2026-04-14 –, Room 2
Every time you open a malware sample in your favourite analysis tool and are greeted with hundreds or thousands of functions with unknown names, you know it is time to find shortcuts and automate the renaming steps wherever possible. This workshop dives into the recovery of function symbols. The examples in this workshop are all Golang related, as the static compilation of Golang binaries makes them excellent examples.
During this four-hour workshop, you will dive into two different malware families that were used in the wild by threat actors, and find out how function symbol recovery works and how to apply the theory in practice. You will also learn how to create your own symbol databases, allowing you to use your privately analysed malware as the starting point for further research into the development of those malware families. Additionally, you will gain a better understanding of how source code and compiled code relate, especially with regard to Golang binaries.
Note that the techniques taught are applicable to any binary supported by Ghidra. You can reuse the techniques in other tools, albeit with (minor) changes depending on the specifics of each tool.
Max Kersten is a senior malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting out. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which he also worked as an Android malware analyst. He then worked at Trellix in the Advanced Research Center, where he dove into APT malware and campaigns. Currently, Max works as an analyst at Politie (Dutch law enforcement). Over the past few years, Max has spoken at international conferences such as DEFCON, Black Hat (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he has given guest lectures and workshops for DEFCON, Botconf, several universities, and private entities.