Rust symbol recovery tool
Search for dependencies inside a compiled rust executable, download them and create a signature.
- Allows you to create a signature out of dependencies and proper rust stdlib, using the right toolchain.
- Give information about the version of the compiler used
- Give information about detected dependencies used
- Allows you to easily download a crate
| Before | After | | -------------- | ------------- | |
|
|
Install
git clone https://github.com/N0fix/rustbinsign
cd rustbinsign
poetry install
rustbinsign --help
Help
usage: rbs [-h] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}] {info,download,downloadsign,downloadcompile,compile,compiletarget,signstdlib,signtarget,signlibs,getstdlib,guessprojectcreation_timestamp} ...
This script aims at facilitate creation of signatures for rust executables. It can detect dependencies and rustc version used in a target, and create signatures using a signature provider.
options: -h, --help show this help message and exit -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log {DEBUG,INFO,WARNING,ERROR,CRITICAL} Set the logging level
mode: {info,download,downloadsign,downloadcompile,compile,compiletarget,signstdlib,signtarget,signlibs,getstdlib,guessprojectcreation_timestamp} Mode to use info Get information about an executable download Download a crate. Exemple: rand_chacha-0.3.1 downloadcompile Download a crate and compiles it. Exemple: randchacha-0.3.1 downloadsign Download a crate, compiles it and signs it. Exemple: randchacha-0.3.1 compile Compiles a crate. Exemple: rand_chacha-0.3.1 compile_target Compiles all dependencies detected in target compiled rust executable. sign_stdlib Sign standard lib toolchain. sign_target Generate a signature for a given executable, using choosed signature provider. sign_libs Generate a signature for a given list of libs, using choosed signature provider. getstdlib Download stdlib with symbols for a specific version of rustc. guessprojectcreation_timestamp Tries to guess the compilation date based on dependencies version.
Usage examples:
rustbinsign -l DEBUG info 'challenge.exe' rustbinsign -l DEBUG downloadsign --provider IDA hyper-0.14.27 1.70.0-x8664-unknown-linux-gnu rustbinsign -l DEBUG download hyper-0.14.27 rustbinsign -l DEBUG downloadcompile randchacha-0.3.1 1.70.0-x86_64-unknown-linux-gnu rustbinsign -l DEBUG compile --template ./profile/ctf.json /tmp/rustbininfo/randchacha-0.3.1/Cargo.toml 1.70.0-x8664-unknown-linux-gnu rustbinsign -l DEBUG signstdlib --template ./profiles/ivantirustsample.json -t 1.70.0-x8664-unknown-linux-musl --provider IDA rustbinsign -l DEBUG getstdlib 1.70.0-x86_64-unknown-linux-musl rustbinsign -l DEBUG sign_libs -l .\sha2-0.10.8\target\release\sha2.lib -l .\crypt-0.4.2\target\release\crypt.lib --provider IDA rustbinsign -l DEBUG signtarget -t stable-x8664-pc-windows-gnu --template ./profiles/target.json --provider IDA --target ./target.exe --no-std --signaturename targetsig
Example usage
Info
$ rbs info sample.bin
TargetRustInfo(
rustc_version='1.70.0',
rustccommithash='90c541806f23a127002de5b4038be731ba1458ca',
dependencies=[
Crate(name='addr2line', version='0.17.0', features=[], repository=None),
Crate(name='aes', version='0.7.5', features=[], repository=None),
Crate(name='bytes', version='1.4.0', features=[], repository=None),
Crate(name='cfb-mode', version='0.7.1', features=[], repository=None),
Crate(name='crossbeam-channel', version='0.5.8', features=[], repository=None),
Crate(name='crossbeam-deque', version='0.8.3', features=[], repository=None),
Crate(name='crossbeam-epoch', version='0.9.15', features=[], repository=None),
Crate(name='futures-channel', version='0.3.28', features=[], repository=None),
Crate(name='futures-core', version='0.3.28', features=[], repository=None),
Crate(name='futures-util', version='0.3.28', features=[], repository=None),
Crate(name='generic-array', version='0.14.7', features=[], repository=None),
Crate(name='gimli', version='0.26.2', features=[], repository=None),
Crate(name='hashbrown', version='0.12.3', features=[], repository=None),
Crate(name='hex', version='0.4.3', features=[], repository=None),
Crate(name='http', version='0.2.9', features=[], repository=None),
Crate(name='httparse', version='1.8.0', features=[], repository=None),
Crate(name='hyper', version='0.14.27', features=[], repository=None),
Crate(name='mio', version='0.8.8', features=[], repository=None),
Crate(name='once_cell', version='1.18.0', features=[], repository=None),
Crate(name='rayon', version='1.7.0', features=[], repository=None),
Crate(name='rayon-core', version='1.11.0', features=[], repository=None),
Crate(name='self-replace', version='1.3.5', features=[], repository=None),
Crate(name='socket2', version='0.4.9', features=[], repository=None),
Crate(name='sysinfo', version='0.29.2', features=[], repository=None),
Crate(name='tokio', version='1.29.0', features=[], repository=None),
Crate(name='want', version='0.3.1', features=[], repository=None)
],
rustdependenciesimphash='4b15dc8e43b773df8900e7b194ada169',
guessedtoolchain='Mingw-w64 (Mingw6-GCC8.3.0)'
)
This can be used to apply the proper signature.
Some signatures of rust win stdlib are available here.
Requirements
You have to build on the same platform then the platform used to build your target (likely linux if your target is an ELF, likely windows if your target is an EXE). Choosing IDA as your signature provider requires IDA with IDAPython. IDA provider is the only provider supported at the moment.
Extending the tool for other disassemblers
This tool is meant to be used with IDA. If you want to extend it to Ghidra, binja, r2, or watever tool you are using, just create a new provider that inherits BaseSigProvider. You might need to adapt the command line to add your provider's argument.
TODO (hopefully ?)
- [ ] Make a Dockerfile for easy installation and usage
- [ ] Make Dockerfiles to easy usage when signing mingw targets
- [ ] Implement a provider that does not require IDA with IDAPython, using smda
FAQ
How is it different from Ariane or Cerberus?
While Ariane or Cerberus tries to recognize functions and sign them themselves, reinventing the wheel, this tool focuses on providing accurate information about the Rust compiler (rustc) version used in your target, as well as its dependencies. I delegate function recognition and signature tasks to tools specifically designed for those purposes (IDA, binja...). These tasks are incredibly complex to execute correctly, and these tools perform them much more effectively than I could.
How can I adapt it to Ghidra/Binary Ninja/X ?
This tool generates a signature using a signature provider defined under sig_providers/. You should be able to effortlessly add your own provider to generate a signature that your favorite tool will recognize.
Limitations
Limitations are described in this blogpost.
Thanks
This tool uses the great Mandiant's idb2pat.