Documentation
Index
- type ExtractedString
- func Classify(strs []ExtractedString) []ExtractedString
- func CrossReference(strs []ExtractedString, funcs []functions.Function, textData []byte, ...) []ExtractedString
- func CrossReferenceSimple(strs []ExtractedString, funcs []functions.Function, textData []byte, ...) []ExtractedString
- func Extract(rodataData []byte, rodataVA uint64) []ExtractedString
- func SplitConcatenatedURLs(strs []ExtractedString) []ExtractedString
- type StringType
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ExtractedString
type ExtractedString struct {
	Value        string
	Type         StringType
	Offset       uint64   // VA of string start
	ReferencedBy []string // function names that reference this string
}
ExtractedString is a string found in the binary with metadata.
func Classify
func Classify(strs []ExtractedString) []ExtractedString
Classify assigns a StringType to each extracted string based on content patterns.
func CrossReference
func CrossReference(
	strs []ExtractedString,
	funcs []functions.Function,
	textData []byte,
	textVA uint64,
	rodataData []byte,
	rodataVA uint64,
	rodataEnd uint64,
) []ExtractedString
CrossReference annotates each string with the names of functions whose disassembly references the string's virtual address via LEA instructions (RIP-relative addressing in x86_64). It also emits new strings for LEA targets not found by the header-pair scan (e.g. strings only referenced from code and not stored with an adjacent header in .rodata).
func CrossReferenceSimple
func CrossReferenceSimple(
	strs []ExtractedString,
	funcs []functions.Function,
	textData []byte,
	textVA uint64,
) []ExtractedString
CrossReferenceSimple uses raw 64-bit address scanning as a fallback for non-PIE binaries where addresses appear literally in .text.
func Extract
func Extract(rodataData []byte, rodataVA uint64) []ExtractedString
Extract scans rodataData for Go string header pairs (ptr uint64, len uint64) at 8-byte aligned offsets. Only emits strings where ptr points back into .rodata, len is in range [minStringLen, 4096], and all bytes are printable ASCII.
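The header-pair scan described above, as an added sketch that is not this package's implementation. It assumes little-endian headers and a minimum length of 4 (the page does not give the value of minStringLen); scanHeaders, printable and sample are hypothetical names, and the section bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// minLen is an assumption: the page does not state the value of minStringLen.
const minLen, maxLen = 4, 4096

// scanHeaders reads each 8-byte-aligned 16-byte window of rodata as a (ptr, len)
// pair and keeps printable ASCII strings stored in the same section, keyed by VA.
func scanHeaders(rodata []byte, rodataVA uint64) map[uint64]string {
	out := map[uint64]string{}
	size := uint64(len(rodata))
	for off := 0; off+16 <= len(rodata); off += 8 {
		ptr := binary.LittleEndian.Uint64(rodata[off:])
		n := binary.LittleEndian.Uint64(rodata[off+8:])
		// A ptr below the base wraps to a huge start and fails the bounds test.
		start := ptr - rodataVA
		if n < minLen || n > maxLen || start >= size || n > size-start {
			continue
		}
		if s := rodata[start : start+n]; printable(s) {
			out[ptr] = string(s)
		}
	}
	return out
}

func printable(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// sample (constructed): 24 string bytes, a valid header, an oversized len, an outside ptr.
func sample(va uint64) []byte {
	buf := []byte("https://example.test/api")
	for _, v := range []uint64{va, 24, va, 5000, va + 0x10000, 8} {
		buf = binary.LittleEndian.AppendUint64(buf, v)
	}
	return buf
}

func main() { fmt.Println(scanHeaders(sample(0x4a0000), 0x4a0000)) }
```

Only the first header survives: the string bytes read as headers fail the length bound, and passing the wrong base address rejects everything, which is why the section VA must come from the binary's section table.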
func SplitConcatenatedURLs
func SplitConcatenatedURLs(strs []ExtractedString) []ExtractedString
SplitConcatenatedURLs breaks apart any URL-typed string that contains multiple embedded URL starts (e.g. "https://a.com/...https://b.com/..."). This handles the CMOVNE compiler pattern where adjacent .rodata strings have no separator and our length inference falls back to a 512-byte printable run.
Only strings that start with "https?://" and contain at least one additional "https?://" are split. Non-URL strings and strings with a single URL are returned unchanged. The original blob is replaced by its individual components.
type StringType
type StringType string
StringType classifies what kind of string was extracted.
const (
	StringTypeURL     StringType = "url"
	StringTypeIP      StringType = "ip"
	StringTypePath    StringType = "path"
	StringTypeSecret  StringType = "secret"
	StringTypePkgPath StringType = "pkgpath"
	StringTypePlain   StringType = "plain"
)