Recon 2025

Andreas Klopsch

Andreas Klopsch is a Malware Reverse Engineer at the Microsoft Threat Intelligence Center (MSTIC). With a strong background in reverse engineering, malware analysis, and vulnerability research, Andreas is dedicated to analyzing and understanding complex malware threats. His current research focuses on developing techniques to simplify the analysis of Rust binaries.


Session

06-27
14:00
30min
Unveiling RIFT: Advanced Pattern Matching for Rust Libraries
Andreas Klopsch

Malware analysts agree: Rust reverse engineering is hard.

Several skilled researchers have shared their difficulties in reverse engineering Rust at RECON and other technical conferences. Consequently, it is time to join the effort and contribute to the ongoing challenges in the world of Rust malware. In particular, our research efforts focused on identifying and annotating library code in real-world Rust malware.

In our talk, we begin by establishing common ground: we summarize existing Rust reverse engineering research and share insights into how Rust crates are compiled and linked into binaries.
Next, we introduce our tool suite, RIFT, designed to aid reverse engineers in pinpointing library code within Rust binaries.

This suite comprises a collection of scripts and IDA plugins that streamline the library identification process. We cover how RIFT extracts static information from a target binary and uses it to compile the corresponding libraries, in their best-matching versions, as COFF files. Following this, we explore the final stage of the pipeline, where we batch-diff the target binary against those files using Diaphora and visualize the results through an IDA plugin.

To conclude, we assess our approach by comparing the advantages and disadvantages of the binary diffing approach with those of generating and applying FLIRT signatures, specifically for Rust binaries. Lastly, we provide links to the open-source tool RIFT, share ideas for future research, and invite researchers to collaborate with us.

Grand Salon