Find strings in Go binaries

Overview

gostringsr2

gostringsr2 extracts strings from a Go binary using radare2.

Tested with radare2 3.7.0, Python 3.7, r2pipe 1.4.1, on OS X and Linux.

Tested on Go binaries with architectures: x86 (32 and 64 bit), ARM (32 and 64 bit).

Tested on Go binaries with file formats: ELF (Linux), Mach-O (OS X), PE (Windows).

v1.0.0 code walkthrough - https://carvesystems.com/news/reverse-engineering-go-binaries-using-radare-2-and-python/

Installation

  1. Install radare2.
  2. Install gostringsr2 into your Python3 (virtual) environment

From Github:

pip install git+https://github.com/carvesystems/gostringsr2

or

Locally:

git clone https://github.com/carvesystems/gostringsr2
pip install -e gostringsr2

Usage

Usage: gostringsr2 [OPTIONS] FILE

Options:
  -n INTEGER  minimum length, default=4
  -v          verbose
  -u          utf8 encoding instead of ascii
  -s TEXT     save output as r2 script; load in r2 with: . [script-file]
  --help      Show this message and exit.

Example

Sample Go file:

$ cat <<SOURCE > helloworld.go
package main

func main() {
    print("hello world, how are you today?\n")
}
SOURCE

$ go build helloworld.go

$ ./helloworld
hello world, how are you today?

Basic output:

Find ASCII strings of at least length 8:

$ gostringsr2 -n 8 helloworld|grep -B5 -A5 hello
bad write barrier buffer bounds
call from within the Go runtime
casgstatus: bad incoming values
checkmark found unmarked object
entersyscallblock inconsistent 
hello world, how are you today?
inserting span already in treap
internal error - misuse of itab
non in-use span in unswept list
pacer: sweep done at heap size 
resetspinning: not a spinning m

Verbose output:

Shows debug messages and each string's virtual address and (decoded) length.

$ gostringsr2 -v -n 8 helloworld|grep -B5 -A5 hello
Loading file into r2: helloworld
file: helloworld
size: 1083 KB
executable: mach0
language: c
architecture: 64-bit x86
os: macos
stripped: False

Locating string table...
String table at 0x106cf20 thru 0x10713a2
Retrieving cross references...
Limited cross-ref check from 0x1001000 to 0x104ead0
Locating string references...
Retrieved 774 references to the string table
Found strings: 631
0x106f9c3 : [31] : bad write barrier buffer bounds
0x106f9e2 : [31] : call from within the Go runtime
0x106fa01 : [31] : casgstatus: bad incoming values
0x106fa20 : [31] : checkmark found unmarked object
0x106fa3f : [31] : entersyscallblock inconsistent 
0x106fa5e : [31] : hello world, how are you today?
0x106fa7d : [31] : inserting span already in treap
0x106fa9c : [31] : internal error - misuse of itab
0x106fabb : [31] : non in-use span in unswept list
0x106fada : [31] : pacer: sweep done at heap size 
0x106faf9 : [31] : resetspinning: not a spinning m

r2 script output

Writes an r2 script that creates:

  1. A string reference ("axs") to the string at each code locations
  2. A comment ("CCu") at each code reference, ([string length]) "[first 50 characters of the string]"
  3. A flag in the strings flag space starting with str.go.[first 20 chars of the string]
$ gostringsr2 -s helloworld.r2 -v -n 8 -helloworld|grep hello
Loading file into r2: helloworld
file: helloworld
size: 1083 KB
executable: mach0
language: c
architecture: 64-bit x86
os: macos
stripped: False

Locating string table...
String table at 0x106cf40 thru 0x1071403
Retrieving cross references...
Limited cross-ref check from 0x1001000 to 0x104eaf0
Locating string references...
Retrieved 775 references to the string table
Found strings: 632
+ r2 script written to hello.r2. Load in r2 with '. [scriptfile]'
0x106fbf7 : [32] : hello world, how are you today?


$ r2 helloworld
 -- It's not you, it's me.
[0x0104a4d0]> . hello.r2
[0x0104a4d0]> axt 0x106fbf7
(nofunc); (32) "hello world, how are you today?//" 0x104ea42 [STRING] lea rax, str.go.hello_world__how_are
[0x0104a4d0]> pd 6 @0x104ea42
            0x0104ea42      488d05ae1102.  lea rax, str.go.hello_world__how_are ; (32) "hello world, how are you today?//"
            0x0104ea49      48890424       mov qword [rsp], rax
            0x0104ea4d      48c744240820.  mov qword [rsp + 8], 0x20
            0x0104ea56      e87557fdff     call sym.runtime.printstring
            0x0104ea5b      e8c04efdff     call sym.runtime.printunlock
            0x0104ea60      e83b4efdff     call sym.runtime.printlock
[0x0104a4d0]>
You might also like...
Find in Go repeated strings that could be replaced by a constant

goconst Find repeated strings that could be replaced by a constant. Motivation There are obvious benefits to using constants instead of repeating stri

A file find utility modeled after the unix find written in Go

gofind A file find utility modeled after the unix find written in Go. Why This p

Cf-cli-find-app-plugin - CF CLI plugin to find applications containing a search string

Overview This cf cli plugin allows users to search for application names that co

Proto-find is a tool for researchers that lets you find client side prototype pollution vulnerability.

proto-find proto-find is a tool for researchers that lets you find client side prototype pollution vulnerability. How it works proto-find open URL in

Type-agnostic partitioning for Go's indexable collections and strings.

Go Type-Agnostic Collection Partitioning Type-agnostic partitioning for anything that can be indexed in Go - slices, arrays,strings. Inspired by Guava

GoLang Parse many date strings without knowing format in advance.

