magic bytes
reused function get_rdata_section from language.rust

floss/language/utils.py (review thread, resolved)
b"runtime.newproc",
b"runtime.gcWriteBarrier",
b"runtime.Gosched",
]
# look for the .rdata section first
for section in pe.sections:
try:
Collaborator

please use get_rdata_section here as well

Contributor Author

done

floss/language/identify.py (review thread, resolved)
floss/language/identify.py (review thread, outdated, resolved)
floss/language/identify.py (review thread, outdated, resolved)
except ValueError:
logger.debug(".rdata section not found")

section_va = section.VirtualAddress
Collaborator

this now needs to be in an else clause so we don't end up here even if there's no .rdata section

@stevemk14ebr

The concept of how this should work seems solid to me. I like that .rdata is checked first, but that all sections are scanned after, this is important for obfuscated binaries with garbled section names.

If we ever discover actors begin to zero out the strings we search for, we can migrate to signature scanning assembly per architecture as I do in GoReSym https://github.com/mandiant/GoReSym/blob/master/objfile/scanner.go but I don't believe this is necessary at all for now. And I quite like the simpler string based scanning approach to start with.
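The two-stage scan described above, as an added example that is not code from the FLOSS PR or from GoReSym: look for the pclntab header magic, and when it has been stomped fall back to the runtime symbol strings, reading .rdata before every other section so renamed sections are still covered. The `Section` tuple shape, the magic constants and the `sections_from_pe` adapter are this example's own assumptions.

```python
# Added example, not FLOSS code: pclntab magic check with a runtime-string fallback.
from typing import Iterable, List, Optional, Tuple

# pclntab header magics (little-endian) for Go 1.2-1.15, 1.16-1.17, 1.18-1.19 and 1.20+;
# the header continues with two zero bytes, the instruction quantum and the pointer size.
PCLNTAB_MAGICS = (b"\xfb\xff\xff\xff", b"\xfa\xff\xff\xff", b"\xf0\xff\xff\xff", b"\xf1\xff\xff\xff")
# Runtime symbol names that survive even when the pclntab header has been stomped.
GO_RUNTIME_STRINGS = (b"runtime.newproc", b"runtime.gcWriteBarrier", b"runtime.Gosched")
# (raw name, raw data), the shape pefile exposes as section.Name / section.get_data()
Section = Tuple[bytes, bytes]


def has_pclntab_magic(data: bytes) -> bool:
    """True if a plausible pclntab header (magic + two zero bytes) occurs in data."""
    for magic in PCLNTAB_MAGICS:
        off = data.find(magic)
        while off != -1:
            if data[off + 4 : off + 6] == b"\x00\x00":
                return True
            off = data.find(magic, off + 1)
    return False


def find_go_runtime_strings(sections: Iterable[Section]) -> List[Tuple[str, bytes]]:
    """Scan .rdata first, then every other section, for Go runtime symbol names.
    Scanning all sections covers packed or obfuscated samples with renamed sections."""
    ordered = sorted(sections, key=lambda s: 0 if s[0].rstrip(b"\x00") == b".rdata" else 1)
    hits = []
    for name, data in ordered:
        for needle in GO_RUNTIME_STRINGS:
            if needle in data:
                hits.append((name.rstrip(b"\x00").decode("ascii", "replace"), needle))
    return hits


def identify_go(sections: Iterable[Section]) -> Optional[str]:
    """Return "go", "go (stomped pclntab)" or None."""
    sections = list(sections)
    if any(has_pclntab_magic(data) for _, data in sections):
        return "go"
    if find_go_runtime_strings(sections):
        return "go (stomped pclntab)"
    return None


def sections_from_pe(path: str) -> List[Section]:
    """Adapter for a real sample via pefile (optional dependency, assumed installed)."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    return [(section.Name, section.get_data()) for section in pe.sections]
```

`identify_go(sections_from_pe("sample.exe"))` runs the same logic over a real PE; the constructed section lists below show the intact, stomped and renamed-section cases.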

Collaborator

@mr-tz mr-tz left a comment

please apply the black code style formatting `black -l 120` on all files

can you please share a sample hash? I'd like to add a test as well (or feel free to do that yourself).

floss/language/rust/extract.py (review thread, resolved)
@mr-tz mr-tz merged commit 0f4e27e into mandiant:master Nov 16, 2023
19 checks passed
@mr-tz
Collaborator

mr-tz commented Nov 16, 2023

Thanks, @sara-rn!

3 participants