I’d like to generate an alert for Go binaries for Windows platforms. Looks like there’s a .symtab section and I’d like to pattern match in that section. I’d like to do something like below.
event pe_section_header(f: fa_file, h: PE::SectionHeader)
	{
	if ( /symtab/ in h$name )
		{
		# h$data not available yet? PE::SectionHeader only carries header
		# fields (name, sizes, offsets, characteristics), not the raw bytes.
		# if ( /Go build ID/ in h$data )
		}
	}
Has anyone done anything like this yet?
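One way to flag the header-level signal described above, as an added example rather than code from the original post (the module name GoPE, the notice type Go_Symtab_Section and the anchored section-name pattern are my choices; PE::SectionHeader exposes only header fields, so the "Go build ID" string match is left out):

```zeek
@load base/files/pe
@load base/frameworks/notice

module GoPE;

export {
	redef enum Notice::Type += {
		## A PE file carried a section named .symtab, which the
		## original post observes in Go-built Windows binaries.
		Go_Symtab_Section,
	};

	## Section names are at most 8 bytes and may be NUL-padded,
	## so anchor the match at the start of the name.
	const go_symtab_name = /^\.symtab/ &redef;
}

event pe_section_header(f: fa_file, h: PE::SectionHeader)
	{
	if ( go_symtab_name !in h$name )
		return;

	# h$data does not exist: the record only describes the section
	# (name, virtual/raw sizes, file offset, characteristics), so we
	# report the header fields that are available and let the notice
	# framework attach the file id and connection for follow-up.
	NOTICE([$note=Go_Symtab_Section,
	        $msg=fmt("PE with .symtab section (likely Go build): raw offset %d, %d bytes",
	                 h$ptr_to_raw_data, h$size_of_raw_data),
	        $f=f,
	        $identifier=f$id]);
	}
```

Load this alongside the PE file analyzer (e.g. with file extraction or `zeek -r capture.pcap goPE.zeek`) and the notice appears once per file id in notice.log.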