A command-line companion to GoReSym that helps analysts quickly understand what a Go binary is doing by analyzing its JSON output.
GoReSym extracts raw metadata from Go binaries. This tool takes that JSON and simulates how a malware analyst thinks: detecting suspicious strings, classifying function behaviour, inferring capabilities, and producing a human-readable verdict.
Given a GoReSym JSON output file, the toolkit produces a structured report covering:
- Binary metadata — Go version, architecture, OS, build ID
- Risk score — weighted 0–100 score with a LOW / MEDIUM / HIGH / CRITICAL label
- Inferred capabilities — what the binary is likely doing (network comms, encryption, command execution, etc.)
- Function behaviour classification — categorizes functions from UserFunctions and StdFunctions into behavioural groups
- Suspicious strings / IOCs — detects hardcoded URLs, public IPs, private IPs, and shell command references
- Analyst summary — a single plain-English paragraph verdict
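The three stages listed above (function classification, IOC extraction, weighted scoring) in a condensed form, added here as an illustration rather than the toolkit's own code. The prefix table, the weights, and the "Strings" key are assumptions; "FullName" is the field GoReSym uses for function entries, and the sample input is constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Prefix -> behavioural group, and per-group weights. Both tables are assumptions made for
# this example, not the toolkit's own; dict order matters ("os/exec" must precede "os.").
GROUPS = {"net/http": "NETWORK", "net.": "NETWORK", "crypto/": "CRYPTO",
          "os/exec": "EXECUTION", "os.": "FILESYSTEM"}
WEIGHTS = {"NETWORK": 20, "CRYPTO": 15, "EXECUTION": 30, "FILESYSTEM": 10}
URL_RE = re.compile(r"https?://[^\s\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed GoReSym-style input. "FullName" is GoReSym's function field; "Strings" is an
# assumed extra key so the IOC stage has input. 999.1.1.1 is a deliberate false positive.
SAMPLE = {
    "UserFunctions": [{"FullName": "main.beacon"}],
    "StdFunctions": [{"FullName": "net/http.Get"}, {"FullName": "crypto/aes.NewCipher"},
                     {"FullName": "os/exec.Command"}],
    "Strings": ["http://185.220.101.45/gate.php", "10.0.0.5", "999.1.1.1"],
}

def classify_functions(report):
    """Group UserFunctions + StdFunctions by the first matching package prefix."""
    groups = defaultdict(list)
    for fn in (report.get("UserFunctions") or []) + (report.get("StdFunctions") or []):
        for prefix, group in GROUPS.items():
            if fn["FullName"].startswith(prefix):
                groups[group].append(fn["FullName"])
                break
    return dict(groups)

def extract_iocs(strings):
    """URLs and dotted quads; ipaddress drops junk like 999.1.1.1 and splits public/private."""
    iocs = {"urls": [], "public_ips": [], "private_ips": []}
    for s in strings:
        iocs["urls"].extend(URL_RE.findall(s))
        for cand in IP_RE.findall(s):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue
            iocs["private_ips" if ip.is_private else "public_ips"].append(str(ip))
    return iocs

def triage(report):
    """Weighted 0-100 score: one weight per capability present plus per-IOC increments, then a label."""
    groups = classify_functions(report)
    iocs = extract_iocs(report.get("Strings") or [])
    score = min(100, sum(WEIGHTS[g] for g in groups) + 10 * len(iocs["urls"]) + 5 * len(iocs["public_ips"]))
    label = "CRITICAL" if score >= 80 else "HIGH" if score >= 60 else "MEDIUM" if score >= 30 else "LOW"
    return {"capabilities": sorted(groups), "iocs": iocs, "score": score, "label": label}
```

An unclassified function such as main.beacon contributes nothing, and a missing or null UserFunctions/StdFunctions array yields an empty, LOW-scored result rather than a crash.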
Python 3.10 or newer. No external dependencies — uses only the standard library.
Step 1 — Run GoReSym against a Go binary to get the JSON output:
GoReSym -t -d -p /path/to/binary > output.json
Step 2 — Run this tool against that JSON:
python triage.py output.json
Optional — emit machine-readable JSON instead of the terminal report (useful for piping into other tools):
python triage.py output.json --json
Help:
python triage.py --help
╔══════════════════════════════════════════════════════════╗
║ GO BINARY TRIAGE TOOLKIT (GoReSym companion) ║
╚══════════════════════════════════════════════════════════╝
BINARY METADATA
────────────────────────────────────────────────────────
Go Version : 1.21.3
Architecture: amd64
OS : linux
RISK SCORE
────────────────────────────────────────────────────────
██████████████████████████████ 100/100 [CRITICAL]
INFERRED CAPABILITIES
────────────────────────────────────────────────────────
▸ Network communication (HTTP/TCP/TLS)
▸ Encryption / cryptographic operations
▸ Command or process execution
▸ File system access (read/write)
▸ Persistence mechanism (registry / scheduled tasks)
FUNCTION BEHAVIOUR CLASSIFICATION
────────────────────────────────────────────────────────
NETWORK 3 functions matched
└─ net/http.Get
└─ net/http.Post
└─ net.Dial
CRYPTO 2 functions matched
└─ crypto/aes.NewCipher
└─ crypto/cipher.NewCFBEncrypter
EXECUTION 2 functions matched
└─ os/exec.Command
└─ os/exec.(*Cmd).Run
SUSPICIOUS STRINGS / IOCs
────────────────────────────────────────────────────────
URLs (2 found):
└─ http://185.220.101.45/gate.php
└─ https://pastebin.com/raw/xK9mZ3qA
Shell Commands (2 found):
└─ cmd.exe /c whoami
└─ powershell -NoP -NonI -W Hidden -Exec Bypass
ANALYST SUMMARY
────────────────────────────────────────────────────────
Go 1.21.3 binary (amd64). Detected capabilities: Network
communication (HTTP/TCP/TLS); Encryption / cryptographic
operations; Command or process execution; and 2 more.
IOC indicators: 2 suspicious URL(s), 3 hardcoded IP(s),
2 shell command reference(s). Overall risk assessment: CRITICAL.
A sample GoReSym JSON file is included so you can try the tool without needing a real binary:
python triage.py sample_output.json
go-binary-triage/
├── triage.py # main tool
├── sample_output.json # sample GoReSym output for testing
├── requirements.txt # no external dependencies
└── README.md # this file
This tool is designed as a companion to GoReSym by Mandiant. GoReSym handles the hard part — extracting symbols, types, and metadata from stripped Go binaries. This toolkit handles the analyst layer on top — turning that raw JSON into actionable triage output.
It mirrors the same philosophy as the existing IDAPython/goresym_rename.py and GhidraPython/goresym_rename.py scripts in the GoReSym repo: take GoReSym output and make it immediately useful inside a specific workflow.
MIT