Materials for the workshop Reversing a (not-so-) Simple Rust Loader at Ringzer0 COUNTERMEASURE, conducted by Cindy Xiao on 2025-11-07 in Ottawa, Canada.
- Download a copy of the free version of Binary Ninja: https://binary.ninja/free
- Download a copy of the malware sample that will be used in the workshop, from Malware Bazaar: https://bazaar.abuse.ch/sample/2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b/.
- Participants should be aware that this is malware, and take precautions when handling the sample to avoid accidental execution. We will only be analyzing the sample statically. However, to limit the potential damage of an accidental execution, setting up a virtual machine or a non-Windows machine is recommended.
- Slides: PDF slides are available in slides/.
- Binary Ninja Database: A Binary Ninja Database with full annotations for the sample is available in bndbs/. Check out the Tags in the database for key locations in the binary, and the History in the database for a step-by-step walkthrough of how we marked up the binary.
- Original article with analysis of the same sample, for a written supplement: cxiao.net - Reversing a (not-so-) Simple Rust Loader - 2025-08-17
These Rust resources are not in the slides, but were mentioned during the live version of the workshop:
- N0fix/rustbinsign - Project for creating IDA FLIRT signatures for Rust libraries. Recommended.
- microsoft/RIFT - Another project for creating IDA FLIRT signatures for Rust libraries.
- Reconstructing Rust Types: A Practical Guide for Reverse Engineers - RE//verse 2025