Reversing Rust String And Str Datatypes

Lets build an app that uses several data-types in order to see how is stored from a low level perspective.

Rust string data-types

The two first main objects are "str" and String, lets check also the constructors.

Imports and functions

Even such a basic program links several libraries and occupy 2,568Kb,  it's really not using the imports and expots the runtime functions even the main. 

Even a simple string operation needs 544 functions on rust:

Main function

If you expected see a clear main function I regret to say that rust doesn't seem a real low-level language In spite of having a full control of the memory.

Ghidra turns crazy when tries to do the recursive parsing of the rust code, and finally we have the libc _start function, the endless loop after main is the way Ghidra decompiles the HLT instruction.

If we jump to main, we see a function call, the first parameter is rust_main as I named it below:

If we search "hello world" on the Defined Strings sections, matches at the end of a large string

After doing "clear code bytes" we can see the string and the reference:

We can see that the literal is stored in an non null terminated string, or most likely an array of bytes. we have a bunch of byte arrays and pointed from the code to the beginning.
Let's follow the ref.  [ctrl]+[shift]+[f] and we got the references that points to the rust main function.

After several naming thanks to the Ghidra comments that identify the rust runtime functions, the rust main looks more understandable.
See below the ref to "hello world" that is passed to the string allocated hard-coding the size, because is non-null terminated string and there is no way to size this, this also helps to the rust performance, and avoid the c/c++ problems when you forgot the write the null byte for example miscalculating the size on a memcpy.

Regarding the string object, the allocator internals will reveal the structure in static.
alloc_string function call a function that calls a function that calls a function and so on, so this is the stack (also on static using the Ghidra code comments)

1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
5. alloc::slice::hack::to_vec::h37a40daa915357ad
6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
...


Well I'm not gonna talk about the performance impact on stack but really to program well reusing code grants the maintainability and its good, and I'm sure that the rust developed had measured that and don't compensate to hardcode directly every constructor.

At this point we have two options, check the rust source code, or try to figure out the string object in dynamic with gdb.

Source code

Let's explain this group of substructures having rust source code in the hand.
The string object is defined at string.rs and it's simply an u8 type vector.

And the definition of vector can be found at vec.rs  and is composed by a raw vector an the len which is the usize datatype.

The RawVector is a struct that helds the pointer to the null terminated string stored on an Unique object, and also contains the allocation pointer, here raw_vec.rs definition.

The cap field is the capacity of the allocation and a is the allocator:

Finally the Unique object structure contains a pointer to the null terminated string, and also a one byte marker core::marker::PhantomData

Dynamic analysis

The first parameter of the constructor is the interesting one, and in x64 arch is on RDI register, the extrange sequence RDI,RSI,RDX,RCX it sounds like ACDC with a bit of imagination (di-si-d-c)

So the RDI parámeter is the pointer to the string object:

So RDI contains the stack address pointer that points the the heap address 0x5578f030.
Remember to disable ASLR to correlate the addresses with Ghidra, there is also a plugin to do the synchronization.

Having symbols we can do:
p mystring

and we get the following structure:

String::String {
  vec: alloc::vec::Vec {
    buf: alloc::raw_vec::RawVec {
      ptr: core::ptr::unique::Unique {
        pointer: 0x555555790130 "hello world\000",
        _marker: core::marker::PhantomData
     },
     cap: 11,
     a: alloc::alloc::Global
   },
   len: 11
  }
}

If the binary was compiled with symbols we can walk the substructures in this way:

(gdb) p mystring.vec.buf.ptr
$6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

(gdb) p mystring.vec.len

$8 = 11

If we try to get the pointer of each substructure we would find out that the the pointer is the same:

If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb which is the size, this structure is a vector.

The pionter to the c string is 0x555555790130




This seems the c++ string but, let's look a bit deeper:

RawVector
  Vector:
  (gdb) x/wx 0x7fffffffdf50
  0x7fffffffdf50: 0x55790130  -> low dword c string pointer
  0x7fffffffdf54: 0x00005555  -> hight dword c string pointer
  0x7fffffffdf58: 0x0000000b  -> len

0x7fffffffdf5c: 0x00000000
0x7fffffffdf60: 0x0000000b  -> low cap (capacity)
0x7fffffffdf64: 0x00000000  -> hight cap
0x7fffffffdf68: 0xf722fe27  -> low a  (allocator)
0x7fffffffdf6c: 0x00007fff  -> hight a
0x7fffffffdf70: 0x00000005 

So in this case the whole object is in stack except the null-terminated string.

