From ec53165a706f3cadff6c8813200ffc257d4d90d3 Mon Sep 17 00:00:00 2001 From: NtWriteCode Date: Wed, 28 Aug 2024 15:23:31 +0200 Subject: [PATCH] Improved GoLang handling --- db/PE/Go.4.sg | 86 +++++++++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 40 deletions(-) diff --git a/db/PE/Go.4.sg b/db/PE/Go.4.sg index f116b0b9a..8333b8334 100644 --- a/db/PE/Go.4.sg +++ b/db/PE/Go.4.sg @@ -6,48 +6,54 @@ init("compiler", "Go"); function detect(bShowType, bShowVersion, bShowOptions) { - // All go compiled PE binaries have a .symtab section + bDetected = false; + + // All **UNMODIFIED** go compiled PE binaries have a .symtab section if (!PE.section[".symtab"]) { - bDetected = false; - return result(bShowType, bShowVersion); + // If it doesn't have, let's try a heuristic only, no pattern matching + // Who knows if pattern matching is good enough + if (PE.isSignatureInSectionPresent(0, "ff20'Go build ID: '")) { + sVersion = "1.15.0-X.XX.X"; + bDetected = true; + } } - - bDetected = 1; - - if (PE.compareEP("488d742408488b3c24488d0510000000ffe0cccccccccccccccccccccccccccc") || - PE.compareEP("83ec0c8b44240c8d5c241089442404895c2408c70424ffffffffe901000000cc")) { - sVersion = "1.7.x-1.9.x"; - } else if (PE.compareEP("e90bd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089") || - PE.compareEP("e92bc7ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c")) { - sVersion = "1.10"; - } else if (PE.compareEP("e98bc8ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || - PE.compareEP("e90bd9ffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { - sVersion = "1.10.x"; - } else if (PE.compareEP("e98bdbffffcccccccccccccccccccccc8b5c240464c705340000000000000089") || - PE.compareEP("e9dbc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c")) { - sVersion = "1.11-1.11.x"; - } else if (PE.compareEP("e9ebc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || - PE.compareEP("e99bdbffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { - sVersion = "1.12 or 1.12.2-1.12.9"; - } else if (PE.compareEP("e98bc4ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || - PE.compareEP("e99bdaffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { - sVersion = "1.12.1"; - } else if (PE.compareEP("e92bc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || - PE.compareEP("e9cbdaffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { - sVersion = "1.13 or 1.13.2"; - } else if (PE.compareEP("e9cbc3ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || - PE.compareEP("e9cbd9ffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { - sVersion = "1.13.1 or 1.13.3-9"; - } else if (PE.compareEP("e9cbd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089") || - PE.compareEP("e9cbc1ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c")) { - sVersion = "1.14 or 1.14.x"; - } else if (PE.compareEP("e9....ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c2530000000c7476800000000") || - PE.compareEP("e9....ffffcccccccccccccccccccccc8b5c240464c705340000000000000089e58b4b0489c8c1e00229c489e78b7308fcf3")) { - sVersion = "1.x"; - } else if (PE.isSignatureInSectionPresent(0, "ff20'Go build ID: '")) { - sVersion = "1.15.0-X.XX.X"; - } else { - bDetected = false; + else { + bDetected = true; + if (PE.compareEP("488d742408488b3c24488d0510000000ffe0cccccccccccccccccccccccccccc") || + PE.compareEP("83ec0c8b44240c8d5c241089442404895c2408c70424ffffffffe901000000cc")) { + sVersion = "1.7.x-1.9.x"; + } else if (PE.compareEP("e90bd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089") || + PE.compareEP("e92bc7ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c")) { + sVersion = "1.10"; + } else if (PE.compareEP("e98bc8ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || + PE.compareEP("e90bd9ffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { + sVersion = "1.10.x"; + } else if (PE.compareEP("e98bdbffffcccccccccccccccccccccc8b5c240464c705340000000000000089") || + PE.compareEP("e9dbc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c")) { + sVersion = "1.11-1.11.x"; + } else if (PE.compareEP("e9ebc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || + PE.compareEP("e99bdbffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { + sVersion = "1.12 or 1.12.2-1.12.9"; + } else if (PE.compareEP("e98bc4ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || + PE.compareEP("e99bdaffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { + sVersion = "1.12.1"; + } else if (PE.compareEP("e92bc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || + PE.compareEP("e9cbdaffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { + sVersion = "1.13 or 1.13.2"; + } else if (PE.compareEP("e9cbc3ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") || + PE.compareEP("e9cbd9ffffcccccccccccccccccccccc8b5c240464c705340000000000000089")) { + sVersion = "1.13.1 or 1.13.3-9"; + } else if (PE.compareEP("e9cbd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089") || + PE.compareEP("e9cbc1ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c")) { + sVersion = "1.14 or 1.14.x"; + } else if (PE.compareEP("e9....ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c2530000000c7476800000000") || + PE.compareEP("e9....ffffcccccccccccccccccccccc8b5c240464c705340000000000000089e58b4b0489c8c1e00229c489e78b7308fcf3")) { + sVersion = "1.x"; + } else if (PE.isSignatureInSectionPresent(0, "ff20'Go build ID: '")) { + sVersion = "1.15.0-X.XX.X"; + } else { + bDetected = false; + } } //final check for exact version of golang used embedded inside binary