diff --git a/README.md b/README.md index c9fde9e..1afb0bf 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,45 @@

- GhidRust + GhidRust

GhidRust

-

GhidRust: Rust binary analysis extension

+

GhidRust: Rust binary analysis extension for Ghidra

+**Status:** Currently, the plugin is under extensive development. It is far from maturity. But a working prototype can be expected within a few weeks. + +![](./media/extension_entry.png) + +This project was a part of one of my institute courses. For a detailed overview, please have a look at the [report](./media/report.pdf) created for the course submission. The following README is fairly sparse. + +## Features + +### Rust binary detection + +The plugin can detect Rust binaries. To use the feature, click on `GhidRust -> Check if Rust binary`. It will show a popup indicating whether it's a Rust binary or not. + +May not be a Rust binary | May be a Rust binary +:-------------------------:|:-------------------------: +![](./media/not_rust_bin.png) | ![](./media/rust_bin.png) + +### Function ID + +The plugin also consists of `RustStdAnalyzer` which analyzes Rust binaries and applies function signatures to the library functions (Rust's `std`) found in the binary. This is done using `.fidb` function ID database. A default database for x86-64 and Rust version 1.58.1 has been provided at [`libstd.fidb`](./data/libstd-4c74cbab78ec4891.fidb). This is useful when analyzing stripped Rust binaries. + +Without Function ID | With Function ID +:-------------------------:|:-------------------------: +![](./media/without_fid.png) | ![](./media/with_fid.png) + +The analyzer is enabled by default for Rust binaries, and it's name in analyzer window is _"Detect Rust libstd functions"_. + +![](./media/analyzer_entry.png) + +### Decompilation + +This is a work-in-progress feature as of now. It requires parsing the decompiled C code and then emitting the corresponding Rust code. Once that is done, Rust macro support will also be added in the future. + +The decompiler panel can be accessed by clicking `GhidRust -> Open decompiler`. It looks as follows. + +![](./media/return_0.png) + ## Building There is a build script provided (`build.sh`) which can build and install the extension. 
@@ -29,3 +65,7 @@ You can install it using the install flag as follows. ``` ./build.sh -ig ``` + +## Adding it to Ghidra + +To add it to Ghidra, just click on `File -> Install Extensions...` and choose GhidRust there. Once installed, you will have a `GhidRust` entry in the Ghidra toolbar which can be used to invoke the plugin. diff --git a/media/analyzer_entry.png b/media/analyzer_entry.png new file mode 100644 index 0000000..3239237 Binary files /dev/null and b/media/analyzer_entry.png differ diff --git a/media/extension_entry.png b/media/extension_entry.png new file mode 100644 index 0000000..6f58170 Binary files /dev/null and b/media/extension_entry.png differ diff --git a/images/ghidrust.png b/media/ghidrust.png similarity index 100% rename from images/ghidrust.png rename to media/ghidrust.png diff --git a/media/not_rust_bin.png b/media/not_rust_bin.png new file mode 100644 index 0000000..cad0b9a Binary files /dev/null and b/media/not_rust_bin.png differ diff --git a/media/report.pdf b/media/report.pdf new file mode 100644 index 0000000..a8528a3 Binary files /dev/null and b/media/report.pdf differ diff --git a/media/return_0.png b/media/return_0.png new file mode 100644 index 0000000..63bfcb7 Binary files /dev/null and b/media/return_0.png differ diff --git a/media/rust_bin.png b/media/rust_bin.png new file mode 100644 index 0000000..2bda0da Binary files /dev/null and b/media/rust_bin.png differ diff --git a/media/with_fid.png b/media/with_fid.png new file mode 100644 index 0000000..a53d883 Binary files /dev/null and b/media/with_fid.png differ diff --git a/media/without_fid.png b/media/without_fid.png new file mode 100644 index 0000000..e00eb67 Binary files /dev/null and b/media/without_fid.png differ
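Review bot: in the first README.md hunk (`@@ -1,9 +1,45 @@`), the Function ID section states that the bundled database covers x86-64 and Rust version 1.58.1, and that the analyzer is enabled by default for Rust binaries, but it does not say what happens on a binary built for another architecture or with another Rust version. Please add a sentence on the expected result in that case and on how a user supplies a different `.fidb`, so an analyst does not read missing `std` names as "no library code present". In the same section, "it's name in analyzer window" should read "its name in the analyzer window". The detection section says the plugin "can detect Rust binaries" while the table headings read "May not be a Rust binary" and "May be a Rust binary"; a line on what the check is based on would tell the reader how far to trust the popup.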
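Review bot: in the second README.md hunk (`@@ -29,3 +65,7 @@`), the new "Adding it to Ghidra" section does not say how it relates to the `./build.sh -ig` install step directly above it. Please state whether `File -> Install Extensions...` is still required after running with the install flag or only when the extension was built without it, and whether Ghidra has to be restarted before the `GhidRust` toolbar entry appears.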
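Review bot: in the binary file entries, `images/ghidrust.png` is renamed to `media/ghidrust.png` at 100% similarity, but the README header change as shown here does not make the image path visible, so please confirm no reference to `images/ghidrust.png` remains. The README also points readers to `media/report.pdf` for the detailed overview while describing itself as "fairly sparse"; since the PDF is added as an opaque binary, consider moving the parts a user needs (detection basis, Function ID limits) into the README text where they can be reviewed and diffed.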