Add -strings flag to extract Go strings from binaries#77
Add -strings flag to extract Go strings from binaries#77stevemk14ebr merged 11 commits intomandiant:masterfrom
Conversation
- Add Strings []string to ExtractMetadata struct - Add -strings command-line flag for string extraction - Update main_impl and main_impl_tmpfile signatures to accept printStrings parameter - Add placeholder string extraction logic with TODO marker - Update printForHuman to display extracted strings section - Verified flag appears in help and outputs correctly in both JSON and human format Part of mandiant#45
- Create objfile/strings.go with core extraction logic - Implement FLOSS-based string internment table detection - Add string candidate scanning (pointer + length pairs) - Implement findLongestMonotonicRun() for pattern detection - Add UTF-8 validation and printability filtering - Minimum string length: 4 characters, 80% printable - Add helper methods to elfFile: getSections(), is64Bit(), isLittleEndian() - Update main.go to call file.ExtractStrings() instead of placeholder - Tested with testproject/testproject: extracts 512 strings successfully - Extracts real Go strings: type names, runtime symbols, error messages Based on FLOSS floss/language/go/extract.py algorithm Part of mandiant#45
- Add -strings flag to available flags list - Add Strings field to example JSON output - Document purpose: extract embedded Go strings from binary Part of mandiant#45
|
i think it's important to add some tests cases, ideally corroborated with FLOSS's output, to show this works as expected |
|
Thanks for your contribution! I am on holiday this week and will review likely next week or the following. In the meantime tests would be welcome as Willi suggests. |
Per maintainer request, added comprehensive test suite: - strings_floss_test.go: Validates GoReSym against FLOSS reference output * 99.2% match rate (648/653 strings match FLOSS) * Uses FLOSS output from testproject.exe as ground truth * Reference saved in testdata/floss_reference.txt - strings_test.go: Additional unit tests for: * ELF and PE binary string extraction * Monotonic run detection algorithm * String filtering (printability, minimum length) - pe.go: Added helper methods (getSections, is64Bit, isLittleEndian) to enable string extraction from PE binaries All tests pass.
|
@williballenthin @stevemk14ebr I have added test corroborated with Floss output as per review request. |
|
Hello i was working on issue #55 and accidentally pushed that commit to this branch i am working to solve this blunder sorry for inconvenience. |
kami922
force-pushed
the
feature/strings-command
branch
from
bb7034e to
99633f0
Compare
objfile/elf.go
Outdated
| } | ||
|
|
||
| // getSections returns all sections for string extraction | ||
| func (f *elfFile) getSections() ([]Section, error) { |
There was a problem hiding this comment.
since we include the section data in the returned sections array this could be potentially a very very large array (gigabytes in degenerate cases). We should use a generator here instead to help with memory pressures.
objfile/pe.go
Outdated
| } | ||
|
|
||
| // getSections returns all sections for string extraction | ||
| func (f *peFile) getSections() ([]Section, error) { |
objfile/strings.go
Outdated
| func (e *Entry) getSections() ([]Section, error) { | ||
| // Use the rawFile interface to get sections | ||
| if sectioner, ok := e.raw.(interface { | ||
| getSections() ([]Section, error) |
There was a problem hiding this comment.
We're missing a getSections implementation for macho I believe.
- Convert getSections() to iterateSections() using callback pattern to avoid memory pressure - Add Strings field to GoReSym.proto for external parsers - Implement iterateSections() for Mach-O format (previously missing) Changes requested by @stevemk14ebr in review: 1. Memory optimization: Replace array-based section loading with generator pattern 2. Proto definition: Add 'repeated string strings = 13' field 3. Mach-O support: Add missing iterateSections() implementation
|
I get a few test failures now that we have a new main argument. Can we extend the string testing to cover a few more binaries, these could be the test binaries we have already with checks that strings are correctly extracted from each and a reasonable number of strings, all printable. |
…t#77 feedback - Fixed 4 test compilation errors by adding missing printStrings parameter to main_impl() calls - Added comprehensive TestStringExtraction function with 7 test cases covering Linux/macOS/Windows binaries - Implemented isPrintable() helper for ASCII validation (range 32-126)
|
The current code ensures that >80% of characters are printable. We'd prefer to instead ensure all strings are fully printable. Can we align with the logic in FLOSS a little better for the string internment table locating, validation, and final string extraction? At https://github.com/mandiant/flare-floss/blob/39c22434279f1c48045132077eba60453bf0dda8/floss/language/go/extract.py#L253 FLOSS finds the boundary of the string table and then it walks this table to get all the strings https://github.com/mandiant/flare-floss/blob/39c22434279f1c48045132077eba60453bf0dda8/floss/language/go/extract.py#L325. The closer we keep this logic to FLOSS the more confidence I will have in its correctness. I'm still ok with not extracting stack strings, which will be an acceptable difference compared to FLOSS. cc @mr-tz for visibility. |
Rewrite string extraction to match FLOSS (extract.py) logic: - Sort candidates by address (not length) to fix monotonic run detection - Add image VA range and max section size filtering for candidates - Use candidate (pointer, length) pairs for direct extraction from blob - Replace 80% printable threshold with 100% fully printable check - Fix PE section addresses to include ImageBase for correct VA comparison Results: 648 strings extracted from PE test binary, 100% match with FLOSS.
