Skip to content

Add -strings flag to extract Go strings from binaries #77

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kami922 wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Add -strings flag to extract Go strings from binaries #77

kami922 wants to merge 6 commits into from
+2,525 −8

Conversation

@kami922
Copy link
Contributor

@kami922 kami922 commented Dec 29, 2025

fix Issue #45

Add -strings flag to extract Go strings from binaries

Summary

Implements Issue #45 by adding a -strings command-line flag that extracts embedded Go strings from compiled binaries. The implementation uses the FLOSS-inspired algorithm to detect and extract strings from the Go compiler's string internment table.

Changes

Commit 1: Infrastructure (07ee507)

  • Add Strings []string field to ExtractMetadata struct
  • Add -strings command-line flag with help text
  • Update function signatures to pass flag through call chain
  • Add string output section to printForHuman() for human-readable display
  • Wire up flag parsing and placeholder logic

Commit 2: Implementation (e2bdeb7)

  • Create objfile/strings.go (318 lines) with complete extraction algorithm
  • Implement string candidate detection (scan for pointer+length pairs)
  • Implement monotonic run detection to find string internment table
  • Add UTF-8 validation and printability filtering (min 4 chars, 80% printable)
  • Add helper methods to objfile/elf.go: getSections(), is64Bit(), isLittleEndian()
  • Replace placeholder with actual extraction call in main.go

Commit 3: Documentation (5a2eaf1)

  • Update README.md with -strings flag documentation
  • Add Strings field to example JSON output

Algorithm

Based on FLOSS floss/language/go/extract.py with adaptations:

  1. Scan binary sections for Go string structures (pointer + length pairs)
  2. Sort candidates by length to identify the pattern
  3. Find longest monotonically increasing run - Go's compiler stores strings sorted by length
  4. Extract and validate strings - UTF-8 validation, printability checks, minimum length filter
  5. Output in JSON or human-readable format

Testing

Tested with testproject/testproject (ELF binary):

  • ✅ Successfully extracts 512 strings
  • ✅ Includes runtime symbols: "bool", "func", "chan", "mheap", "gccheckmark"
  • ✅ Includes error messages: "broken pipe", "bad address", "file exists"
  • ✅ Proper filtering (no binary garbage, minimum length 4 characters)
  • ✅ Works with both JSON and -human output formats

Example usage:

# JSON output
./GoReSym -strings binary | jq '.Strings | length'

# Human-readable output
./GoReSym -strings -human binary

Current Limitations
ELF only: Currently only ELF binaries (Linux) are fully supported. Helper methods for PE (Windows) and Mach-O (macOS) can be added in follow-up if needed.
Standard strings only: Does not extract stack-constructed or encrypted strings (as discussed in issue, out of initial scope)
No deduplication: Same string may appear multiple times (user can pipe through sort -u if needed)

@kami922
Add -strings flag and ExtractMetadata field
07ee507 
- Add Strings []string to ExtractMetadata struct
- Add -strings command-line flag for string extraction
- Update main_impl and main_impl_tmpfile signatures to accept printStrings parameter
- Add placeholder string extraction logic with TODO marker
- Update printForHuman to display extracted strings section
- Verified flag appears in help and outputs correctly in both JSON and human format

Part of mandiant#45
@kami922
Implement Go string extraction algorithm
e2bdeb7 
- Create objfile/strings.go with core extraction logic
- Implement FLOSS-based string internment table detection
- Add string candidate scanning (pointer + length pairs)
- Implement findLongestMonotonicRun() for pattern detection
- Add UTF-8 validation and printability filtering
- Minimum string length: 4 characters, 80% printable
- Add helper methods to elfFile: getSections(), is64Bit(), isLittleEndian()
- Update main.go to call file.ExtractStrings() instead of placeholder
- Tested with testproject/testproject: extracts 512 strings successfully
- Extracts real Go strings: type names, runtime symbols, error messages

Based on FLOSS floss/language/go/extract.py algorithm
Part of mandiant#45
@kami922
Update README with -strings flag documentation
5a2eaf1 
- Add -strings flag to available flags list
- Add Strings field to example JSON output
- Document purpose: extract embedded Go strings from binary

Part of mandiant#45
@williballenthin
Copy link
Contributor

williballenthin commented Dec 29, 2025

i think it's important to add some tests cases, ideally corroborated with FLOSS's output, to show this works as expected

@stevemk14ebr
Copy link
Collaborator

stevemk14ebr commented Dec 29, 2025

Thanks for your contribution! I am on holiday this week and will review likely next week or the following. In the meantime tests would be welcome as Willi suggests.

