lunes, 29 de mayo de 2023

Reversing Rust String And Str Datatypes

Lets build an app that uses several data-types in order to see how is stored from a low level perspective.

Rust string data-types

The two first main objects are "str" and String, lets check also the constructors.




Imports and functions

Even such a basic program links several libraries and occupy 2,568Kb,  it's really not using the imports and expots the runtime functions even the main. 


Even a simple string operation needs 544 functions on rust:


Main function

If you expected see a clear main function I regret to say that rust doesn't seem a real low-level language In spite of having a full control of the memory.


Ghidra turns crazy when tries to do the recursive parsing of the rust code, and finally we have the libc _start function, the endless loop after main is the way Ghidra decompiles the HLT instruction.


If we jump to main, we see a function call, the first parameter is rust_main as I named it below:



If we search "hello world" on the Defined Strings sections, matches at the end of a large string


After doing "clear code bytes" we can see the string and the reference:


We can see that the literal is stored in an non null terminated string, or most likely an array of bytes. we have a bunch of byte arrays and pointed from the code to the beginning.
Let's follow the ref.  [ctrl]+[shift]+[f] and we got the references that points to the rust main function.


After several naming thanks to the Ghidra comments that identify the rust runtime functions, the rust main looks more understandable.
See below the ref to "hello world" that is passed to the string allocated hard-coding the size, because is non-null terminated string and there is no way to size this, this also helps to the rust performance, and avoid the c/c++ problems when you forgot the write the null byte for example miscalculating the size on a memcpy.


Regarding the string object, the allocator internals will reveal the structure in static.
alloc_string function call a function that calls a function that calls a function and so on, so this is the stack (also on static using the Ghidra code comments)

1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
5. alloc::slice::hack::to_vec::h37a40daa915357ad
6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
...
Well I'm not gonna talk about the performance impact on stack but really to program well reusing code grants the maintainability and its good, and I'm sure that the rust developed had measured that and don't compensate to hardcode directly every constructor.

At this point we have two options, check the rust source code, or try to figure out the string object in dynamic with gdb.

Source code

Let's explain this group of substructures having rust source code in the hand.
The string object is defined at string.rs and it's simply an u8 type vector.



And the definition of vector can be found at vec.rs  and is composed by a raw vector an the len which is the usize datatype.



The RawVector is a struct that helds the pointer to the null terminated string stored on an Unique object, and also contains the allocation pointer, here raw_vec.rs definition.



The cap field is the capacity of the allocation and a is the allocator:



Finally the Unique object structure contains a pointer to the null terminated string, and also a one byte marker core::marker::PhantomData



Dynamic analysis

The first parameter of the constructor is the interesting one, and in x64 arch is on RDI register, the extrange sequence RDI,RSI,RDX,RCX it sounds like ACDC with a bit of imagination (di-si-d-c)

So the RDI parámeter is the pointer to the string object:



So RDI contains the stack address pointer that points the the heap address 0x5578f030.
Remember to disable ASLR to correlate the addresses with Ghidra, there is also a plugin to do the synchronization.

Having symbols we can do:
p mystring

and we get the following structure:

String::String {
  vec: alloc::vec::Vec {
    buf: alloc::raw_vec::RawVec {
      ptr: core::ptr::unique::Unique {
        pointer: 0x555555790130 "hello world\000",
        _marker: core::marker::PhantomData
     },
     cap: 11,
     a: alloc::alloc::Global
   },
   len: 11
  }
}

If the binary was compiled with symbols we can walk the substructures in this way:

(gdb) p mystring.vec.buf.ptr
$6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

(gdb) p mystring.vec.len

$8 = 11

If we try to get the pointer of each substructure we would find out that the the pointer is the same:


If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb which is the size, this structure is a vector.


The pionter to the c string is 0x555555790130




This seems the c++ string but, let's look a bit deeper:

RawVector
  Vector:
  (gdb) x/wx 0x7fffffffdf50
  0x7fffffffdf50: 0x55790130  -> low dword c string pointer
  0x7fffffffdf54: 0x00005555  -> hight dword c string pointer
  0x7fffffffdf58: 0x0000000b  -> len

0x7fffffffdf5c: 0x00000000
0x7fffffffdf60: 0x0000000b  -> low cap (capacity)
0x7fffffffdf64: 0x00000000  -> hight cap
0x7fffffffdf68: 0xf722fe27  -> low a  (allocator)
0x7fffffffdf6c: 0x00007fff  -> hight a
0x7fffffffdf70: 0x00000005 

So in this case the whole object is in stack except the null-terminated string.




