https://mac.sploit.dk/tags/pclntab/ Recent content in Pclntab on Martin's Blog Hugo en-us Fri, 29 May 2026 00:00:00 +0000 https://mac.sploit.dk/blog/go-binaries-that-hide-from-gos-own-tools/ Fri, 29 May 2026 00:00:00 +0000 https://mac.sploit.dk/blog/go-binaries-that-hide-from-gos-own-tools/ <p>I have been building a small C tool that fingerprints Go binaries (version, build metadata, function names, the lot) and pointing it at a corpus of malware samples. A few of them confused an early, naïve version of it: the detector keyed on the <code>pclntab</code> magic number, and these samples did not have the magic it expected. The obvious next question is whether they are Go at all, and if so, how much they are trying to hide. The answer turned out to have two layers, and only one of them does what its author probably hoped.</p>