{"id":874,"date":"2025-04-17T02:56:43","date_gmt":"2025-04-17T02:56:43","guid":{"rendered":"https:\/\/malwrforensics.com\/en\/?p=874"},"modified":"2025-04-17T02:56:43","modified_gmt":"2025-04-17T02:56:43","slug":"demystify-golang-malware-how-to-recognize-bishop-foxs-sliver","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2025\/04\/17\/demystify-golang-malware-how-to-recognize-bishop-foxs-sliver\/","title":{"rendered":"Demystify golang malware – how to recognize Bishop Fox’s Sliver"},"content":{"rendered":"\n

In this blog post we’ll look into how we can do a quick analysis of a golang<\/a> binary. You can download the sample from here<\/a> (thanks to Any.Run). I’ll only use two tools today (Far Manager<\/a> and Hiew), but you can use any file viewer\/editor you want (Notepad works too).<\/p>\n\n\n\n

First, let’s have a look at the PE header of a golang windows executable. From the start we can tell it’s a golang binary. The “Go build ID” (embedded into the compiled binary by the go build<\/code> tool) is pretty obvious.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Let’s look now at the PE sections.<\/p>\n\n\n\n

An interesting one is the .data<\/code> section. Here I’ve used Hiew to locate the start offset and view the content.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This section is interesting because it contains build information, which sometimes can give us a hint of what we’re dealing with.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The highlighted part tells us that we’re dealing with sliver<\/a>. <\/p>\n\n\n\n

For a definitive answer, let’s see if we can analyze the other sections. The only problem is that they look something like this:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The first hint is the ZLIB<\/code> string at the beginning of the section. If we look at the following bytes, we’ll stumble upon the 78 01<\/code> value (in other files this may be different). A zlib stream starting with 78 01<\/code> indicates that the data is compressed using the deflate method with a 32K window size and the fastest compression level. If you want to know more about ZLIB, here is the RFC<\/a>.<\/p>\n\n\n\n

What we need to do now is to remove everything from the beginning of the file until 78 01<\/code>. Once we have that, we just need to run this python script<\/a> to extract the compressed data. If you want to inspect all the compressed sections, you need to follow the steps outlined above for every compressed stream.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once we’re able to inspect the “real” data, we can say for sure that we’re dealing with Sliver. <\/p>\n\n\n\n

\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

In this blog post we’ll look into how we can do a quick analysis of a golang binary. You can download the sample from here (thanks to Any.Run). I’ll only use two tools today (Far Manager and Hiew), but you can use any file viewer\/editor you want (Notepad works too). First, let’s have a look […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[144,18,38,143],"class_list":["post-874","post","type-post","status-publish","format-standard","hentry","category-security","tag-any-run","tag-malware","tag-reverse-engineering","tag-sliver"],"blocksy_meta":[],"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"

In this blog post we’ll look into how we can do a quick analysis of a golang binary. You can download the sample from here (thanks to Any.Run). I’ll only use two tools today (Far Manager and Hiew), but you can use any file viewer\/editor you want (Notepad works too). First, let’s have a look at the PE header of a golang windows executable. From the start we can tell it’s a golang binary. The “Go build ID” (embedded into the compiled binary by the go build tool) is pretty obvious. Let’s look now at the PE sections. An interesting…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=874"}],"version-history":[{"count":1,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/874\/revisions"}],"predecessor-version":[{"id":881,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/874\/revisions\/881"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}