Gftrace – A Command Line Windows API Tracing Tool For Golang Binaries

A command line Windows API tracing tool for Golang binaries.

Note: This tool is a PoC and a work-in-progress prototype, so please treat it as such. Feedback is always welcome!

How it works?

Although Golang programs contain a lot of nuances regarding the way they are built and their behavior at runtime, they still need to interact with the OS layer, and that means at some point they do need to call functions from the Windows API. The Go runtime package contains a function called asmstdcall, and this function is a kind of "gateway" used to interact with the Windows API. Since this function is expected to call the Windows API functions, we can assume it needs access to information such as the address of the function and its parameters, and this is where things start to get more interesting.

asmstdcall receives a single parameter, which is a pointer to something similar to the following structure:

    struct LIBCALL {
        DWORD_PTR Addr;
        DWORD Argc;
        DWORD_PTR Argv;
        DWORD_PTR ReturnValue;
        [...]
    }

Some of these fields are filled in after the API function is called, like the return value; others are received by asmstdcall, like the function address, the number of arguments and the list of arguments. Regardless of when they are set, it is clear that the asmstdcall function manipulates a lot of interesting information regarding the execution of programs compiled in Golang. gftrace leverages asmstdcall and the way it works to monitor specific fields of the…
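The decoding step that a tracer performs once it has stopped the target at the entry of asmstdcall, written here as an added example and not gftrace's own code: read the LIBCALL structure from a snapshot of the target's memory, follow Argv to the argument array, and render one trace line. The snapshot, the addresses and the symbol map are constructed for the example. It assumes every field is pointer-sized (8 bytes on 64-bit Windows), which matches the Go runtime's own libcall definition; a 4-byte DWORD Argc as sketched above would need 4 bytes plus padding instead. Argc is read from the traced process, so the decoder bounds it rather than trusting it.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// LibCall mirrors the structure handed to asmstdcall as described above,
// with every field treated as 8 bytes wide (this example's assumption).
type LibCall struct {
	Addr        uint64   // address of the Windows API function
	Argc        uint64   // number of arguments
	Argv        uint64   // address of the argument array in the target
	ReturnValue uint64   // filled in after the call returns
	Args        []uint64 // arguments read from Argv
}

// readQword reads a little-endian 8-byte value from a memory snapshot
// that starts at virtual address base.
func readQword(mem []byte, base, addr uint64) (uint64, error) {
	if addr < base {
		return 0, fmt.Errorf("address 0x%x below snapshot base", addr)
	}
	off := addr - base
	if off+8 > uint64(len(mem)) {
		return 0, fmt.Errorf("address 0x%x outside snapshot", addr)
	}
	return binary.LittleEndian.Uint64(mem[off : off+8]), nil
}

// DecodeLibCall parses the LIBCALL at structAddr and the argument array it
// points to. maxArgs caps how many arguments the untrusted Argc may request.
func DecodeLibCall(mem []byte, base, structAddr uint64, maxArgs int) (*LibCall, error) {
	var fields [4]uint64
	for i := range fields {
		v, err := readQword(mem, base, structAddr+uint64(i*8))
		if err != nil {
			return nil, err
		}
		fields[i] = v
	}
	lc := &LibCall{Addr: fields[0], Argc: fields[1], Argv: fields[2], ReturnValue: fields[3]}
	if lc.Argc > uint64(maxArgs) {
		return nil, fmt.Errorf("argc %d exceeds limit %d", lc.Argc, maxArgs)
	}
	for i := uint64(0); i < lc.Argc; i++ {
		v, err := readQword(mem, base, lc.Argv+i*8)
		if err != nil {
			return nil, err
		}
		lc.Args = append(lc.Args, v)
	}
	return lc, nil
}

// FormatCall renders one trace line, resolving Addr through a symbol map
// (address -> "module!export") that a real tracer would build from the
// target's loaded modules.
func FormatCall(lc *LibCall, symbols map[uint64]string) string {
	name, ok := symbols[lc.Addr]
	if !ok {
		name = fmt.Sprintf("sub_%x", lc.Addr)
	}
	args := make([]string, len(lc.Args))
	for i, a := range lc.Args {
		args[i] = fmt.Sprintf("0x%x", a)
	}
	return fmt.Sprintf("%s(%s) = 0x%x", name, strings.Join(args, ", "), lc.ReturnValue)
}

// Constructed snapshot: a LIBCALL at 0x1000 whose Argv points to three
// arguments at 0x1040. All addresses and values are made up for the example.
const snapshotBase = 0x1000

func sampleSnapshot() []byte {
	mem := make([]byte, 0x80)
	put := func(off int, v uint64) { binary.LittleEndian.PutUint64(mem[off:], v) }
	put(0x00, 0x7ff800001234) // Addr: stands in for kernel32!CreateFileW
	put(0x08, 3)              // Argc
	put(0x10, 0x1040)         // Argv
	put(0x18, 0x1c8)          // ReturnValue (a handle-like value)
	put(0x40, 0x4a3f20)       // arg0: lpFileName pointer
	put(0x48, 0x80000000)     // arg1: GENERIC_READ
	put(0x50, 0x1)            // arg2: FILE_SHARE_READ
	return mem
}

func main() {
	lc, err := DecodeLibCall(sampleSnapshot(), snapshotBase, 0x1000, 16)
	if err != nil {
		panic(err)
	}
	fmt.Println(FormatCall(lc, map[uint64]string{0x7ff800001234: "kernel32!CreateFileW"}))
}
```

Running it prints a single line of the form `kernel32!CreateFileW(0x4a3f20, 0x80000000, 0x1) = 0x1c8`. In a live tracer the snapshot would come from a debugger read of the target at the breakpoint, and ReturnValue would only be meaningful after stepping past the call.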

