
ABSTRACT
Deconstructing Rust Binaries is the first comprehensive training course focused solely on reverse engineering Rust binaries. This course is for any reverse engineer who needs a rapid, practical upskill in their ability to analyze Rust binaries. You will learn how to effectively triage Rust binaries, how to trace data flow through Rust binaries, and how to tackle common techniques found in the Rust malware ecosystem.
This course is aimed at malware reverse engineers, but vulnerability researchers and software reverse engineers who have Rust targets will also find it valuable. The course is written and taught by Cindy Xiao, an experienced malware reverse engineer with extensive experience specifically in reversing Rust binaries. Real Rust malware samples are used in the course for practice.
Deconstructing Rust Binaries takes a "language-centric" approach: in order to reverse Rust binaries, we must understand the Rust programming language. We will learn how to read basic Rust code, learn Rust language concepts and data structures, and then apply that knowledge to demystify what we see in Rust binaries.
Binary Ninja will be used in the course as the primary disassembler and decompiler tool. Students will receive a Binary Ninja student license as part of the course ($74 USD value).
KEY LEARNING OBJECTIVES
At the end of this course, you should be able to do the following:
- Have a basic understanding of the Rust language toolchain, software development ecosystem, and malware ecosystem.
- Know how to quickly triage interesting code, data, and metadata inside Rust binaries.
- Recognize common Rust language constructs and data types in their compiled form inside binaries.
- Trace the data flow of variables in compiled Rust binaries.
COURSE DETAILS
Part 1: Triage
You just got a new binary to reverse. All you know is that it's written in Rust, and your colleagues are afraid of handling it. What do you do to get as much information from it as quickly as possible?
- The Rust build toolchain and software ecosystem.
- Strings inside Rust binaries, and their meanings.
- Finding the entry point in a Rust binary.
- Pitfalls to avoid when triaging Rust binaries.
- Rust language-specific metadata and artifacts.
Part 2: Data
Programs manipulate data. They do things like reading files, parsing inputs, and loading payloads. If there's a payload inside some Rust malware, how do we extract it? How do we follow the flow of data inside a Rust binary?
- Rust's primitive data types.
- Rust's standard library data types.
- Variable allocation and deallocation.
- Passing data as arguments between functions.
- Common data manipulation patterns inside Rust binaries.
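As an added illustration of the Part 1 "strings" and Part 2 "standard library data types" topics (example code written for this page, not course material), the program below shows how the std types you meet most often in a decompiler are laid out at the machine-word level. Rather than assuming the field order inside `String`/`Vec<T>`, which the Rust reference does not guarantee, it recovers the roles of the three words by comparing them against the public accessors, and it shows that a `&str` sub-slice is just a (pointer, length) pair into the parent's bytes with no copy and no NUL terminator. The sample strings are constructed here; the only assumption is that one machine word is one `usize`.

```rust
use std::mem::size_of;

/// Width of a type in machine words (one `usize` per word): the number of
/// registers or stack slots a decompiler will show for a local of that type.
fn words<T>() -> usize {
    size_of::<T>() / size_of::<usize>()
}

/// Positions (0..3) of the heap pointer, capacity and length inside the
/// three words of a `String` (which shares its layout with `Vec<u8>`).
#[derive(Debug, PartialEq, Eq)]
struct VecWords {
    ptr: usize,
    cap: usize,
    len: usize,
}

/// Recover which word is which by comparing the raw words against the
/// public accessors instead of assuming a field order. Returns `None` if
/// the roles cannot be told apart (e.g. when `len == cap`), so pick a
/// sample string where they differ.
fn recover_vec_words(s: &String) -> Option<VecWords> {
    if size_of::<String>() != 3 * size_of::<usize>() {
        return None;
    }
    // SAFETY: `String` is exactly three `usize`-sized words (checked above)
    // and we only copy those words out; the String itself is untouched.
    let raw: [usize; 3] = unsafe { std::ptr::read(s as *const String as *const [usize; 3]) };
    let find = |v: usize| raw.iter().position(|&w| w == v);
    let (ptr, cap, len) = (find(s.as_ptr() as usize)?, find(s.capacity())?, find(s.len())?);
    if ptr == cap || cap == len || ptr == len {
        return None;
    }
    Some(VecWords { ptr, cap, len })
}

/// A `&str` sub-slice is (pointer, length) into the same bytes: no copy,
/// no NUL terminator. Returns (shares_parent_buffer, byte_offset, len).
fn str_slice_view(parent: &str, start: usize, end: usize) -> (bool, usize, usize) {
    let sub = &parent[start..end];
    let offset = sub.as_ptr() as usize - parent.as_ptr() as usize;
    (offset == start, offset, sub.len())
}

/// Word widths of the std types most often seen in decompiled Rust.
fn layout_summary() -> Vec<(&'static str, usize)> {
    vec![
        ("String / Vec<T>   (ptr, cap, len)", words::<String>()),
        ("&str / &[T]       (ptr, len) fat pointer", words::<&str>()),
        ("Box<[T]>          (ptr, len)", words::<Box<[u8]>>()),
        ("&dyn Trait        (data ptr, vtable ptr)", words::<&dyn std::fmt::Debug>()),
        ("Option<Box<T>>    null niche, no tag word", words::<Option<Box<u8>>>()),
        ("Option<usize>     tag word + payload", words::<Option<usize>>()),
    ]
}

fn main() {
    for (what, n) in layout_summary() {
        println!("{:<2} words  {}", n, what);
    }
    // Constructed sample: capacity 32, length 5, so all three words differ.
    let mut s = String::with_capacity(32);
    s.push_str("hello");
    println!("String word roles: {:?}", recover_vec_words(&s));
    println!("&str sub-slice view: {:?}", str_slice_view("GET /index.html", 4, 15));
}
```

When reading a decompiled function, the three-word `String` pattern and the two-word `&str` pattern are what you look for in argument registers and stack slots; the niche optimization on `Option<Box<T>>` explains why an "optional" pointer is tested against zero with no separate tag word.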
Prerequisites
This course is recommended for reverse engineers or malware analysts who have experience reversing C or C++ binaries but have trouble reversing Rust binaries.
Specific prerequisite skills for this course are:
- Familiarity with reading x86_64 assembly.
- Familiarity with reading C pseudocode.
- Basic experience with disassembly and decompilation tools such as IDA Pro, Ghidra, Binary Ninja, or Radare2.
- Basic knowledge of how to handle malware samples is recommended.
- Binary Ninja will be used in the course as the primary disassembler and decompiler tool. However, no previous experience with Binary Ninja specifically is required.
- No previous experience with reading or writing the Rust programming language is required.
System Requirements
- A working laptop or desktop (no Netbooks, no Tablets, no iPads)
- Intel Core i5 (equivalent or superior) required
- 8GB RAM required, at a minimum
- 50 GB free hard disk space, at a minimum
Software Requirements
- The training will be conducted using the reverse engineering software Binary Ninja. Student machines must fulfill the system requirements for Binary Ninja (https://binary.ninja/faq#minimum-requirements).
- The training will involve handling Windows malware samples. The samples will mostly be analyzed statically. However, to limit the potential damage of accidental execution, analyzing them inside a virtual machine or on a non-Windows machine is recommended.
- macOS machines with Apple Silicon (i.e. those with ARM64/AArch64 processors) can be used in this course. All tools used in this course support running on Apple Silicon.
YOUR INSTRUCTOR: Cindy Xiao
Cindy Xiao is an experienced malware analyst, security researcher, and software developer. She has given talks and workshops on malware and Rust reverse engineering at leading cybersecurity conferences, including REcon, RE//verse, and NorthSec.
Cindy is the founder of Decoder Loop, a specialty firm created to raise the bar for binary reverse engineering training. The tools, techniques, and resources that reverse engineers have were built for the era of C. Meanwhile, malware authors and software developers alike are rapidly switching to modern programming languages such as Rust. Decoder Loop offers expert training that levels the playing field for reverse engineers facing modern binaries.
Refund policy: 60 or more days before the event, 75% of fees refunded; 45 to 60 days before the event, 50% refunded; fewer than 45 days before the event, no refund. Course changes are allowed up to 14 days before the event start (some restrictions apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.