sábado, 27 de enero de 2024

Reversing Rust String And Str Datatypes

Lets build an app that uses several data-types in order to see how is stored from a low level perspective.

Rust string data-types

The two first main objects are "str" and String, lets check also the constructors.




Imports and functions

Even such a basic program links several libraries and occupy 2,568Kb,  it's really not using the imports and expots the runtime functions even the main. 


Even a simple string operation needs 544 functions on rust:


Main function

If you expected see a clear main function I regret to say that rust doesn't seem a real low-level language In spite of having a full control of the memory.


Ghidra turns crazy when tries to do the recursive parsing of the rust code, and finally we have the libc _start function, the endless loop after main is the way Ghidra decompiles the HLT instruction.


If we jump to main, we see a function call, the first parameter is rust_main as I named it below:



If we search "hello world" on the Defined Strings sections, matches at the end of a large string


After doing "clear code bytes" we can see the string and the reference:


We can see that the literal is stored in an non null terminated string, or most likely an array of bytes. we have a bunch of byte arrays and pointed from the code to the beginning.
Let's follow the ref.  [ctrl]+[shift]+[f] and we got the references that points to the rust main function.


After several naming thanks to the Ghidra comments that identify the rust runtime functions, the rust main looks more understandable.
See below the ref to "hello world" that is passed to the string allocated hard-coding the size, because is non-null terminated string and there is no way to size this, this also helps to the rust performance, and avoid the c/c++ problems when you forgot the write the null byte for example miscalculating the size on a memcpy.


Regarding the string object, the allocator internals will reveal the structure in static.
alloc_string function call a function that calls a function that calls a function and so on, so this is the stack (also on static using the Ghidra code comments)

1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
5. alloc::slice::hack::to_vec::h37a40daa915357ad
6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
...


Well I'm not gonna talk about the performance impact on stack but really to program well reusing code grants the maintainability and its good, and I'm sure that the rust developed had measured that and don't compensate to hardcode directly every constructor.

At this point we have two options, check the rust source code, or try to figure out the string object in dynamic with gdb.

Source code

Let's explain this group of substructures having rust source code in the hand.
The string object is defined at string.rs and it's simply an u8 type vector.



And the definition of vector can be found at vec.rs  and is composed by a raw vector an the len which is the usize datatype.



The RawVector is a struct that helds the pointer to the null terminated string stored on an Unique object, and also contains the allocation pointer, here raw_vec.rs definition.



The cap field is the capacity of the allocation and a is the allocator:



Finally the Unique object structure contains a pointer to the null terminated string, and also a one byte marker core::marker::PhantomData



Dynamic analysis

The first parameter of the constructor is the interesting one, and in x64 arch is on RDI register, the extrange sequence RDI,RSI,RDX,RCX it sounds like ACDC with a bit of imagination (di-si-d-c)

So the RDI parámeter is the pointer to the string object:



So RDI contains the stack address pointer that points the the heap address 0x5578f030.
Remember to disable ASLR to correlate the addresses with Ghidra, there is also a plugin to do the synchronization.

Having symbols we can do:
p mystring

and we get the following structure:

String::String {
  vec: alloc::vec::Vec {
    buf: alloc::raw_vec::RawVec {
      ptr: core::ptr::unique::Unique {
        pointer: 0x555555790130 "hello world\000",
        _marker: core::marker::PhantomData
     },
     cap: 11,
     a: alloc::alloc::Global
   },
   len: 11
  }
}

If the binary was compiled with symbols we can walk the substructures in this way:

(gdb) p mystring.vec.buf.ptr
$6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

(gdb) p mystring.vec.len

$8 = 11

If we try to get the pointer of each substructure we would find out that the the pointer is the same:


If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb which is the size, this structure is a vector.


The pionter to the c string is 0x555555790130




This seems the c++ string but, let's look a bit deeper:

RawVector
  Vector:
  (gdb) x/wx 0x7fffffffdf50
  0x7fffffffdf50: 0x55790130  -> low dword c string pointer
  0x7fffffffdf54: 0x00005555  -> hight dword c string pointer
  0x7fffffffdf58: 0x0000000b  -> len

0x7fffffffdf5c: 0x00000000
0x7fffffffdf60: 0x0000000b  -> low cap (capacity)
0x7fffffffdf64: 0x00000000  -> hight cap
0x7fffffffdf68: 0xf722fe27  -> low a  (allocator)
0x7fffffffdf6c: 0x00007fff  -> hight a
0x7fffffffdf70: 0x00000005 

So in this case the whole object is in stack except the null-terminated string.




