Reversing Rust String And Str Datatypes

Lets build an app that uses several data-types in order to see how is stored from a low level perspective.

Rust string data-types

The two first main objects are "str" and String, lets check also the constructors.

Imports and functions

Even such a basic program links several libraries and occupy 2,568Kb,  it's really not using the imports and expots the runtime functions even the main. 

Even a simple string operation needs 544 functions on rust:

Main function

If you expected see a clear main function I regret to say that rust doesn't seem a real low-level language In spite of having a full control of the memory.

Ghidra turns crazy when tries to do the recursive parsing of the rust code, and finally we have the libc _start function, the endless loop after main is the way Ghidra decompiles the HLT instruction.

If we jump to main, we see a function call, the first parameter is rust_main as I named it below:

If we search "hello world" on the Defined Strings sections, matches at the end of a large string

After doing "clear code bytes" we can see the string and the reference:

We can see that the literal is stored in an non null terminated string, or most likely an array of bytes. we have a bunch of byte arrays and pointed from the code to the beginning.
Let's follow the ref.  [ctrl]+[shift]+[f] and we got the references that points to the rust main function.

After several naming thanks to the Ghidra comments that identify the rust runtime functions, the rust main looks more understandable.
See below the ref to "hello world" that is passed to the string allocated hard-coding the size, because is non-null terminated string and there is no way to size this, this also helps to the rust performance, and avoid the c/c++ problems when you forgot the write the null byte for example miscalculating the size on a memcpy.

Regarding the string object, the allocator internals will reveal the structure in static.
alloc_string function call a function that calls a function that calls a function and so on, so this is the stack (also on static using the Ghidra code comments)

1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
5. alloc::slice::hack::to_vec::h37a40daa915357ad
6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
...


Well I'm not gonna talk about the performance impact on stack but really to program well reusing code grants the maintainability and its good, and I'm sure that the rust developed had measured that and don't compensate to hardcode directly every constructor.

At this point we have two options, check the rust source code, or try to figure out the string object in dynamic with gdb.

Source code

Let's explain this group of substructures having rust source code in the hand.
The string object is defined at string.rs and it's simply an u8 type vector.

And the definition of vector can be found at vec.rs  and is composed by a raw vector an the len which is the usize datatype.

The RawVector is a struct that helds the pointer to the null terminated string stored on an Unique object, and also contains the allocation pointer, here raw_vec.rs definition.

The cap field is the capacity of the allocation and a is the allocator:

Finally the Unique object structure contains a pointer to the null terminated string, and also a one byte marker core::marker::PhantomData

Dynamic analysis

The first parameter of the constructor is the interesting one, and in x64 arch is on RDI register, the extrange sequence RDI,RSI,RDX,RCX it sounds like ACDC with a bit of imagination (di-si-d-c)

So the RDI parámeter is the pointer to the string object:

So RDI contains the stack address pointer that points the the heap address 0x5578f030.
Remember to disable ASLR to correlate the addresses with Ghidra, there is also a plugin to do the synchronization.

Having symbols we can do:
p mystring

and we get the following structure:

String::String {
  vec: alloc::vec::Vec {
    buf: alloc::raw_vec::RawVec {
      ptr: core::ptr::unique::Unique {
        pointer: 0x555555790130 "hello world\000",
        _marker: core::marker::PhantomData
     },
     cap: 11,
     a: alloc::alloc::Global
   },
   len: 11
  }
}

If the binary was compiled with symbols we can walk the substructures in this way:

(gdb) p mystring.vec.buf.ptr
$6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

(gdb) p mystring.vec.len

$8 = 11

If we try to get the pointer of each substructure we would find out that the the pointer is the same:

If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb which is the size, this structure is a vector.

The pionter to the c string is 0x555555790130




This seems the c++ string but, let's look a bit deeper:

RawVector
  Vector:
  (gdb) x/wx 0x7fffffffdf50
  0x7fffffffdf50: 0x55790130  -> low dword c string pointer
  0x7fffffffdf54: 0x00005555  -> hight dword c string pointer
  0x7fffffffdf58: 0x0000000b  -> len

0x7fffffffdf5c: 0x00000000
0x7fffffffdf60: 0x0000000b  -> low cap (capacity)
0x7fffffffdf64: 0x00000000  -> hight cap
0x7fffffffdf68: 0xf722fe27  -> low a  (allocator)
0x7fffffffdf6c: 0x00007fff  -> hight a
0x7fffffffdf70: 0x00000005 

So in this case the whole object is in stack except the null-terminated string.