Related posts


  1. Pentest Tools Tcp Port Scanner
  2. Hack Tools Mac
  3. World No 1 Hacker Software
  4. Hacking Tools For Games
  5. Pentest Tools For Windows
  6. Hack Tools For Windows
  7. Hacker Techniques Tools And Incident Handling
  8. Physical Pentest Tools
  9. Pentest Tools Linux
  10. Hacking Tools Kit
  11. Termux Hacking Tools 2019
  12. Hacker Tool Kit
  13. Pentest Reporting Tools
  14. Hacking Tools Name
  15. Hack Tools Github
  16. Blackhat Hacker Tools
  17. Hacking Tools For Mac
  18. Pentest Tools Apk
  19. Pentest Tools For Windows
  20. Tools Used For Hacking
  21. Hack Tools For Games
  22. Hack Tools Pc
  23. Pentest Tools Github
  24. Hack Tools
  25. Pentest Tools Find Subdomains
  26. Hacker Tools Free
  27. Hack Tools 2019
  28. Hack Tools For Windows
  29. Pentest Tools Nmap
  30. Hacking Tools Windows
  31. Wifi Hacker Tools For Windows
  32. Pentest Tools Find Subdomains
  33. Hacking Tools For Mac
  34. Android Hack Tools Github
  35. Hacking Tools Software
  36. What Are Hacking Tools
  37. Hacking Tools Usb
  38. Ethical Hacker Tools
  39. Tools For Hacker
  40. Pentest Tools Apk
  41. Hacking App
  42. Hacking Tools
  43. Hacking Tools For Games
  44. Hack App
  45. Pentest Tools Windows
  46. Hak5 Tools
  47. Install Pentest Tools Ubuntu
  48. Nsa Hacker Tools
  49. Hack Tool Apk No Root
  50. Hacker Tools
  51. New Hacker Tools
  52. Pentest Automation Tools
  53. Hacking Tools Usb
  54. Hacking Tools For Beginners
  55. Hacking Tools Windows
  56. Pentest Tools Open Source
  57. Android Hack Tools Github
  58. Hacker Tools Apk
  59. Black Hat Hacker Tools
  60. Hacking Tools For Windows
  61. Hack Rom Tools
  62. Free Pentest Tools For Windows
  63. What Is Hacking Tools
  64. Nsa Hacker Tools
  65. Hacker Techniques Tools And Incident Handling
  66. Pentest Tools For Windows
  67. Wifi Hacker Tools For Windows
  68. Black Hat Hacker Tools
  69. Computer Hacker
  70. Hack Tools 2019
  71. Hacks And Tools
  72. Growth Hacker Tools
  73. Hack Tools For Games
  74. Free Pentest Tools For Windows
  75. Hacking Tools Free Download
  76. Nsa Hacker Tools
  77. Hacking Tools For Windows
  78. Growth Hacker Tools
  79. Hacker
  80. Pentest Tools Website
  81. Install Pentest Tools Ubuntu
  82. Hacking Tools Hardware
  83. Pentest Tools Windows
  84. Pentest Tools Website
  85. Hacker Tools Linux
  86. Hack Tools For Games
  87. Termux Hacking Tools 2019
  88. Pentest Tools Download
  89. Nsa Hacker Tools
  90. Hacking Tools Hardware
  91. Pentest Tools Nmap
  92. Hacker Tools 2019
  93. Hacking Tools 2020
  94. Hacking Tools Software
  95. Wifi Hacker Tools For Windows
  96. Pentest Tools For Ubuntu
  97. Hacker Security Tools
  98. Hacker Tools Online
  99. Pentest Automation Tools
  100. Pentest Tools Subdomain
  101. Hack Apps
  102. Hackers Toolbox
  103. Nsa Hack Tools
  104. Hack Tools For Windows
  105. Physical Pentest Tools
  106. Hacker Techniques Tools And Incident Handling
  107. Hack Tools For Pc
  108. Hack Tools Download
  109. Hack And Tools
  110. Hacking Tools For Windows Free Download
  111. Best Pentesting Tools 2018
  112. Pentest Tools Apk
  113. Pentest Box Tools Download
  114. Hacking Tools Online
  115. Pentest Tools Nmap
  116. Hacking Tools Windows
  117. Hack Tools 2019
  118. Underground Hacker Sites
  119. Hacker Tools Github
  120. Hacker Tools Hardware
  121. Hacking Tools For Beginners
  122. Hacking Tools Software
  123. Hacking Tools Kit
  124. Bluetooth Hacking Tools Kali
  125. Hacking Tools Windows 10
  126. Pentest Tools Alternative
  127. Pentest Tools Free
  128. Pentest Tools For Mac
  129. Easy Hack Tools
  130. Hacking Tools
  131. Hacking Tools Windows
  132. Hacker Tools Apk Download
  133. Hacking Tools Online
  134. How To Hack
  135. Best Hacking Tools 2020
  136. Hacking Tools For Windows Free Download
  137. Hacking Tools Online
  138. Hacker Tools Windows
  139. Nsa Hack Tools Download
  140. Blackhat Hacker Tools
  141. Hacking Tools Online
  142. Hack Tools For Games
Publicado por en

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)

Seguidores

Archivo del blog