Golang binaries are statically linked by default and full of metadata, so a lot can be gained from annotating a Golang binary's contents using the recovered metadata.
Detection
The golang plugin's analysis only happens by default if the input file is detected as a Golang file. There are multiple mechanisms in place to detect that:
- if a Golang startup signature matches the entry point (PC-only)
- if the Golang plugin detects a Golang-specific segment name
- if the ELF loader finds a "Go" note in the input file
- on PE files: if certain Golang symbol names or a Go build id signature is found
Analysis
The metadata parsed by the golang plugin falls under two main categories:
- function information (e.g. name, package, range) retrieved from the pclntab
- type information (e.g. name, package, layout, size) retrieved from the typelinks table

The package paths of functions and types are used to create folders. This analysis will occur upon `ev_newfile` (when a new file has been loaded) if Golang has been detected.
Actions
`golang:detect_and_parse` (Edit>Other)

This action is useful to force a full search of the binary for Golang metadata. It will first attempt to parse a pclntab at the current address; if this is unsuccessful, it will perform a full search of the binary for the pclntab's signature and parse it if found. In addition, it will also attempt to locate and parse the type information.
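The build id signature mentioned under Detection and the pclntab signature search described above can be approximated outside IDA for triage. The following is an added example, not the plugin's own logic: the magic values, the header layout and the build ID marker are taken from the Go toolchain sources rather than from this page, and the function names and sample bytes are constructed for illustration.

```python
import struct

# pclntab header magics (uint32) from the Go runtime sources, with the
# toolchain range that emits each one. Assumption: not taken from this page.
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-go1.15",
    0xFFFFFFFA: "go1.16-go1.17",
    0xFFFFFFF0: "go1.18-go1.19",
    0xFFFFFFF1: "go1.20+",
}
BUILDID_MARKER = b'\xff Go build ID: "'


def find_pclntab_headers(data, little_endian=True):
    """Return [(offset, version_range, ptr_size)] for plausible pclntab headers."""
    hits = []
    fmt = "<I" if little_endian else ">I"
    for magic, versions in PCLNTAB_MAGICS.items():
        needle = struct.pack(fmt, magic)
        pos = data.find(needle)
        while pos != -1:
            hdr = data[pos:pos + 8]
            # Header layout: magic(4) pad(2, must be zero) minLC(1) ptrSize(1).
            if (len(hdr) == 8 and hdr[4:6] == b"\x00\x00"
                    and hdr[6] in (1, 2, 4) and hdr[7] in (4, 8)):
                hits.append((pos, versions, hdr[7]))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def find_build_id(data):
    """Return the embedded Go build ID string, or None if the marker is absent."""
    start = data.find(BUILDID_MARKER)
    if start == -1:
        return None
    start += len(BUILDID_MARKER)
    end = data.find(b'"', start)
    return data[start:end].decode("ascii", "replace") if end != -1 else None


# Constructed sample: padding, a magic followed by an invalid header (must be
# rejected), a valid go1.20+ 64-bit header, and a made-up build ID string.
SAMPLE = (b"\x00" * 16 + b"\xf1\xff\xff\xff\x01\x02\x03\x04"
          + b"\x90" * 8 + b"\xf1\xff\xff\xff\x00\x00\x01\x08"
          + b"\x00" * 8 + b'\xff Go build ID: "constructed/sample/id"\n \xff')

if __name__ == "__main__":
    print(find_pclntab_headers(SAMPLE))
    print(find_build_id(SAMPLE))
```

A hit is only a candidate: the header check filters out stray magic bytes, but a real parser still has to validate the tables that follow the header.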
Calling Conventions
Golang has its own calling convention(s), denoted in IDA as `__golang`. In fact, Golang has two different calling conventions: a stack-based CC (abi0) and a newer register-based CC (abiinternal). The Golang version, and thus which calling convention to use, is automatically inferred from metadata structures; it can also be controlled through the `force_regabi` command line option.
List of `-Ogolang` options
Command line options take precedence over config file options.
- `force`: try to force the analysis (no detection step needed)
- `off`: disable the plugin
- `no_rtypes`: do not import any types
- `rname_len2`: force the reflect type name format to go1.17 and later (varint encoding: 1-10 bytes)
- `rname_len1`: force the reflect type name format to before go1.17 (2 bytes)
- `import_lnnums`: recover file names & line numbers from pclntab
- `no_func_end_from_pcval_tabs`: do not derive a function's end from pclntab metadata
- `force_regabi[=on|=off]`: override calling convention version
  - `=off`: will force the stack-based CC
  - `=on`/no value: will force the register-based CC

See cfg/golang.cfg for available configuration options.
Examples
- forcing analysis and register-based calling convention: `-Ogolang:force:force_regabi`
- disabling the plugin: `-Ogolang:off`