Volexity Releases GoStringExtractor and Updates GoResolver to Combat Obfuscated Golang Malware
Volexity has released GoStringExtractor, a new plugin for IDA Pro and Ghidra, and updated GoResolver with runtime type information recovery to aid analysts in reverse-engineering obfuscated Golang malware.
Volexity has released two new tools to help security analysts reverse-engineer the growing wave of obfuscated Golang malware. The company announced GoStringExtractor, a plugin for IDA Pro and Ghidra that parses Go's unique string table, and an updated version of its GoResolver tool that now recovers runtime type information (RTTI) stripped by obfuscators like Garble. These releases address a significant challenge in malware analysis as Golang continues to gain popularity among both legitimate developers and malicious actors.
Golang's compiler organizes all strings in a contiguous, unterminated table, sorted first by length and then alphabetically. This structure, while efficient for the runtime, makes manual analysis difficult because the location and size of the string table are not recorded in runtime structures. GoStringExtractor automates the process by creating a JSON report of all referenced strings and their referencing functions, and can define the strings directly in the IDA Pro or Ghidra database. The plugin also allows analysts to filter strings by package name, helping them focus on attacker-written code rather than library code.
The updated GoResolver adds RTTI recovery, a feature that becomes critical when obfuscators like Garble strip build information. RTTI is used by Go's runtime for garbage collection and other features, and when preserved, it reveals a binary's organization and capabilities. Without RTTI, analysts see arbitrary addresses and unorganized data blocks; with GoResolver's new `-y` flag, the tool extracts all runtime types and adds them to the JSON report. The IDA Pro and Ghidra plugins have been updated to import this type information, producing clean, organized disassembly views.
Volexity noted that a significant portion of Golang samples it encounters are obfuscated with Garble or similar tools. The new tools are designed to reduce analyst workload by automating the recovery of string and type information that obfuscation attempts to hide. The company also parallelized helper tools GoStrap and GitToolFetcher to improve performance.
The release comes as Golang malware continues to proliferate. In April 2025, Volexity highlighted the trend, and the new tooling represents a direct response to the challenges posed by obfuscated binaries. The tools are available for download from Volexity's GitHub repository.
For analysts working with Golang samples, these updates provide a significant productivity boost. By automating the recovery of string tables and runtime type information, Volexity's tools enable faster identification of malware capabilities and behavior. The company encourages the security community to download and test the new features, which work across all operating systems and both 32- and 64-bit architectures.