More information
  1. Hacking Tools For Kali Linux
  2. Pentest Tools List
  3. Pentest Tools Linux
  4. Pentest Tools
  5. Pentest Tools Tcp Port Scanner
  6. Free Pentest Tools For Windows
  7. Hacker Techniques Tools And Incident Handling
  8. Hack Tools Mac
  9. Hacker Tools Online
  10. Hack Tools Download
  11. Nsa Hack Tools Download
  12. Hack Tools Mac
  13. Pentest Tools Subdomain
  14. Hack Tool Apk No Root
  15. Computer Hacker
  16. Tools Used For Hacking
  17. Hacking Tools For Beginners
  18. Wifi Hacker Tools For Windows
  19. Hacking Tools Download
  20. Hacking App
  21. Hacker Security Tools
  22. Physical Pentest Tools
  23. Kik Hack Tools
  24. Computer Hacker
  25. Pentest Tools Alternative
  26. Hacking Tools Github
  27. Pentest Tools Bluekeep
  28. Hacks And Tools
  29. Hacker Tools For Mac
  30. Hack Tools Github
  31. Underground Hacker Sites
  32. Computer Hacker
  33. Pentest Tools Website
  34. Hack Tool Apk
  35. Hacking Tools For Windows 7
  36. Hacker Tools 2020
  37. Nsa Hacker Tools
  38. Hack Tools
  39. Hacking Tools Kit
  40. World No 1 Hacker Software
  41. Hack Tools
  42. Physical Pentest Tools
  43. Hak5 Tools
  44. Underground Hacker Sites
  45. Bluetooth Hacking Tools Kali
  46. Termux Hacking Tools 2019
  47. Hacking Tools Kit
  48. Easy Hack Tools
  49. Pentest Tools For Android
  50. Hack Tools
  51. Pentest Tools Bluekeep
  52. Pentest Tools Review
  53. Bluetooth Hacking Tools Kali
  54. Pentest Tools Kali Linux
  55. Hacking Tools
  56. Pentest Tools Download
  57. Hacker Techniques Tools And Incident Handling
  58. How To Make Hacking Tools
  59. Hack Tools Online
  60. Pentest Tools Url Fuzzer
  61. Bluetooth Hacking Tools Kali
  62. Ethical Hacker Tools
  63. Hacker
  64. Pentest Tools Find Subdomains
  65. Pentest Tools Windows
  66. Computer Hacker
  67. Hack Tool Apk No Root
  68. Hacking Tools For Windows
  69. Hacker Tools Apk Download
  70. Pentest Tools Port Scanner
  71. Ethical Hacker Tools
  72. Hacking Tools Hardware
  73. Hacking Tools And Software
  74. Pentest Tools Windows
  75. Hacking Apps
  76. Hacking Tools 2020
  77. Github Hacking Tools
  78. Hack Tools Github
  79. Beginner Hacker Tools
  80. Pentest Tools Windows
  81. Pentest Tools Review
  82. Hacker Tools For Ios
  83. Hacking Tools Windows
  84. Usb Pentest Tools
  85. Hacker Tools For Pc
  86. New Hack Tools
  87. Pentest Tools Download
  88. Free Pentest Tools For Windows
  89. Pentest Tools Download
  90. Hack Tools For Ubuntu
  91. Hacker Techniques Tools And Incident Handling
  92. Tools 4 Hack
  93. Kik Hack Tools
  94. Hacker Tools Free Download
  95. Pentest Tools Open Source
  96. What Are Hacking Tools
  97. Install Pentest Tools Ubuntu
  98. Hacking Tools Mac
  99. Hacker Tools Online
  100. Hacker Tools Apk
  101. Game Hacking
  102. Hackers Toolbox
  103. Hacking Tools Pc
  104. Pentest Tools Windows
  105. Hacker Tools Apk
  106. Hacker Tools
  107. Hacker Tools Online
  108. Pentest Tools Port Scanner
  109. Computer Hacker
  110. Beginner Hacker Tools
  111. Hack Tool Apk No Root
  112. Hack Rom Tools
  113. Hacker Tools Software
  114. Computer Hacker
  115. Pentest Tools For Mac
  116. Pentest Tools For Android
  117. Pentest Automation Tools
  118. Growth Hacker Tools
  119. Install Pentest Tools Ubuntu
  120. Physical Pentest Tools
  121. Nsa Hack Tools
  122. Pentest Tools Subdomain
  123. Hack Tools For Games
  124. Pentest Tools Subdomain
  125. Hacking Tools Kit
  126. Hacking Tools For Mac
  127. Computer Hacker
  128. Hacker Tools Github
  129. Github Hacking Tools
  130. Blackhat Hacker Tools
  131. Growth Hacker Tools
  132. Hack Tools 2019
  133. Hacking Tools Windows
  134. Hack Website Online Tool
  135. Pentest Tools List
  136. Hack Tools For Games

0 comentarios:

Publicar un comentario