# Rust Reversing Basics![images](https://hackmd.io/_uploads/SJa1vODFA.png =5%x) ## Main Function Identification - Characteristics - “main“ string ![1](https://hackmd.io/_uploads/ByDXuuvFC.png =65%x) *`Fig.1 Malware stripped version of std::rt::lang_start_internal`* This would be the entry point recognized by IDA Pro, but it is not the true main function in the rust binary. - std::rt::lang_start_internal runtime function ![2](https://hackmd.io/_uploads/ryjTudDYA.png =75%x) *`Fig.2 Fully symbol version of std::rt::lang_start_internal`* You may observe the difference between the fully symbol version and the stripped version. They’re the same function, but most of the time, the true main function would be compiled into std::rt::lang_start_internal function in the malware stripped version due to the optimization. - main function address would be passed as parameter ![3](https://hackmd.io/_uploads/ryBQKODYA.png) *`Fig.3 hello::main (true main function) is passed as parameter`* ![4](https://hackmd.io/_uploads/BJUVYdwFR.png =50%x) *`Fig.4 sub_40751D (true main function) is passed as parameter`* The true main function in the rust binary would be passed as parameter into the runtime function. Thus, we can easily recognize the true main function in the malware stripped version. ## Structs - If the program is writing data to stack only to apparently never use it again, you’re probably dealing with a struct - If the program is conversely reading data from the stack that apparently had not been written to before, you’re probably dealing with a struct ![5](https://hackmd.io/_uploads/H1VoKOPtC.png =45%x) *`Fig.5 Struct in assembly`* ![6](https://hackmd.io/_uploads/HyG0FOPtR.png =45%x) *`Fig.6 Struct in decompiled code`* Structs in the rust binary is a difficult problem being solved. We usually define **`*ptr = malloc(sizeof(someStruct))`** to manage the structs in C/C++. However, rust uses stack to store the structs instead of heap. This mechanism may lead to a problem when we’re trying to fix the struct’s size and define the start address of the struct. The auto script analysis of identifying structs in the rust binary is unstable due to the problem. For the efficient analysis, we can only identify the structs by human for now (I think so). ## Std & Core Crate Rust uses “Crate” to call the modules. Std & Core crate are automatically compiled into the rust binary. The strings will not miss during the “normal“ compile time. Thus, we can identify some default crates through the existing strings in the rust binary. - Std & Core crate are just like stdio.h or stdint.h in C/C++ - Function table would be compiled into .pdata segment, something like vtable in C++ - That means some inner functions can be recovered by comparing the code similarity ![7](https://hackmd.io/_uploads/rkjn9OPFC.png) *`Fig.7 Core strings in the malware stripped version`* ![8](https://hackmd.io/_uploads/BJ8RcOPY0.png) *`Fig.8 .pdata function table in the fully symbol version`* ![9](https://hackmd.io/_uploads/ry71juDtA.png) *`Fig.9 .pdata function table in the malware stripped version`* ## Identifiable Crate As we introduced crate above, rust will not wipe the strings during the normal compile time. Thus we can identify some custom crate through the strings. - Information from the strings - E.g. “TOKIO_WORKER_THREADS”, “Client::new()“ - Some code segment can be ignored once we identified it ![10](https://hackmd.io/_uploads/ByW4oOPYC.png) *`Fig.10 Code segment about TOKIO_WORKER_THREADS crate`* ![11](https://hackmd.io/_uploads/rkdEiuPFA.png) *`Fig.11 Code segment about Client::new() crate (reqwest)`* ## Tools Please read the [README.md](https://github.com/r3dhun9/IDARustler) in the repository to get the usage of the tools. Github link: https://github.com/r3dhun9/IDARustler ![12](https://hackmd.io/_uploads/By-e6_DYC.png) *`Fig.12 True main function is fixed with a long name`* ![13](https://hackmd.io/_uploads/Hk9xpuvKC.png) *`Fig.13 Function name being fixed the longer the suspicious`*