Add Go decoded stackstring extraction via runtime.slicebytetostring callsites#1232
Add Go decoded stackstring extraction via runtime.slicebytetostring callsites#1232kunalsz wants to merge 1 commit intomandiant:masterfrom
Conversation
…allsites Signed-off-by: kunalsz <kunalavengers@gmail.com>
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances Go binary analysis capabilities by introducing a mechanism to identify and extract decoded stackstrings. It achieves this by intelligently locating calls to Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a robust mechanism for identifying runtime.slicebytetostring callsites in Go binaries, which is a crucial first step for extracting decoded stackstrings. A new module, pclntab.py, is added to parse Go's pclntab data structure, enabling function symbol resolution even in stripped or obfuscated binaries. This new capability is integrated into extract.py. The changes are well-structured, include comprehensive unit tests for the new parser, and a helpful debug script. My feedback includes a couple of suggestions to improve maintainability and code clarity by replacing a magic number with a constant and avoiding variable shadowing.
| _pe = pe | ||
| if _pe is None: | ||
| # Derive PE path from the vivisect workspace file list | ||
| files = vw.getFiles() | ||
| if not files: | ||
| logger.debug("vw.getFiles() returned nothing, cannot open PE for pclntab scan") | ||
| return out | ||
| sample_path = files[0] | ||
| _pe = pefile.PE(sample_path, fast_load=True) | ||
|
|
||
| hits = find_runtime_functions(_pe, _SLICEBYTETOSTRING_TOKENS) |
There was a problem hiding this comment.
The local variable _pe shadows the function parameter pe. This can be confusing and is generally discouraged. It's better to use a different name for the local variable to make the code clearer.
| _pe = pe | |
| if _pe is None: | |
| # Derive PE path from the vivisect workspace file list | |
| files = vw.getFiles() | |
| if not files: | |
| logger.debug("vw.getFiles() returned nothing, cannot open PE for pclntab scan") | |
| return out | |
| sample_path = files[0] | |
| _pe = pefile.PE(sample_path, fast_load=True) | |
| hits = find_runtime_functions(_pe, _SLICEBYTETOSTRING_TOKENS) | |
| pe_to_use = pe | |
| if pe_to_use is None: | |
| # Derive PE path from the vivisect workspace file list | |
| files = vw.getFiles() | |
| if not files: | |
| logger.debug("vw.getFiles() returned nothing, cannot open PE for pclntab scan") | |
| return out | |
| sample_path = files[0] | |
| pe_to_use = pefile.PE(sample_path, fast_load=True) | |
| hits = find_runtime_functions(pe_to_use, _SLICEBYTETOSTRING_TOKENS) |
| return {} | ||
|
|
||
| nfunctab = _uptr(data, 8, ptrsize) | ||
| if nfunctab == 0 or nfunctab > 1_000_000: |
There was a problem hiding this comment.
The magic number 1_000_000 is used as a heuristic limit for the number of functions. It would be better to define this as a constant at the module level (e.g., _MAX_FUNCTIONS_HEURISTIC = 1_000_000) to improve readability and maintainability. This number is also used in _parse_v116 (line 264) and _parse_v118 (line 340).
|
@mr-tz A small surface level review for the direction of the PR would be helpful! 🙃 |
1 participant
Resolves #828
This PR aims to implement :
Note that generally decoding strings such as this involves converting a byte array back into a string, so stackstrings are typically followed by a call to runtime_slicebytetostringas discussed in Update Stackstrings Algorithm in Go Extraction Code #828Till now a module has been added(
pclntab.py) to parse Go metadata (pclntab/moduledata) for function names and addresses as the repo doesnt have Go runtime symbol resolution helpers.This is used to locate
runtime.slicebytetostring, function VA ofruntime.slicebytetostringand list of call sites.Next steps would be to , recover the decoded bytes at each identified call site and hence the runtime stackstrings.
References/Inspirations for the work :
Note : For
test_language_go_pclntab.pyhelp of copilot was taken to build version specific minimal pclntab blob