@kami922
Add tests validated against FLOSS output
99633f0 
Per maintainer request, added comprehensive test suite:

- strings_floss_test.go: Validates GoReSym against FLOSS reference output
  * 99.2% match rate (648/653 strings match FLOSS)
  * Uses FLOSS output from testproject.exe as ground truth
  * Reference saved in testdata/floss_reference.txt

- strings_test.go: Additional unit tests for:
  * ELF and PE binary string extraction
  * Monotonic run detection algorithm
  * String filtering (printability, minimum length)

- pe.go: Added helper methods (getSections, is64Bit, isLittleEndian)
  to enable string extraction from PE binaries

All tests pass.
@kami922
Copy link
Contributor Author

kami922 commented Dec 31, 2025

@williballenthin @stevemk14ebr I have added test corroborated with Floss output as per review request.

@kami922
Copy link
Contributor Author

kami922 commented Jan 2, 2026

Hello i was working on issue #55 and accidentally pushed that commit to this branch i am working to solve this blunder sorry for inconvenience.

@kami922 kami922 force-pushed the feature/strings-command branch from bb7034e to 99633f0 Compare January 2, 2026 13:08
stevemk14ebr
stevemk14ebr reviewed Jan 5, 2026
View reviewed changes
objfile/elf.go Outdated
}

// getSections returns all sections for string extraction
func (f *elfFile) getSections() ([]Section, error) {
Copy link
Collaborator

@stevemk14ebr stevemk14ebr Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since we include the section data in the returned sections array this could be potentially a very very large array (gigabytes in degenerate cases). We should use a generator here instead to help with memory pressures.

objfile/pe.go Outdated
}

// getSections returns all sections for string extraction
func (f *peFile) getSections() ([]Section, error) {
Copy link
Collaborator

@stevemk14ebr stevemk14ebr Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same, generator

objfile/strings.go Outdated
func (e *Entry) getSections() ([]Section, error) {
// Use the rawFile interface to get sections
if sectioner, ok := e.raw.(interface {
getSections() ([]Section, error)
Copy link
Collaborator

@stevemk14ebr stevemk14ebr Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're missing a getSections implementation for macho I believe.

@kami922
Address PR mandiant#77 review comments
e6106fc 
- Convert getSections() to iterateSections() using callback pattern to avoid memory pressure
- Add Strings field to GoReSym.proto for external parsers
- Implement iterateSections() for Mach-O format (previously missing)

Changes requested by @stevemk14ebr in review:
1. Memory optimization: Replace array-based section loading with generator pattern
2. Proto definition: Add 'repeated string strings = 13' field
3. Mach-O support: Add missing iterateSections() implementation
@stevemk14ebr
Copy link
Collaborator

stevemk14ebr commented Jan 13, 2026
edited
Loading

I get a few test failures now that we have a new main argument. Can we extend the string testing to cover a few more binaries, these could be the test binaries we have already with checks that strings are correctly extracted from each and a reasonable number of strings, all printable.

# github.com/mandiant/GoReSym [github.com/mandiant/GoReSym.test]
./main_test.go:33:66: not enough arguments in call to main_impl
	have (string, bool, bool, bool, bool, number, string)
	want (string, bool, bool, bool, bool, int, string, bool)
./main_test.go:122:63: not enough arguments in call to main_impl
	have (string, bool, bool, bool, bool, number, string)
	want (string, bool, bool, bool, bool, int, string, bool)
./main_test.go:217:61: not enough arguments in call to main_impl
	have (string, bool, bool, bool, bool, number, string)
	want (string, bool, bool, bool, bool, int, string, bool)
./main_test.go:231:61: not enough arguments in call to main_impl
	have (string, bool, bool, bool, bool, number, string)
	want (string, bool, bool, bool, bool, int, string, bool)
FAIL	github.com/mandiant/GoReSym [build failed]

@kami922
Fix test failures and expand string extraction testing per PR mandian…
07a35c2 
…t#77 feedback

- Fixed 4 test compilation errors by adding missing printStrings parameter to main_impl() calls
- Added comprehensive TestStringExtraction function with 7 test cases covering Linux/macOS/Windows binaries
- Implemented isPrintable() helper for ASCII validation (range 32-126)
@stevemk14ebr
Copy link
Collaborator

stevemk14ebr commented Jan 20, 2026
edited
Loading

The current code ensures that >80% of characters are printable. We'd prefer to instead ensure all strings are fully printable. Can we align with the logic in FLOSS a little better for the string internment table locating, validation, and final string extraction?

At https://github.com/mandiant/flare-floss/blob/39c22434279f1c48045132077eba60453bf0dda8/floss/language/go/extract.py#L253 FLOSS finds the boundary of the string table and then it walks this table to get all the strings https://github.com/mandiant/flare-floss/blob/39c22434279f1c48045132077eba60453bf0dda8/floss/language/go/extract.py#L325. The closer we keep this logic to FLOSS the more confidence I will have in its correctness.

I'm still ok with not extracting stack strings, which will be an acceptable difference compared to FLOSS.

cc @mr-tz for visibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevemk14ebr stevemk14ebr stevemk14ebr left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kami922 @williballenthin @stevemk14ebr