Cindy Xiao, Decoder Loop
- Dates: May 11, 12 and 13, 2026
- Difficulty: Medium
- Format: Hybrid
- Language: English
Description
Since the rise of several Rust-based ransomware families in 2022, Rust has become an increasingly popular language for malware development. New Rust malware families are no longer rare sightings for reverse engineers; they are now a regular occurrence. Similarly, Rust is becoming an established systems programming language for legitimate software, with major operating systems, foundational software libraries, and embedded devices all adopting Rust for the long term. Even though binaries are rapidly shifting towards being written in Rust, most binary reverse engineers still know little about how to reverse Rust. Deconstructing Rust Binaries bridges that educational gap.
Deconstructing Rust Binaries takes a "language-centric" approach: in order to reverse Rust binaries, we must understand the Rust programming language. We will learn how to read basic Rust code, learn about Rust language concepts and data structures, and then apply that knowledge to demystify what we see in Rust binaries.
Binary Ninja will be used in the course as the primary disassembler and decompiler tool. Students will receive a Binary Ninja student license as part of the course ($74 USD value).
Outline
Day 1: Triage
You just got a new binary to reverse. All you know is that it's written in Rust, and your colleagues are afraid to handle it. What do you do to get as much information from it as quickly as possible?
- The Rust build toolchain and software ecosystem.
- Strings inside Rust binaries, and their meanings.
- Finding the entry point in a Rust binary.
- Pitfalls to avoid when triaging Rust binaries.
- Rust language-specific metadata and artifacts.
Day 2: Data
Programs manipulate data. They do things like reading files, parsing inputs, and loading payloads. If there's a payload inside some Rust malware, how do we extract it? How do we trace the flow of data inside a Rust binary?
- Rust's primitive data types.
- Rust's standard library data types.
- Variable allocation and deallocation.
- Passing data as arguments between functions.
- Common data manipulation patterns inside Rust binaries.
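The Day 2 topics above revolve around how Rust's standard library types look once compiled. The following is an added illustration, not course material from Decoder Loop: it prints the machine-word layout of the types a reverser meets most often (fat pointers for `&str` and slices, the three-word `String`/`Vec`, the null niche in `Option<Box<T>>`, the two-word trait object behind dynamic dispatch) and shows the by-hand reconstruction of a `&str` from the (pointer, length) pair that a decompiler shows being passed to a function. Type sizes are reported as multiples of the pointer size so the numbers hold on both 32- and 64-bit targets.

```rust
use std::mem::size_of;

/// Sizes of common Rust types on the current target, in pointer-sized words.
/// On x86_64 these are the 8/16/24-byte structs a decompiler shows being
/// passed in register pairs or by pointer to a stack slot.
pub fn layout_in_words() -> Vec<(&'static str, usize)> {
    let w = size_of::<usize>();
    vec![
        // Borrowed string/slice: a fat pointer (data pointer, length).
        // There is no NUL terminator; the length is what delimits it.
        ("&str", size_of::<&str>() / w),
        ("&[u8]", size_of::<&[u8]>() / w),
        // Owned, growable buffers: (pointer, capacity, length) in an order
        // the compiler chooses; cap and len must be told apart by usage.
        ("String", size_of::<String>() / w),
        ("Vec<u8>", size_of::<Vec<u8>>() / w),
        // A Box is a thin pointer ...
        ("Box<u64>", size_of::<Box<u64>>() / w),
        // ... and Option<Box<T>> uses the null niche: None is a NULL
        // pointer, so no separate discriminant is stored.
        ("Option<Box<u64>>", size_of::<Option<Box<u64>>>() / w),
        // Option<u64> has no niche and needs a discriminant word.
        ("Option<u64>", size_of::<Option<u64>>() / w),
        // Trait object: (data pointer, vtable pointer). Dynamic dispatch
        // shows up in a binary as a call through the second word.
        ("Box<dyn Fn()>", size_of::<Box<dyn Fn()>>() / w),
    ]
}

/// Split a &str into the two machine words seen at a call site:
/// the data pointer and the byte length.
pub fn str_to_words(s: &str) -> (usize, usize) {
    (s.as_ptr() as usize, s.len())
}

/// The inverse, as done by hand when reading a decompiled function: given
/// the (ptr, len) pair recovered from registers or the stack, rebuild the
/// string. Returns None if the bytes are not valid UTF-8.
///
/// # Safety
/// `ptr` must point to `len` readable bytes that outlive the returned &str.
pub unsafe fn words_to_str<'a>(ptr: usize, len: usize) -> Option<&'a str> {
    let bytes = unsafe { std::slice::from_raw_parts(ptr as *const u8, len) };
    std::str::from_utf8(bytes).ok()
}

/// A String's three words: (buffer pointer, capacity, length). In a binary
/// the same three words sit in the 24-byte struct; `cap >= len` is the
/// sanity check that tells you which word is which.
pub fn string_words(s: &String) -> (usize, usize, usize) {
    (s.as_ptr() as usize, s.capacity(), s.len())
}

fn main() {
    for (name, words) in layout_in_words() {
        println!("{:<18} {} word(s)", name, words);
    }
    // Constructed sample values; nothing here comes from a real sample.
    let lit = "payload.bin";
    let (ptr, len) = str_to_words(lit);
    println!("&str {:?} -> ptr={:#x} len={}", lit, ptr, len);
    // SAFETY: the words came from a live &'static str.
    let back = unsafe { words_to_str(ptr, len) };
    println!("rebuilt: {:?}", back);
    let mut owned = String::with_capacity(32);
    owned.push_str("C:\\Users\\");
    let (p, cap, l) = string_words(&owned);
    println!("String ptr={:#x} cap={} len={}", p, cap, l);
}
```

Run it with `cargo run` or `rustc` on any 64-bit host; the word counts it prints are what to expect when sizing structures in the decompiler, and the `(ptr, len)` round trip is exactly the manual step used to recover a string argument from a call site.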
Day 3: Practice
Reversing real Rust binaries means dealing with all sorts of annoying, practical problems. Common ones include distinguishing business logic from library code, dealing with dynamic dispatch, and dealing with string obfuscation. How do we tackle these problems as efficiently as possible?
- Common techniques and libraries used in the Rust malware ecosystem.
- Generating and using library signature databases.
- Dynamic dispatch in Rust binaries.
- Practice with a real malware sample.
Key learning objectives
At the end of this course, you should be able to do the following:
- Have a basic understanding of the Rust language toolchain, software development ecosystem, and malware ecosystem.
- Know how to quickly triage interesting code, data, and metadata inside Rust binaries.
- Recognize common Rust language constructs and data types in their compiled form inside binaries.
- Trace the data flow of variables in compiled Rust binaries.
- Identify basic functionality inside most Rust malware families.
Who is this training for?
Reverse engineers or malware analysts with experience in reversing C or C++ binaries, but who have trouble with reversing Rust binaries.
Prerequisite knowledge
- Familiarity with reading x86_64 assembly.
- Familiarity with reading C pseudocode.
- Basic experience with disassembly and decompilation tools such as IDA Pro, Ghidra, Binary Ninja, or Radare2.
- Basic knowledge of how to handle malware samples is recommended.
- No previous experience with Binary Ninja specifically is required.
- No previous experience with reading or writing the Rust programming language is required.
Hardware requirements
- The training will be conducted using the reverse engineering software Binary Ninja. Student machines must meet the system requirements for Binary Ninja.
- The training will involve handling Windows malware samples. The samples will mostly be analyzed statically. However, to limit the potential damage of accidental execution, using a virtual machine or a non-Windows machine is recommended.
- macOS machines with Apple Silicon (i.e. those with ARM64/AArch64 processors) can be used in this course. All tools used in this course support running on Apple Silicon.
Bio
Cindy Xiao, Decoder Loop
Cindy Xiao is an experienced malware analyst, security researcher, and software developer. She has given talks and workshops on malware and Rust reverse engineering at leading cybersecurity conferences, including REcon, RE//verse, and NorthSec.
Cindy is the founder of Decoder Loop, a specialty firm created to raise the bar for binary reverse engineering training. The tools, techniques, and resources that reverse engineers have were built for the era of C. Meanwhile, malware authors and software developers alike are rapidly switching to modern programming languages such as Rust. Decoder Loop offers expert training that levels the playing field for reverse engineers facing modern binaries.