Go Date Parser Parse many date strings without knowing format in advance. Uses a scanner to read bytes and use a state machine to find format. Much fa

A Golang library to manipulate strings according to the word parsing rules of the UNIX Bourne shell.

shellwords A Golang library to manipulate strings according to the word parsing rules of the UNIX Bourne shell. Installation go get github.com/Wing924

i18n (Internationalization and localization) engine written in Go, used for translating locale strings.

go-localize Simple and easy to use i18n (Internationalization and localization) engine written in Go, used for translating locale strings. Use with go

[UNMANTEINED] Extract values from strings and fill your structs with nlp.

nlp nlp is a general purpose any-lang Natural Language Processor that parses the data inside a text and returns a filled model Supported types int in

[Go] Package of validators and sanitizers for strings, numerics, slices and structs

govalidator A package of validators and sanitizers for strings, structs and collections. Based on validator.js. Installation Make sure that Go is inst

Supporting your devops by shortening your strings using common abbreviations and clever guesswork

abbreviate Shorten your strings using common abbreviations. Supported by Tidelift Motivation This tool comes out of a frustration of the name of resou

[Go] Package of validators and sanitizers for strings, numerics, slices and structs

govalidator A package of validators and sanitizers for strings, structs and collections. Based on validator.js. Installation Make sure that Go is inst

Package sanitize provides functions for sanitizing text in golang strings.

sanitize Package sanitize provides functions to sanitize html and paths with go (golang). FUNCTIONS sanitize.Accents(s string) string Accents replaces

go-querystring is Go library for encoding structs into URL query strings.

go-querystring go-querystring is a Go library for encoding structs into URL query parameters. Usage import "github.com/google/go-querystring/query" go

 A library for parsing ANSI encoded strings
A library for parsing ANSI encoded strings

Go ANSI Parser converts strings with ANSI escape codes into a slice of structs that represent styled text

Package mafsa implements Minimal Acyclic Finite State Automata in Go, essentially a high-speed, memory-efficient, Unicode-friendly set of strings.

MA-FSA for Go Package mafsa implements Minimal Acyclic Finite State Automata (MA-FSA) with Minimal Perfect Hashing (MPH). Basically, it's a set of str

Storing strings without GC overhead

stringbank stringbank allows you to hold large numbers of strings without bothering the garbage collector. For small strings storage is reduced as the

Small, fast library to create ANSI colored strings and codes. [go, golang]

ansi Package ansi is a small, fast library to create ANSI colored strings and codes. Install Get it go get -u github.com/mgutz/ansi Example import "gi

Library for easy named formatting strings

go-celsium Library for easy named formatting translations Documentation All translations with named parameters are stored in next format: Hello, {name

Comments
  • Typo? dst_addr instead of src_addr

    Typo? dst_addr instead of src_addr

    This looks like a typo to me dst_addr >= code_section["vaddr"], I suspect you meant src_addr >= code_section["vaddr"] https://github.com/CarveSystems/gostringsr2/blob/84d5adc7a74075185c327f170e4642c77eeb7cc0/gostringsr2/gostringsr2.py#L222

    Can you also share which version of radare2 you are using? I'm using 3.7.0.0 with Python 3.7.4 and r2.cmd("pr") returns ASCII strings instead of byte strings. I kind of suspect that this is a regression in radare2 or r2pipe.

    Thanks for sharing this!

    opened by sir-ragna 4
Owner
Carve Systems
Carve Systems
PKSUID is a small extension for KSUID (K-Sortable Globally Unique IDs) which allows prefixing it with arbitrary up to 16 bytes strings

PKSUID is a small extension for KSUID (K-Sortable Globally Unique IDs) which allows prefixing it with arbitrary up to 16 bytes strings

Velmie 1 Feb 6, 2022
repin is a tool to replace strings between keyword pair.

repin repin is a tool to replace strings between keyword pair. tl;dr repin is a tool that makes it easy to write operations that can be written in GNU

Ken’ichiro Oyama 3 Mar 8, 2022
Filter out multiple strings from stdin.

minus The minus tool accepts data from stdin and filters out any arguments passed. It simplifies something like this: some_command | grep -vF thing1 |

Shawn Milochik 1 Dec 20, 2021
The forgotten go tool that executes and caches binaries included in go.mod files.

The forgotten go tool that executes and caches binaries included in go.mod files. This makes it easy to version cli tools in your projects such as gol

Dustin Blackman 24 Sep 27, 2022
A framework for constructing self-spreading binaries

A framework that aids in creation of self-spreading software Requirements go get -u github.com/redcode-labs/Coldfire go get -u github.com/yelinaung/go

Red Code Labs 916 Sep 27, 2022
Ghdl - A much more convenient way to download GitHub release binaries on the command line, works on Win & Unix-like systems

ghdl Memorize ghdl as github download ghdl is a fast and simple program (and als

beet 48 Aug 26, 2022
Find hidden information in JS files for golang

findsecret Find hidden information in JS files Installation Download findsecret.

null 2 Dec 26, 2021
Via Cep Wrapper is a api wrapper used to find address by zipcode (Brazil only)

Viacep Wrapper Viacep Wrapper is an API wrapper built with Golang used to find address by zipcode (Brazil only). This project was developed for study

PATRICK SEGANTINE 1 Jan 25, 2022
A program to create assembly 8086 strings to print without using any printing/strings related function but only mov-xchg-int and loops

Assembly String builder tool A program to create assembly 8086 strings to print without using any printing/strings related function but only mov-xchg-

Reg 2 Feb 1, 2022
Static binary analysis tool to compute shared strings references between binaries and output in JSON, YAML and YARA

StrTwins StrTwins is a binary analysis tool, powered by radare, that is capable to find shared code string references between executables and output i

Anderson 2 May 3, 2022