More articles

1. Hacking App
2. Growth Hacker Tools
3. Hacking Tools For Windows Free Download
4. Usb Pentest Tools
5. Hacker Hardware Tools
6. Pentest Tools Open Source
7. Hacker Tools Mac
8. Pentest Tools Port Scanner
9. Hacker Tools For Mac
10. Hacking Tools Download
11. Hack Tools
12. Pentest Tools For Android
13. Top Pentest Tools
14. Pentest Tools Url Fuzzer
15. World No 1 Hacker Software
16. Pentest Automation Tools
17. Hacker Tools 2019
18. Hack Website Online Tool
19. Hack Tool Apk
20. Hacker Tools Online
21. Hacking Tools Name
22. Hacker Tools Hardware
23. Hack Tools
24. How To Make Hacking Tools
25. Hacker Tools Apk Download
26. Hacker Tools Online
27. Hacker Tools Mac
28. Usb Pentest Tools
29. Bluetooth Hacking Tools Kali
30. Github Hacking Tools
31. Pentest Tools Port Scanner
32. Android Hack Tools Github
33. Hacker
34. Hacker Tools Linux
35. Hacking Tools For Beginners
36. Pentest Tools Windows
37. Hacking Tools Windows
38. Hacking Tools Online
39. Pentest Box Tools Download
40. Game Hacking
41. Tools 4 Hack
42. Hacker Search Tools
43. Hak5 Tools
44. Pentest Tools For Ubuntu
45. Hacker Search Tools
46. Hacker Tools Github
47. Hacking Tools Kit
48. Pentest Reporting Tools
49. Hacker Tools For Mac
50. Underground Hacker Sites
51. Hacker Tools Linux
52. Hacker Tools Hardware
53. Hacking Tools For Beginners
54. Hack Tools Github
55. Tools 4 Hack
56. Hack Tools For Mac
57. Pentest Tools Tcp Port Scanner
58. Hack Tools
59. Hacking Tools 2020
60. Hacker Tools Online
61. Pentest Tools For Ubuntu
62. Pentest Automation Tools
63. Hackers Toolbox
64. How To Make Hacking Tools
65. Pentest Tools Android
66. Pentest Box Tools Download
67. Hacker Techniques Tools And Incident Handling
68. Hacking Tools For Kali Linux
69. Best Hacking Tools 2019
70. Hacker Techniques Tools And Incident Handling
71. Hack Tools For Games
72. Hacking Tools For Windows Free Download
73. World No 1 Hacker Software
74. Pentest Tools
75. Growth Hacker Tools
76. Hack Tools Mac
77. Game Hacking
78. Hacking Tools Windows 10
79. Hacking Tools Free Download
80. Pentest Tools Review
81. Pentest Tools Nmap
82. Hack And Tools
83. Hack Tools For Windows
84. Pentest Tools Github
85. Hack Tools Pc
86. Hack Tools For Pc
87. Physical Pentest Tools
88. Pentest Tools Url Fuzzer
89. Hack Tools For Pc
90. Hacker Tools Software
91. Hacking Tools Hardware
92. Hacker Tools Apk
93. Pentest Tools Alternative
94. Pentest Tools Nmap
95. Hack Rom Tools
96. Bluetooth Hacking Tools Kali
97. Hacker Tools
98. Hack Tools
99. What Are Hacking Tools
100. Hacking Tools For Games
101. Wifi Hacker Tools For Windows
102. Hack Tools
103. Hacker Security Tools
104. Hacker Hardware Tools
105. Nsa Hacker Tools
106. Best Hacking Tools 2020
107. Hacker Tools For Ios
108. Hacking Tools Hardware
109. Pentest Tools For Ubuntu
110. Growth Hacker Tools
111. Nsa Hacker Tools
112. Pentest Tools List
113. Pentest Tools For Mac
114. Hacker Tools Apk Download
115. Pentest Tools Website Vulnerability
116. Hack Tools
117. Kik Hack Tools
118. Hack Tools Download
119. Tools Used For Hacking
120. Game Hacking
121. Hacking Tools For Windows
122. Hacking Tools Mac
123. Hacking Tools Kit
124. Pentest Tools Kali Linux
125. Hacking Tools Online
126. Pentest Tools Kali Linux
127. Hack Tools Download
128. Beginner Hacker Tools
129. Pentest Tools Port Scanner
130. Hacker Tools Hardware
131. Hacking Tools For Pc
132. How To Hack
133. Hack Tools For Mac
134. Hacker Tools Apk Download
135. Pentest Tools Find Subdomains
136. Pentest Tools Windows
137. Hacker Tools List
138. Hacking Tools For Windows