{"id":"https://openalex.org/W7161240339","doi":"https://doi.org/10.48550/arxiv.2605.14020","title":"Memory Forensics Techniques for Automated Detection and Analysis of Go Malware","display_name":"Memory Forensics Techniques for Automated Detection and Analysis of Go Malware","publication_year":2026,"publication_date":"2026-05-13","ids":{"openalex":"https://openalex.org/W7161240339","doi":"https://doi.org/10.48550/arxiv.2605.14020"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.14020","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.14020","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.14020","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5136236259","display_name":"Hala Ali","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ali, Hala","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037056160","display_name":"Andrew Case","orcid":"https://orcid.org/0000-0002-1557-044X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Case, Andrew","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5063509441","display_name":"Irfan Ahmed","orcid":"https://orcid.org/0000-0001-5648-388X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ahmed, Irfan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.5899999737739563,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.5899999737739563,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.26420000195503235,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.05689999833703041,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.6225000023841858},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.6173999905586243},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.6061999797821045},{"id":"https://openalex.org/keywords/malware-analysis","display_name":"Malware analysis","score":0.5324000120162964},{"id":"https://openalex.org/keywords/memory-safety","display_name":"Memory safety","score":0.4763999879360199},{"id":"https://openalex.org/keywords/state","display_name":"State (computer science)","score":0.46880000829696655},{"id":"https://openalex.org/keywords/parsing","display_name":"Parsing","score":0.45190000534057617},{"id":"https://openalex.org/keywords/symbolic-execution","display_name":"Symbolic execution","score":0.4465999901294708},{"id":"https://openalex.org/keywords/reverse-engineering","display_name":"Reverse engineering","score":0.3671000003814697},{"id":"https://openalex.org/keywords/system-call","display_name":"System call","score":0.3377000093460083}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8553000092506409},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.6225000023841858},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.6173999905586243},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.6100999712944031},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.6061999797821045},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.5324000120162964},{"id":"https://openalex.org/C28180684","wikidata":"https://www.wikidata.org/wiki/Q4080983","display_name":"Memory safety","level":3,"score":0.4763999879360199},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.46880000829696655},{"id":"https://openalex.org/C186644900","wikidata":"https://www.wikidata.org/wiki/Q194152","display_name":"Parsing","level":2,"score":0.45190000534057617},{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.4465999901294708},{"id":"https://openalex.org/C207850805","wikidata":"https://www.wikidata.org/wiki/Q269608","display_name":"Reverse engineering","level":2,"score":0.3671000003814697},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.3377000093460083},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.3278000056743622},{"id":"https://openalex.org/C93518851","wikidata":"https://www.wikidata.org/wiki/Q180160","display_name":"Metadata","level":2,"score":0.3264000117778778},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.3237000107765198},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.3160000145435333},{"id":"https://openalex.org/C102379954","wikidata":"https://www.wikidata.org/wiki/Q2589940","display_name":"Call graph","level":2,"score":0.3158999979496002},{"id":"https://openalex.org/C2780870223","wikidata":"https://www.wikidata.org/wiki/Q1004415","display_name":"Runtime system","level":2,"score":0.31349998712539673},{"id":"https://openalex.org/C14036430","wikidata":"https://www.wikidata.org/wiki/Q3736076","display_name":"Function (biology)","level":2,"score":0.3109000027179718},{"id":"https://openalex.org/C65620979","wikidata":"https://www.wikidata.org/wiki/Q7661176","display_name":"Symbolic data analysis","level":2,"score":0.30979999899864197},{"id":"https://openalex.org/C98184364","wikidata":"https://www.wikidata.org/wiki/Q1780131","display_name":"Argument (complex analysis)","level":2,"score":0.30959999561309814},{"id":"https://openalex.org/C202973057","wikidata":"https://www.wikidata.org/wiki/Q7380130","display_name":"Runtime