Exploration of GoLang in Windows Environment

The archive go1.11.1.windows-386.zip is extracted to d:\projects\go, and the environment variable GOPATH is set to d:\projects\go. One caveat: GOPATH is meant to point at the workspace where your own packages live, not at the toolchain itself; the extracted archive is the GOROOT, and the go tool prints a warning when GOPATH is set to the same directory as GOROOT because the setting then has no effect.

Next, the trivial HelloWorld.go program, which only prints a string, is compiled with the go tool.

The build did not leave a usable executable behind: Sophos Anti-Virus recognized the freshly linked binary as the virus/spyware Mal/Zbot-FG and blocked it.

I assume this is a false positive, so I disabled the anti-virus for the moment and the build then produced the executable. False positives on Go binaries are common enough that the official Go FAQ has an entry about virus scanners flagging the distribution and compiled programs; the statically linked runtime makes even a hello world look unlike a typical Windows executable.

The resulting executable is nearly 1 MB, which is rather bloated for a hello world. The size comes from the Go runtime (scheduler, garbage collector, and so on) being statically linked into every program, plus the symbol table and DWARF debugging information the linker emits by default. Building with -ldflags="-s -w" strips the symbol table and the DWARF data, but that also removes exactly the information a reverser wants to keep for the debugging session below.

Debugging with WinDBG, the debugger is completely blind to the debugging symbols that are present in the file. The reason is a format mismatch: WinDBG loads symbols from PDB files, while the Go toolchain never produces a PDB; it emits DWARF plus its own pclntab (PC to line and function table) into the binary itself. IDA, on the other hand, parses the DWARF and the symbol table the Go linker leaves in the executable and reveals tons of runtime symbol information.

There is a dedicated debugger for this kind of beast, Delve, but I doubt whether it can set memory read/write breakpoints (hardware watchpoints) in a Windows environment. GDB can also be used, but the official Go documentation warns that GDB does not understand Go programs well and that its output can be confusing.

So, for Windows, a combination of WinDBG for the live debugging session and IDA for recovering the symbol information is the handy setup.

To locate the main function, which in Go is main.main (IDA displays it as main_main because a period is not a valid identifier character there), I use IDA to read its address: 0x443550.

Since the image base is 0x400000, the relative virtual address is 0x443550 - 0x400000 = 0x43550, which WinDBG addresses as image00400000+0x43550 (image00400000 is WinDBG's name for a module it has no symbols for, so a breakpoint is bp image00400000+0x43550). Go 1.11 Windows executables are not built as ASLR-relocatable images, so the module really is loaded at its preferred base of 0x400000 and the arithmetic holds; in general, always take the base from the debugger's module list rather than from the file header.
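The symbol lookup described above can be automated. The following Go program is an added example, not code from the original post or from the Go project: it reads the pclntab out of a Go binary with the standard library's debug/gosym, then prints the IDA-style name and the image-relative WinDBG expression for the functions of interest. It assumes the binary is not stripped (with -ldflags=-s the COFF symbol table that the PE path uses to find runtime.pclntab is gone); the PE path mirrors what debuggers do on Windows, and an ELF path is included so the tool can be exercised on a Linux host against its own executable.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"debug/pe"
	"errors"
	"fmt"
	"os"
	"strings"
)

// goSymbols holds the parsed Go function table plus the module base that a
// debugger will see, so link-time addresses can be expressed as base+RVA.
type goSymbols struct {
	tab  *gosym.Table
	base uint64
}

// loadGoSymbols opens a Go binary (PE or ELF) and builds a gosym.Table from
// its pclntab. Stripped binaries are rejected with an error.
func loadGoSymbols(path string) (*goSymbols, error) {
	if f, err := pe.Open(path); err == nil {
		defer f.Close()
		return fromPE(f)
	}
	f, err := elf.Open(path)
	if err != nil {
		return nil, fmt.Errorf("%s: not a PE or ELF file", path)
	}
	defer f.Close()
	return fromELF(f)
}

// fromPE locates the pclntab through the COFF symbols runtime.pclntab and
// runtime.epclntab (their Value is an offset inside their section); Go's PE
// linker does not emit a dedicated .gopclntab section.
func fromPE(f *pe.File) (*goSymbols, error) {
	var base uint64
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		base = uint64(oh.ImageBase)
	case *pe.OptionalHeader64:
		base = oh.ImageBase
	default:
		return nil, errors.New("PE file without optional header")
	}
	var start, end *pe.Symbol
	for _, s := range f.Symbols {
		switch s.Name {
		case "runtime.pclntab":
			start = s
		case "runtime.epclntab":
			end = s
		}
	}
	if start == nil || end == nil || start.SectionNumber != end.SectionNumber ||
		start.SectionNumber <= 0 || int(start.SectionNumber) > len(f.Sections) {
		return nil, errors.New("runtime.pclntab symbols not found (stripped binary?)")
	}
	data, err := f.Sections[start.SectionNumber-1].Data()
	if err != nil {
		return nil, err
	}
	if start.Value > end.Value || uint64(end.Value) > uint64(len(data)) {
		return nil, errors.New("pclntab bounds lie outside its section")
	}
	text := f.Section(".text")
	if text == nil {
		return nil, errors.New("no .text section")
	}
	lt := gosym.NewLineTable(data[start.Value:end.Value], base+uint64(text.VirtualAddress))
	tab, err := gosym.NewTable(nil, lt) // no .gosymtab since Go 1.3; functions come from pclntab
	if err != nil {
		return nil, err
	}
	return &goSymbols{tab: tab, base: base}, nil
}

// fromELF uses the .gopclntab section; the lowest PT_LOAD address plays the
// role of the PE image base.
func fromELF(f *elf.File) (*goSymbols, error) {
	pcln, text := f.Section(".gopclntab"), f.Section(".text")
	if pcln == nil || text == nil {
		return nil, errors.New(".gopclntab or .text missing (stripped binary?)")
	}
	data, err := pcln.Data()
	if err != nil {
		return nil, err
	}
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		return nil, err
	}
	base := ^uint64(0)
	for _, p := range f.Progs {
		if p.Type == elf.PT_LOAD && p.Vaddr < base {
			base = p.Vaddr
		}
	}
	if base == ^uint64(0) {
		base = 0
	}
	return &goSymbols{tab: tab, base: base}, nil
}

// idaName reproduces the underscore form IDA shows for Go symbols
// (main.main -> main_main) and also accepts the source-style middle dot.
func idaName(goName string) string {
	return strings.NewReplacer(".", "_", "·", "_").Replace(goName)
}

// windbgExpr turns a link-time address into WinDBG's module-relative form
// for a module without symbols, e.g. image00400000+0x43550.
func (g *goSymbols) windbgExpr(entry uint64) string {
	return fmt.Sprintf("image%08x+0x%x", g.base, entry-g.base)
}

// lookup returns the entry address and both debugger names for a Go symbol;
// ok is false when the function is not present in the binary.
func (g *goSymbols) lookup(goName string) (entry uint64, ida, windbg string, ok bool) {
	fn := g.tab.LookupFunc(goName)
	if fn == nil {
		return 0, "", "", false
	}
	return fn.Entry, idaName(fn.Name), g.windbgExpr(fn.Entry), true
}

func main() {
	path, _ := os.Executable() // default: inspect ourselves
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	g, err := loadGoSymbols(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, name := range []string{"main.main", "runtime.main", "runtime.asmstdcall"} {
		entry, ida, wdbg, ok := g.lookup(name)
		if !ok {
			fmt.Printf("%-22s not present in this binary\n", name)
			continue
		}
		fmt.Printf("%-22s IDA %-22s entry 0x%x  WinDBG %s\n", name, ida, entry, wdbg)
	}
}
```

Run it as go run gosyms.go helloworld.exe (file names are placeholders) to get the bp expressions for a Windows target; runtime.asmstdcall only exists in Windows builds, so on other hosts it is reported as absent. The PE image base is read from the optional header, so the printed expression assumes the module was loaded at its preferred base.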

On Windows, the print call in the helloworld.go sample ends up in kernel32's WriteFile, which for a console handle in turn calls WriteConsoleA. A breakpoint on kernel32!WriteFile is therefore a convenient place to catch the program's output path without any Go symbols at all.

The runtime's native OS calls go through runtime·asmstdcall in the Go source file sys_windows_386.s. Note the separator: between "runtime" and "asmstdcall" there is not an underscore but the middle dot "·", Unicode U+00B7 (decimal 183, encoded in UTF-8 as the bytes C2 B7); it is not an ASCII character. This is why a text search of the source for runtime_asmstdcall on Windows finds nothing. The construct is not specific to this function: Go's assembler, inherited from the Plan 9 toolchain, uses the middle dot as the separator between package and symbol name and converts it to a period when the symbol is written out, so the linked binary contains runtime.asmstdcall, which IDA in turn displays as runtime_asmstdcall.

On the instruction side, Go assembly also looks unfamiliar at first (and one may wonder whether the confusion is deliberate; it is not, it is simply Plan 9 syntax): the operand order is source first, destination last, registers carry no size prefix, and the operand size is the mnemonic suffix instead (L for 32-bit, Q for 64-bit). So "MOVL CX, AX" in the Go source is "mov eax, ecx" in the Intel syntax that WinDBG and IDA display for the same bytes.

This concludes the preliminary exploration of GoLang in Windows OS.

Update: using the 64-bit compiler (go1.11.1.windows-amd64) avoids the Sophos Mal/Zbot-FG false positive.
