Identifying Rust binaries

To identify Rust binaries, we studied character and byte strings that are specific to release and size-minimized builds of Rust binaries.

Study results

Our study shows that YARA rules can detect some size-minimized Rust binaries by combining several specific strings with byte patterns from the core::panic::Location struct that references those strings.

Details

Using the results from "Differences between binaries, associated with setting modifications of Profiles in Cargo," "Reducing binary sizes" and "Identifying main function, and initialization," we created the following YARA rules to identify Rust binaries:

```yara
private rule PE_Signature
{
    condition:
        // "MZ" read as a little-endian uint16; every rule below is gated on a PE file
        uint16(0) == 0x5A4D
}

private rule Plain_Rust_Binary
{
    meta:
        description = "Detect plain Rust binary"
        author = "JPCERT/CC Incident Response Group"

    strings:
        // panic messages that std keeps in release builds
        $s1 = "run with `RUST_BACKTRACE=1` environment variable to display a backtrace"
        $s2 = "called `Result::unwrap()` on an `Err` value"
        $s3 = "called `Option::unwrap()` on a `None` value"

    condition:
        PE_Signature and all of them
}

private rule Minsized_Rust_Binary
{
    meta:
        description = "Detect minsized Rust binary"
        author = "JPCERT/CC Incident Response Group"

    strings:
        $s1 = "<unknown>"
        $s2 = "<redacted>"
        $s3 = "failed to write whole buffer"
        $s4 = "failed to write the buffered data"
        // two consecutive usize values (64-bit and 32-bit layouts) from the
        // core::panic::Location data that references the strings above;
        // 0x1C and 0x21 are the byte lengths of $s3 and $s4
        $c1_64 = {1C 00 00 00 00 00 00 00 17 00 00 00 00 00 00 00}
        $c1_32 = {1C 00 00 00 17 00 00 00}
        $c2_64 = {21 00 00 00 00 00 00 00 17 00 00 00 00 00 00 00}
        $c2_32 = {21 00 00 00 17 00 00 00}

    condition:
        PE_Signature and 3 of ($s*) and 1 of ($c1*) and 1 of ($c2*)
}

rule Rust_Binary
{
    meta:
        description = "Detect Rust binary"
        author = "JPCERT/CC Incident Response Group"

    condition:
        Plain_Rust_Binary or Minsized_Rust_Binary
}
```
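To make the condition semantics of these rules visible without a YARA install, the following pure-Python emulation of the rule logic is run over constructed byte buffers that stand in for a release PE, a 64-bit and a 32-bit size-minimized PE, a PE missing the `$c2` pattern, and an ELF carrying the same strings. This is an added example, not code from the JPCERT/CC repository: the string atoms and the usize pairs are copied from the rules above, while the `build_sample` helper, the fake 64-byte headers and the sample names are assumptions of this example.

```python
"""Pure-Python emulation of the Rust_Binary YARA rules over constructed samples.

Added example, not JPCERT/CC code. Atoms and usize pairs are copied from the
rules; the sample buffers are constructed here and are not real binaries.
"""
import struct

# String atoms from Plain_Rust_Binary (condition: all of them).
PLAIN_STRINGS = (
    b"run with `RUST_BACKTRACE=1` environment variable to display a backtrace",
    b"called `Result::unwrap()` on an `Err` value",
    b"called `Option::unwrap()` on a `None` value",
)

# String atoms from Minsized_Rust_Binary (condition: 3 of ($s*)).
MINSIZED_STRINGS = (
    b"<unknown>",
    b"<redacted>",
    b"failed to write whole buffer",        # 28 bytes = 0x1C
    b"failed to write the buffered data",   # 33 bytes = 0x21
)


def usize_pair(first: int, second: int, bits: int) -> bytes:
    """Two consecutive little-endian usize values, as in $c*_64 / $c*_32."""
    fmt = "<QQ" if bits == 64 else "<II"
    return struct.pack(fmt, first, second)


def location_patterns(bits: int) -> dict:
    """The $c1/$c2 hex patterns for a pointer width; 0x17 is taken from the rule as-is."""
    return {"c1": usize_pair(0x1C, 0x17, bits), "c2": usize_pair(0x21, 0x17, bits)}


def pe_signature(data: bytes) -> bool:
    """uint16(0) == 0x5A4D: YARA reads little-endian, so this is the bytes 'MZ'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def plain_rust_binary(data: bytes) -> bool:
    return pe_signature(data) and all(s in data for s in PLAIN_STRINGS)


def minsized_rust_binary(data: bytes) -> bool:
    if not pe_signature(data):
        return False
    hits = sum(1 for s in MINSIZED_STRINGS if s in data)
    c1 = any(location_patterns(b)["c1"] in data for b in (32, 64))
    c2 = any(location_patterns(b)["c2"] in data for b in (32, 64))
    return hits >= 3 and c1 and c2


def rust_binary(data: bytes) -> bool:
    """Top-level rule: Plain_Rust_Binary or Minsized_Rust_Binary."""
    return plain_rust_binary(data) or minsized_rust_binary(data)


def build_sample(header: bytes, atoms) -> bytes:
    """Constructed buffer: a fake 64-byte file header followed by NUL-separated atoms."""
    return header.ljust(64, b"\0") + b"\0".join(atoms) + b"\0"


MZ = b"MZ"          # PE/DOS header magic
ELF = b"\x7fELF"    # ELF magic: uint16(0) is 0x457F, so PE_Signature fails

P64 = location_patterns(64)
P32 = location_patterns(32)

SAMPLES = {
    # Release build for Windows: all three panic-message atoms present.
    "plain_pe": build_sample(MZ, PLAIN_STRINGS),
    # Size-minimized 64-bit PE: three of the four strings plus both usize pairs.
    "minsized_pe64": build_sample(MZ, MINSIZED_STRINGS[:3] + (P64["c1"], P64["c2"])),
    # Same with the 32-bit layout and a different three-of-four subset.
    "minsized_pe32": build_sample(MZ, MINSIZED_STRINGS[1:] + (P32["c1"], P32["c2"])),
    # All four strings but no $c2 pattern: "1 of ($c2*)" is not satisfied.
    "minsized_pe64_no_c2": build_sample(MZ, MINSIZED_STRINGS + (P64["c1"],)),
    # Linux build with the same strings: not a PE, so neither private rule fires.
    "plain_elf": build_sample(ELF, PLAIN_STRINGS),
}


def scan_all() -> dict:
    """Evaluate Rust_Binary over every constructed sample."""
    return {name: rust_binary(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_all().items():
        print(f"{name:22s} Rust_Binary={hit}")
```

With yara-python installed, the same buffers can be checked against the real rules with `yara.compile(source=...)` and `rules.match(data=buf)`; the emulation only exists to show the condition logic offline. Two consequences of the rules are worth keeping in mind when triaging: both private rules are gated on `PE_Signature`, so ELF or Mach-O Rust binaries never match, and `Minsized_Rust_Binary` needs one pattern from each of the `$c1` and `$c2` groups, so a sample that carries all four strings but only a `$c1` pattern is still rejected.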