verification","level":3,"score":0.30799999833106995},{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.3003000020980835},{"id":"https://openalex.org/C167822520","wikidata":"https://www.wikidata.org/wiki/Q176452","display_name":"Finite-state machine","level":2,"score":0.2964000105857849},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.2937000095844269},{"id":"https://openalex.org/C98183937","wikidata":"https://www.wikidata.org/wiki/Q2112188","display_name":"Program analysis","level":2,"score":0.28790000081062317},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.28380000591278076},{"id":"https://openalex.org/C156731835","wikidata":"https://www.wikidata.org/wiki/Q751740","display_name":"Memory leak","level":4,"score":0.2741999924182892},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.2671999931335449},{"id":"https://openalex.org/C34165917","wikidata":"https://www.wikidata.org/wiki/Q188267","display_name":"Programming paradigm","level":2,"score":0.2653999924659729},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.26339998841285706},{"id":"https://openalex.org/C42383842","wikidata":"https://www.wikidata.org/wiki/Q193076","display_name":"Functional programming","level":2,"score":0.25839999318122864},{"id":"https://openalex.org/C147346212","wikidata":"https://www.wikidata.org/wiki/Q5492632","display_name":"Trusted computing base","level":4,"score":0.2556999921798706}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.14020","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.14020","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.14020","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.14020","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.5845295190811157,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0,222],"Go":[1,127],"programming":[2],"language":[3],"has":[4],"become":[5],"increasingly":[6],"popular":[7],"among":[8],"malware":[9,200],"developers":[10],"due":[11],"to":[12,15,96,177],"its":[13],"ability":[14],"produce":[16],"statically":[17],"linked,":[18],"cross-platform":[19],"executables":[20],"that":[21,41,71,107,241],"challenge":[22],"traditional":[23],"analysis":[24,55,85,125,171],"techniques.":[25],"These":[26],"binaries":[27],"embed":[28],"a":[29,67],"substantial":[30],"runtime":[31,102,124,166,185,239],"and":[32,35,48,75,86,99,105,138,143,146,158,182,196,212,234],"compiler-generated":[33],"metadata":[34],"are":[36],"compiled":[37],"with":[38],"aggressive":[39],"optimizations":[40],"discard":[42],"type":[43,137],"information":[44],"for":[45,123,220],"function":[46,139],"parameters":[47],"local":[49],"variables.":[50],"Go's":[51,131],"design":[52],"further":[53],"complicates":[54],"by":[56],"representing":[57],"strings":[58],"as":[59,192,206,215,217],"pointer-length":[60],"pairs":[61],"rather":[62],"than":[63],"null-terminated":[64],"sequences,":[65],"employing":[66],"caller-allocated":[68],"stack":[69],"model":[70],"obscures":[72],"argument":[73,159,186],"boundaries,":[74],"fragmenting":[76],"program":[77],"state":[78,104,167],"across":[79],"concurrent":[80],"goroutines.":[81],"Although":[82],"existing":[83],"static":[84,144,170],"reverse":[87],"engineering":[88],"tools":[89],"provide":[90],"Go-specific":[91],"support,":[92],"they":[93],"remain":[94],"limited":[95],"compile-time":[97],"artifacts":[98,106,240],"cannot":[100],"recover":[101,183],"execution":[103,156,235],"persist":[108],"solely":[109],"in":[110,202],"memory.":[111],"To":[112,164],"address":[113],"this":[114],"gap,":[115],"we":[116],"present":[117],"the":[118,207],"first":[119],"memory":[120],"forensics":[121],"framework":[122,135,223],"of":[126],"binaries.":[128],"By":[129],"parsing":[130],"internal":[132],"structures,":[133],"our":[134],"reconstructs":[136],"metadata,":[140],"recovers":[141],"heap-allocated":[142],"strings,":[145],"distinguishes":[147],"application-level":[148],"functions.":[149],"Through":[150],"ABI-aware":[151],"backward":[152],"analysis,":[153],"it":[154,173],"derives":[155],"paths":[157],"values":[160],"from":[161,244],"call":[162],"sites.":[163],"capture":[165],"beyond":[168],"what":[169],"reveals,":[172],"analyzes":[174],"goroutine":[175],"stacks":[176],"identify":[178],"actively":[179],"executing":[180],"functions":[181],"their":[184],"values.":[187],"We":[188],"implemented":[189],"all":[190],"capabilities":[191],"Volatility":[193],"3":[194],"plugins":[195],"evaluated":[197],"them":[198],"against":[199],"seen":[201],"recent":[203],"incidents,":[204],"such":[205],"BRICKSTORM":[208],"backdoor,":[209],"Obscura":[210],"ransomware,":[211],"Pantegana":[213],"RAT,":[214],"well":[216],"open-source":[218],"samples":[219],"reproducibility.":[221],"successfully":[224],"recovered":[225],"C2":[226],"endpoints,":[227],"persistence":[228],"mechanisms,":[229],"encryption":[230],"keys,":[231],"ransom":[232],"notes,":[233],"state,":[236],"including":[237],"critical":[238],"were":[242],"absent":[243],"published":[245],"threat":[246],"intelligence.":[247]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-16T00:00:00"}
