Go pclntab Parser for Stripped Binaries #6985

Open
@martclau

What is the feature you'd like to have?
I would like Binary Ninja to automatically detect, parse, and utilize the pclntab (PC line table) structure in Go binaries, especially when the binary has been stripped of debug symbols. The feature should:

  • Automatically locate the pclntab structure within Go binaries (both stripped and unstripped)
  • Parse the pclntab to extract function names, source file paths, and line number mappings
  • Restore function symbols and naming in the disassembly view
  • Provide source code line number information where available
  • Handle different Go compiler versions and their varying pclntab formats
  • Integrate seamlessly with Binary Ninja's existing Go binary analysis capabilities

Is your feature request related to a problem?
Yes, this addresses a significant challenge when analyzing stripped Go binaries. Without pclntab parsing, analysts must:

  • Manually identify and name functions
  • Lose valuable context about the original source structure
  • Spend significantly more time understanding the binary's functionality
  • Miss connections between related functions that would be obvious with proper naming

Are any alternative solutions acceptable?
External tool integration: The GoReSym plugin can be used manually, but this fails to resolve all symbols and creates an additional manual step.

Additional Information:

  • The pclntab structure varies between Go versions, with significant changes around Go 1.2, 1.16, and 1.18+
  • Tools like IDA parse the pclntab out of the box
  • The pclntab typically begins with a magic number (0xFFFFFFFB or 0xFFFFFFFA) making it relatively straightforward to locate
  • Go binaries also contain a moduledata structure that can provide additional metadata
  • This feature would complement Binary Ninja's existing Go string recovery and type analysis
  • Reference implementations exist in open-source tools like redress and GoReSym

Sample Go binary characteristics that could benefit from this feature:

  • Stripped binaries compiled with go build -ldflags="-s -w"
  • Production Go applications where symbol information is crucial for security analysis
  • Malware written in Go where function identification significantly aids analysis
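
Added example, not part of the issue and not code from Binary Ninja, GoReSym or redress: a header locator that scans raw bytes for the pclntab magic and rejects false positives by validating the fields that follow it. It goes beyond the two magic values named above by also accepting 0xFFFFFFF0 and 0xFFFFFFF1 from Go's debug/gosym package; the function names, the nfunc bound and the sample bytes are assumptions made for illustration.

```python
import struct

# Magic values from Go's debug/gosym; the issue names the first two.
MAGICS = {
    0xFFFFFFFB: "Go 1.2-1.15",
    0xFFFFFFFA: "Go 1.16-1.17",
    0xFFFFFFF0: "Go 1.18-1.19",
    0xFFFFFFF1: "Go 1.20+",
}

def check_header(data, pos, order):
    """Validate the fields after the magic: 2 zero pad bytes, minLC, ptrSize, nfunc."""
    if pos + 8 > len(data):
        return None
    pad1, pad2, min_lc, ptr_size = data[pos + 4:pos + 8]
    if pad1 or pad2 or min_lc not in (1, 2, 4) or ptr_size not in (4, 8):
        return None  # magic bytes that merely occur in code or data
    end = pos + 8 + ptr_size
    if end > len(data):
        return None
    nfunc = int.from_bytes(data[pos + 8:end], order)
    # Heuristic bound (assumption): a real table has at least one function
    # and cannot describe more functions than there are bytes after it.
    if not 0 < nfunc <= len(data) - pos:
        return None
    return {"min_lc": min_lc, "ptr_size": ptr_size, "nfunc": nfunc}

def find_pclntab_headers(data):
    """Scan raw bytes for plausible pclntab headers in either byte order."""
    hits = []
    for magic, version in MAGICS.items():
        for order in ("little", "big"):
            needle = magic.to_bytes(4, order)
            pos = data.find(needle)
            while pos != -1:
                fields = check_header(data, pos, order)
                if fields:
                    hits.append({"offset": pos, "version": version,
                                 "byte_order": order, **fields})
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample: stray bytes matching the Go 1.2 magic (a false
# positive), then a constructed Go 1.20+ header at offset 16.
SAMPLE = (b"\x48\x83\xc0\xfb\xff\xff\xff" + b"\x90" * 5 + bytes(4)
          + struct.pack("<IBBBBQ", 0xFFFFFFF1, 0, 0, 1, 8, 5) + bytes(64))

if __name__ == "__main__":
    for hit in find_pclntab_headers(SAMPLE):
        print(hit)
```

A hit is only a candidate: a full parser would go on to read the version-specific offsets that follow nfunc before trusting any function names.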

Labels: Component: DebugInfo (Issue requires changes to the DebugInfo API); Effort: Medium (Issue should take < 1 month); File Format: ELF; Impact: Medium (Issue is impactful with a bad, or no, workaround); Language: Go (Issues involving decompilation of Golang binaries)
