This repository contains the supplementary files for the Reversing Rust Binaries: One step beyond strings workshop at NorthSec 2024, presented on May 17, 2024.
-
The slides for this workshop are in the slides/ directory of this repository.
-
A recording of the livestream for this workshop is available on YouTube: NorthSec 2024 - Workshop 1 - Day 2
During the presentation, we will be building and reversing a very simple Rust binary - a benign downloader. The source code for the downloader is inside this repository, in the simple-downloader/ folder.
Read below for the pre-workshop setup instructions!
For easy setup, you can download a preconfigured Ubuntu VM which has all of the following:
- The Rust toolchain (Rust version 1.77.1)
- Visual Studio Code, with the
rust-analyzerextension preinstalled (for autocomplete and documentation tooltips) - The code in the
simple-downloader/folder of this repository - Ghidra (version 11.0.3)
- A Ghidra project with prebuilt Linux versions of the
simple-downloaderbinary
You can download the VM file (a .OVA file) here: https://drive.google.com/file/d/1pM1MwQf4Ccjt-KokbV1RFh8C9tv48jrt/view?usp=sharing
You can then import this OVA file into your VM software (e.g. VMware Workstation, VMWare Fusion, VirtualBox, etc.)
If you would like to do this workshop from the comfort of your own machine, you will need the following:
- A machine that can build a Rust binary. We'll be pulling dependencies to build the binary, so that machine should have internet access.
- For instructions on how to set up the Rust toolchain for building your binary, see the Installing the Rust Toolchain section below.
- A machine that can run the Rust binary you built. We'll be building a benign downloader in this workshop, so that machine should ideally also have internet access.
- The provided source code downloads and runs a shell script for macOS / Linux systems (
https://sh.rustup.rs/rustup-init.sh); however, the code is very easily adaptable for Windows as well.
- The provided source code downloads and runs a shell script for macOS / Linux systems (
- Your preferred reverse engineering tool, for reversing the Rust binary you built!
- A Ghidra project with some prebuilt Linux versions of the
simple-downloaderbinary is provided here: prebuilt-files/rust-reversing-workshop-2024_2024_05_17.gar - The prebuilt Linux
simple-downloaderbinaries in the Ghidra project are also available separately:
- A Ghidra project with some prebuilt Linux versions of the
The official toolchain setup instructions are at https://rustup.rs/. Follow the instructions there; the page will display specific instructions for your operating system.
Check, after installation, that you can run both the newly installed rustup and cargo tools:
$ rustup --version
rustup 1.27.0 (bbb9276d2 2024-03-08)
info: This is the version for the rustup toolchain manager, not the rustc compiler.
info: The currently active `rustc` version is `rustc 1.77.1 (7cf61ebde 2024-03-27)`
$ cargo --version
cargo 1.77.1 (e52e36006 2024-03-26)
We'll be using Rust version 1.77.1 in this workshop, so install that version, and switch your toolchain to that version as the default for all builds:
rustup install 1.77.1
rustup default 1.77.1
If you're building on Windows or macOS, you can skip this step.
If you're building on Linux: Parts of this build rely on gcc, ld, pkg-config, and the OpenSSL development headers. On Ubuntu, you can install these with
sudo apt install build-essential
sudo apt install pkg-config
sudo apt install libssl-dev