Related links

1. Hacking Tools 2020
2. Hacker
3. Tools Used For Hacking
4. Hacking Tools For Windows 7
5. Hacker Tools Windows
6. Underground Hacker Sites
7. Beginner Hacker Tools
8. Hack App
9. Hacking Tools For Games
10. Nsa Hacker Tools
11. Hacker Tools Windows
12. Hackrf Tools
13. Hacker Tools For Windows
14. Usb Pentest Tools
15. Hack Tools 2019
16. Hacker Tools
17. Hacking Tools For Pc
18. Underground Hacker Sites
19. Pentest Tools Port Scanner
20. Hacking Tools Free Download
21. Hacking Tools For Games
22. Hacker Search Tools
23. Hack Rom Tools
24. Free Pentest Tools For Windows
25. Hacking Tools For Games
26. Hack Tool Apk No Root
27. Hacks And Tools
28. Computer Hacker
29. New Hack Tools
30. Hacker Tools For Ios
31. Game Hacking
32. Pentest Tools Find Subdomains
33. New Hacker Tools
34. Tools Used For Hacking
35. Hacker Tools Apk
36. Hacking Tools Usb
37. Pentest Tools Website Vulnerability
38. Hack Tools
39. What Are Hacking Tools
40. Bluetooth Hacking Tools Kali
41. Hacker Security Tools
42. Pentest Tools Bluekeep
43. Computer Hacker
44. Hacking Apps
45. Hacker Tools Mac
46. Pentest Tools Bluekeep
47. Hacker Security Tools
48. Nsa Hack Tools
49. What Is Hacking Tools
50. Pentest Tools Url Fuzzer
51. Hacking Tools For Beginners
52. Hack Tools Pc
53. Hack Tools Mac
54. Pentest Tools Alternative
55. World No 1 Hacker Software
56. Hacking Tools For Mac
57. Hacking Apps
58. How To Hack
59. Hacking Tools Download
60. Pentest Tools Github
61. Hacking Tools Pc
62. Hacker Tools
63. Hacker Tools 2020
64. Hacker Tools Windows
65. Hacking Tools Windows 10
66. Pentest Box Tools Download
67. Hacking Tools For Beginners
68. Hack Tools For Ubuntu
69. Hacker Tools Hardware
70. Android Hack Tools Github
71. Hacker Tools For Pc
72. Hacking Tools 2020
73. Best Hacking Tools 2020
74. Pentest Tools Online
75. Hack Tools For Pc
76. Hacking Tools Github
77. Hacking Tools Download
78. Hacker Tools 2019
79. Hacking Tools Github
80. Pentest Tools Free
81. Hacking Tools Download
82. Hack Tools Pc
83. Hack Tools For Pc
84. Hacks And Tools
85. Pentest Tools Framework
86. Hacker Tools Mac
87. Hacker Tools Software
88. Hacker Tools 2020
89. Hackrf Tools
90. Hacker Tools Free
91. Hacking Tools Free Download
92. Github Hacking Tools
93. Hacking Tools Name
94. Pentest Tools For Android
95. Hack Rom Tools
96. Pentest Tools List
97. Hack Tools
98. Hak5 Tools
99. Easy Hack Tools
100. World No 1 Hacker Software
101. Pentest Tools Bluekeep
102. Hacker Tools For Pc
103. Hacking Tools Download
104. Physical Pentest Tools
105. Hacking Tools Windows 10
106. Hack Tools
107. Underground Hacker Sites
108. Pentest Tools Find Subdomains
109. Hacking Tools Online
110. Pentest Tools Review
111. Hack And Tools
112. Hack Tools
113. Hack Tools For Windows
114. Pentest Tools Bluekeep
115. Hacking Tools For Games
116. Hacking Tools Download
117. Wifi Hacker Tools For Windows
118. Pentest Tools Linux
119. Growth Hacker Tools
120. Github Hacking Tools
121. Hack Apps
122. Hacking Tools Github
123. Termux Hacking Tools 2019
124. Tools Used For Hacking
125. Hacker Tools Github
126. Pentest Tools Github
127. Hacking Tools Usb
128. Hacker Tools For Ios
129. Hacking Tools For Pc
130. Tools 4 Hack
131. Hacking Tools Mac
132. Pentest Box Tools Download
133. Hacker Hardware Tools
134. Hacking Tools Windows 10
135. New Hacker Tools
136. Hacker
137. Hack Tool Apk No Root
138. Hacker Tools Hardware
139. Pentest Tools Linux
140. How To Make Hacking Tools
141. Hack Tool Apk
142. Hack Tools
143. Hacker Tools For Mac
144. Hacking Tools Kit
145. Best Hacking Tools 2020
146. Hacker Tools Free
147. Wifi Hacker Tools For Windows
148. Hacker Tools Linux
149. Hack Tools Mac
150. How To Install Pentest Tools In Ubuntu
151. Black Hat Hacker Tools
152. Best Hacking Tools 2020
153. What Are Hacking Tools
154. Physical Pentest Tools
155. Hacker Tools Windows
156. Pentest Tools Nmap
157. Pentest Tools Url Fuzzer
158. Hacker Security Tools
159. Pentest Tools For Mac
160. Pentest Tools Find Subdomains
161. Ethical Hacker Tools
162. Nsa Hack Tools Download
163. Easy Hack Tools
164. Pentest Tools Windows
165. Hacking Apps
166. Hack Tool Apk No Root
167. Underground Hacker Sites