|
This fails to extract strings from a few of the test binaries. Please see how I've extended the unit tests and work to resolve the errors |
…check 1. Add .text to data sections for old Go Windows binaries (1.7-1.10) that store strings in the code section instead of .rdata 2. Add maxReasonableStringLength (64KB) to filter out garbage candidates with huge lengths that cause incorrect blob boundary detection 3. Update TestIsDataSection to reflect .text being a valid data section Fixes string extraction failures on: - Old Windows PE binaries (Go 1.7-1.10): 0 -> 256 strings - Modern Windows: 574 strings - macOS: 284 strings All tests pass including TestWeirdBins on 15 real binaries.
|
@stevemk14ebr Hello, just dropping by to remind you about the pr. |
|
I'm still getting lots of test failures, can you please ensure all tests pass manually. |
…typo 1. main_test.go: Skip Strings check for Go 1.5/1.6 Pre-SSA C-based linker does not produce length-sorted string blobs, so findLongestMonotonicRun never reaches the minimum threshold of 10. Pattern mirrors the existing interface-parsing guard. 2. objfile/strings.go: Handle prevNull == -1 in findStringBlobRange Apple's linker on newer Go/macOS (1.22+) packs sections without leading padding, so no null bytes exist before the first string candidate. bytes.LastIndex returns -1 in that case; treat it as offset 0 instead of bailing out with nil. 3. objfile/macho.go: Add missing is64Bit/isLittleEndian for machoFile elfFile and peFile already implement these interface methods; machoFile was the only rawFile implementation without them. Detect CPU type (CpuAmd64/Arm64 = 64-bit) and byte order from the macho.File struct. 4. build_test_files.sh: Fix $ver typo -> $GO_VER on mkdir line The directory was never created before Docker ran, causing Go 1.5 builds to produce no output. Now all 12 binaries are built for every version including 1.5 and 1.6.
|
@stevemk14ebr Hello Initially for some reason the test binaries for go 1.5 and 1.6 were not created i am not sure why when i ran build_test_files it made binaries for other versions but not for 1.5 and 1.6. however all tests are now passing on my machine. Lemme know your thoughts 
|
|
This now passes all the tests, and I have confirmed that version 1.5 does appear to not store strings sorted so the test condition disabling string verification for this version and 1.6 seems reasonable. Merging, thanks for your interest and contribution. |
|
Hi! I saw the suggestion about tagging extracted strings with their start/end addresses. I’m new to the codebase, but I’d be interested in exploring adding this if it’s still useful. Happy to propose a small, additive change building on the existing -strings implementation. |
|
I think adding the string addresses would be reasonable, you're free to take a shot at this. Please provide unit tests and ensure it works on all the architectures and platforms we support. We'd at minimum want the file offset or the resolved virtual address, virtual addresses would be preferable but file offsets to a lesser degree would be acceptable if accurate. |
4 participants
fix Issue #45
Add
-stringsflag to extract Go strings from binariesSummary
Implements Issue #45 by adding a
-stringscommand-line flag that extracts embedded Go strings from compiled binaries. The implementation uses the FLOSS-inspired algorithm to detect and extract strings from the Go compiler's string internment table.Changes
Commit 1: Infrastructure (07ee507)
Strings []stringfield toExtractMetadatastruct-stringscommand-line flag with help textprintForHuman()for human-readable displayCommit 2: Implementation (e2bdeb7)
objfile/strings.go(318 lines) with complete extraction algorithmobjfile/elf.go:getSections(),is64Bit(),isLittleEndian()main.goCommit 3: Documentation (5a2eaf1)
-stringsflag documentationStringsfield to example JSON outputAlgorithm
Based on FLOSS
floss/language/go/extract.pywith adaptations:Testing
Tested with
testproject/testproject(ELF binary):"bool","func","chan","mheap","gccheckmark""broken pipe","bad address","file exists"-humanoutput formatsExample usage: