creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 16:03:17 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Anthropic-Cybersecurity-Skills/skills/reverse-engineering-rust-malware/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

6.6 KiB
Raw Permalink Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
reverse-engineering-rust-malware Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis. cybersecurity malware-analysis
rust
reverse-engineering
malware-analysis
ghidra
ida-pro
binary-analysis
rust-malware
1.0 mahipal Apache-2.0
DE.AE-02
RS.AN-03
ID.RA-01
DE.CM-01
T1027
T1055
T1140
T1497

Reverse Engineering Rust Malware

Overview

Rust has become increasingly popular for malware development due to its cross-compilation, memory safety guarantees, and the complexity it introduces for reverse engineers. Rust binaries contain the entire standard library statically linked, producing large binaries with extensive boilerplate code. Key challenges include non-null-terminated strings (Rust uses fat pointers with pointer+length), monomorphization generating duplicated generic code, complex error handling (Result/Option unwrap chains), and unfamiliar calling conventions. Decompiling Rust to C produces unhelpful output compared to C/C++ binaries. Tools like Ghidra scripts for crate extraction, and training focused on Rust-specific patterns (2024-2025) help address these challenges. Notable Rust malware includes BlackCat/ALPHV ransomware, Hive ransomware variants, and Buer Loader.

When to Use

  • When performing authorized security testing that involves reverse engineering rust malware
  • When analyzing malware samples or attack artifacts in a controlled environment
  • When conducting red team exercises or penetration testing engagements
  • When building detection capabilities based on offensive technique understanding

Prerequisites

  • IDA Pro 8.0+ or Ghidra 11.0+
  • Rust toolchain for reference compilation
  • Python 3.9+ for helper scripts
  • Understanding of Rust memory model (ownership, borrowing)
  • Familiarity with Rust string types (String, &str, CString)

Workflow

Step 1: Identify and Parse Rust Binary Metadata

#!/usr/bin/env python3
"""Analyze Rust malware binary metadata and extract crate dependencies."""
import re
import sys
import json


def identify_rust_binary(data):
    """Check if binary is Rust-compiled and extract version info."""
    indicators = {
        "rust_panic_strings": bool(re.search(rb'panicked at', data)),
        "rust_unwrap": bool(re.search(rb'called.*unwrap.*on.*None', data)),
        "core_panic": bool(re.search(rb'core::panicking', data)),
        "std_rt": bool(re.search(rb'std::rt::lang_start', data)),
        "cargo_path": bool(re.search(rb'\.cargo[/\\]registry', data)),
        "rustc_version": None,
    }

    version = re.search(rb'rustc\s+(\d+\.\d+\.\d+)', data)
    if version:
        indicators["rustc_version"] = version.group(1).decode()

    is_rust = sum(1 for v in indicators.values() if v) >= 2
    return is_rust, indicators


def extract_crates(data):
    """Extract Rust crate (dependency) names from binary strings."""
    crate_pattern = re.compile(
        rb'(?:crates\.io-[a-f0-9]+/|\.cargo/registry/src/[^/]+/)'
        rb'([\w-]+)-(\d+\.\d+\.\d+)'
    )
    crates = {}
    for match in crate_pattern.finditer(data):
        name = match.group(1).decode()
        version = match.group(2).decode()
        crates[name] = version

    # Also check for common malware-relevant crates
    suspicious_crates = {
        "reqwest": "HTTP client",
        "hyper": "HTTP library",
        "tokio": "Async runtime",
        "aes": "AES encryption",
        "chacha20": "ChaCha20 encryption",
        "rsa": "RSA encryption",
        "ring": "Crypto library",
        "base64": "Base64 encoding",
        "winapi": "Windows API bindings",
        "winreg": "Registry access",
        "sysinfo": "System information",
        "screenshots": "Screen capture",
        "clipboard": "Clipboard access",
        "keylogger": "Key logging",
    }

    capabilities = []
    for crate_name, description in suspicious_crates.items():
        if crate_name in crates:
            capabilities.append({
                "crate": crate_name,
                "version": crates[crate_name],
                "capability": description,
            })

    return crates, capabilities


def extract_rust_strings(data):
    """Extract strings handling Rust's non-null-terminated format."""
    # Rust strings are stored as pointer+length, but string literals
    # are often in .rodata as contiguous sequences
    strings = []
    ascii_pattern = re.compile(rb'[\x20-\x7e]{8,500}')
    for match in ascii_pattern.finditer(data):
        s = match.group().decode('ascii')
        # Filter for malware-relevant strings
        keywords = ['http', 'socket', 'encrypt', 'decrypt', 'shell',
                    'exec', 'cmd', 'upload', 'download', 'persist',
                    'registry', 'mutex', 'pipe', 'inject']
        if any(kw in s.lower() for kw in keywords):
            strings.append(s)

    return strings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <rust_binary>")
        sys.exit(1)

    with open(sys.argv[1], 'rb') as f:
        data = f.read()

    is_rust, indicators = identify_rust_binary(data)
    print(f"[{'+'if is_rust else '-'}] Rust binary: {is_rust}")
    print(json.dumps(indicators, indent=2, default=str))

    crates, capabilities = extract_crates(data)
    print(f"\n[+] Crates ({len(crates)}):")
    for name, ver in sorted(crates.items()):
        print(f"  {name} v{ver}")

    if capabilities:
        print(f"\n[!] Suspicious capabilities:")
        for cap in capabilities:
            print(f"  {cap['crate']} -> {cap['capability']}")

    strings = extract_rust_strings(data)
    if strings:
        print(f"\n[+] Suspicious strings ({len(strings)}):")
        for s in strings[:20]:
            print(f"  {s}")

Validation Criteria

  • Binary correctly identified as Rust-compiled with version info
  • Crate dependencies extracted revealing malware capabilities
  • Rust-specific string extraction handles fat pointer format
  • Main entry point and core logic functions identified
  • Encryption, networking, and persistence code located

References

Reference in New Issue View Git Blame Copy Permalink