Golang for Offensive Security
What is Golang?
GoLang is a programming language developed by Google, released in 2012. It’s known for its simplicity, efficiency, and performance, making it a popular choice for building fast and reliable software. Go is designed to handle tasks like concurrent processing and network programming with ease, and it compiles to a single binary file, simplifying deployment.
Why Go is relevant:
Adversaries are increasingly using Go to create malware due to its efficiency and cross-platform capabilities, making it more challenging to detect and analyze. Red teamers, blue teamers, and penetration testers need to understand Go to effectively identify and model these threats. By learning Go, they can better anticipate adversary tactics and develop countermeasures, enhancing their ability to detect and respond to emerging Go-based malware.
What makes Go ideal for developing exploits?
Easy to Learn: Due to its easy to read syntax similar to that of Python, it’s easy for previously experienced or new individuals to learn how to adapt Go to their needs. It is even easier for those who have experience writing in C due it’s reminiscent syntax, but it has automatic garbage collection so there is no need to manually manage memory.
Cross Compilation: You’re able to develop your exploits on a Linux machine and target Windows or MacOS, the inverse of these is also true. You can develop on the others and target the opposite platform. Android and iOS is also an option given GoMobile packages.
No Installation Dependencies: Where running a Python exploit will require some imported modules or other dependencies, Go has everything it needs in the created executable binary. Once your exploit is transferred to the target, you’re good to go (no pun intended).
Larger Binaries: There is a duality between pro and con here. Static linking all the dependencies creates larger binaries, more often than not adversaries try to create small binaries. A benefit to marginally larger binaries could be a harder to examine binary due to more confusing outputs for defenders to sift through when using tools like GDB (GNU Debugger).
Why Go is great for obfuscation:
Ability to Import C: Go’s ability to seamlessly integrate C code through cgo allows developers to incorporate complex, low-level operations directly into Go programs. This can further complicate reverse engineering, as attackers can mix Go and C code, adding an additional layer of complexity for those trying to dissect the malware. This can be useful in creating DLLs which are even better at staying undetected.
Obscurity: The Go compiler provides options to omit debug symbols and strip the symbol table from the compiled binary. This means that variable names, function names, and other identifiers are converted into memory addresses, significantly obscuring the original source code. Without these symbols, it becomes nearly impossible for defenders to reverse-engineer the code into a readable format. Additionally, stripping these symbols often results in a smaller binary, which can aid in avoiding detection by making the malware appear more innocuous.
Hiding Console Windows: Go allows for the creation of Windows executables that can run without displaying a console window, effectively hiding the malware's execution from users. This feature is particularly useful for malware developers, as it reduces the chances of detection by end-users who might otherwise notice a suspicious command prompt or terminal window. By operating silently in the background, Go-based malware can carry out its malicious activities without drawing attention.
Together, these features make Go an appealing choice for adversaries looking to create obfuscated, hard-to-detect malware. Security professionals need to be aware of these capabilities to better understand and defend against the evolving threat landscape.
Want to keep up with what I am learning, making, and using? Here is a link to my GitHub repository: https://github.com/CommodoreAlex/
