During the 2021 edition of the SAS conference, I had the pleasure of delivering a workshop focused on reverse-engineering Go binaries. The goal of the workshop was to share basic knowledge that would allow analysts to immediately start looking into malware written in Go. A YouTube version of the workshop was released around the same time. Of course, the drawback of providing entry-level or immediately actionable information is that a few subtleties must be omitted. One particular topic I brushed aside was related to the way that Go creates objects.

[Screenshot from IDA Pro: call to runtime.newobject]

In this screenshot taken from IDA Pro, we can see a call to the runtime.newobject function, which receives a structure as an argument (here, in the RDX register, two lines above the call). The malware presented in the workshop (Sunshuttle, from the DarkHalo APT, MD5 5DB340A70CB5D90601516DB89E629E43) is straightforward to the extent that it can be understood without paying too much attention to these objects.