Decompiling Go: Using metadata to improve decompilation readability

University essay from KTH/Skolan för elektroteknik och datavetenskap (School of Electrical Engineering and Computer Science, EECS)

Abstract: Malware written in Go is on the rise, yet tools for investigating Go programs, such as decompilers, remain limited. A decompiler takes a compiled binary and tries to recover its source code. Go is a high-level language whose runtime needs metadata to implement many of its features, such as garbage collection and polymorphism. Decompilers have used this metadata to some degree to aid manual reverse engineering, but more can be done. We therefore extend the Ghidra decompiler with improvements that use runtime metadata to make the decompilation of Go binaries more readable. We make progress towards enabling Ghidra to represent Go's assembly conventions. We implement multiple analyses: some reduce the noise the reverse engineer has to filter through, others enhance the decompilation, for example by adding types. The analyses are a mix of reimplementations of previous work and novel improvements. They use metadata that was already known, but in new ways: applying data types at polymorphic function call sites, and using function names to import signatures from source code. We also discover previously unused metadata, which points to promising future work. Our experimental evaluation compares our extension against existing decompiler extensions using multiple readability metrics. Our extension improves on metrics that measure the amount of code, such as lines of code, and it also decreases the number of casts. However, it performs worse on other metrics, producing more variables and glue functions. In conclusion, our extension produces more compact code while also increasing its informativeness for the reverse engineer.
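The abstract refers to runtime metadata that a decompiler can use: function names, PC ranges and file:line mappings that every Go binary embeds in its pclntab because the runtime needs them for stack traces and garbage collection. The following is an added example, not code from the essay or its Ghidra extension, showing how that metadata is recovered with Go's own debug/gosym package. It assumes an unstripped or stripped Go binary in ELF format (with a Mach-O fallback) and that the section names are the standard .text/.gopclntab (__text/__gopclntab on Mach-O); LoadSymbols, FunctionNames and Annotate are names chosen for this example.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"debug/macho"
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
)

// readPclntab returns the raw pclntab bytes, the virtual address of the
// text section and the (usually empty) .gosymtab bytes of a Go binary.
// ELF is tried first, Mach-O as a fallback (assumption: standard section names).
func readPclntab(path string) ([]byte, uint64, []byte, error) {
	if f, err := elf.Open(path); err == nil {
		defer f.Close()
		text, sec := f.Section(".text"), f.Section(".gopclntab")
		if text == nil || sec == nil {
			return nil, 0, nil, errors.New("not a Go ELF binary: missing .text or .gopclntab")
		}
		pcln, err := sec.Data()
		if err != nil {
			return nil, 0, nil, err
		}
		var symtab []byte
		if st := f.Section(".gosymtab"); st != nil {
			symtab, _ = st.Data() // empty since Go 1.3; names come from pclntab instead
		}
		return pcln, text.Addr, symtab, nil
	}
	f, err := macho.Open(path)
	if err != nil {
		return nil, 0, nil, fmt.Errorf("%s: neither ELF nor Mach-O", path)
	}
	defer f.Close()
	text, sec := f.Section("__text"), f.Section("__gopclntab")
	if text == nil || sec == nil {
		return nil, 0, nil, errors.New("not a Go Mach-O binary: missing __text or __gopclntab")
	}
	pcln, err := sec.Data()
	if err != nil {
		return nil, 0, nil, err
	}
	return pcln, text.Addr, nil, nil
}

// LoadSymbols builds a gosym.Table from a binary's pclntab. The table maps
// function names to PC ranges and PCs to file:line, which is exactly the
// per-function metadata a decompiler can use to name and bound functions.
func LoadSymbols(path string) (*gosym.Table, error) {
	pcln, textStart, symtab, err := readPclntab(path)
	if err != nil {
		return nil, err
	}
	return gosym.NewTable(symtab, gosym.NewLineTable(pcln, textStart))
}

// FunctionNames lists functions whose name starts with prefix (for example
// "main." for user code), ordered by entry address.
func FunctionNames(tab *gosym.Table, prefix string) []string {
	var fs []*gosym.Func
	for i := range tab.Funcs {
		if strings.HasPrefix(tab.Funcs[i].Name, prefix) {
			fs = append(fs, &tab.Funcs[i])
		}
	}
	sort.Slice(fs, func(i, j int) bool { return fs[i].Entry < fs[j].Entry })
	names := make([]string, len(fs))
	for i, f := range fs {
		names[i] = f.Name
	}
	return names
}

// Annotate labels a file-level PC the way a decompiler would:
// "pkg.Func+0xoff (file.go:line)". It returns "" if pc is in no function.
func Annotate(tab *gosym.Table, pc uint64) string {
	file, line, fn := tab.PCToLine(pc)
	if fn == nil {
		return ""
	}
	return fmt.Sprintf("%s+0x%x (%s:%d)", fn.Name, pc-fn.Entry, file, line)
}

func main() {
	path := os.Args[0] // default: inspect this very binary
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	tab, err := LoadSymbols(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d functions recovered from pclntab\n", len(tab.Funcs))
	for _, name := range FunctionNames(tab, "main.") {
		fn := tab.LookupFunc(name)
		fmt.Printf("%#x-%#x %s\n", fn.Entry, fn.End, name)
	}
	if fn := tab.LookupFunc("runtime.main"); fn != nil {
		fmt.Println(Annotate(tab, fn.Entry))
	}
}
```

Run it as `go run pclntab.go /path/to/sample` (or with no argument to inspect itself). The relevant caveat for malware analysis is that the pclntab survives `-ldflags="-s -w"`: stripping removes the ELF symbol table and DWARF, but the runtime still needs the pclntab, so function names and line numbers remain recoverable unless the author deliberately obfuscated them. PCs in the table are file addresses; when correlating with a debugger on a position-independent binary, subtract the load bias first.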
