Session
Trust Nothing: How to Audit Third-Party Go Binaries Securely
In this hands-on session, attendees will learn a three-step process to inspect unknown Go binaries: runtime observation with eBPF, structural insights via static analysis, and visualization with Ghidra.
We start with eBPF to observe syscalls at runtime, catching unexpected HTTP, filesystem, or network activity without modifying the binary. We demonstrate writing lightweight eBPF probes that work reliably with Go's runtime model.
Next, we apply static analysis to extract call graphs and library usage from Go's symbol information and pclntab data. You will see how tools like go tool objdump can reveal high-level intent fast.
Instead of full disassembly, Ghidra offers high-level binary visualization. This helps explain where runtime structures live and why certain analysis techniques work. We will cover minimal configuration to recognize Go patterns like goroutine spawns without getting lost in assembly.
Attendees walk away with a field-tested methodology, real-world examples, and reusable tools to analyze any Go binary confidently—even if they didn’t compile it themselves.
Received a Go binary with no source?
Learn to audit Go binaries without source via eBPF tracing and static analysis. We will cover a practical workflow to spot unexpected HTTP, filesystem, or network activity and explain how Go's binary structure aids analysis. We will briefly use Ghidra to visualize internal structures without deep reverse engineering skills.
Leave equipped to perform supply chain audits or debug binaries confidently.