Use this skill when analyzing stripped or static-linked Rust malware or suspicious Rust ELF binaries. Focus on string recovery, panic-path reconstruction, module-tree building, command-dispatch discovery, and protocol recovery.
Use this skill for Rust-heavy reverse engineering workflows, especially when the sample is stripped, static-linked, or hard to analyze with default string/symbol views.
Start with:

```shell
file sample.bin
sha256sum sample.bin
strings -a -n 6 sample.bin | rg -i "panic|thread '[^']*' panicked|::|\\.rs:|tokio|reqwest|serde|ring|rustls|openssl|cmd|/bin/sh"
binwalk sample.bin   # signature scan; add -Me for extraction
```
Then inspect object and import context:

```shell
readelf -h -S sample.bin 2>/dev/null | head -200
objdump -x sample.bin 2>/dev/null | head -200
```
IDA's default string window and strings(1) both under-count Rust
binaries because Rust stores strings as (pointer, length) slices packed
into .rodata, not NUL-terminated. The bundled scanner walks
byte-by-byte and recovers panic paths, crate versions, and command words
that never show up in the UI:
```shell
python3 scripts/rodata_scanner.py sample.bin --min 6 > rodata.strings
wc -l rodata.strings   # baseline: expect 5-20x IDA's count
python3 scripts/rodata_scanner.py sample.bin --grep 'panic|\.rs:'
```
Chain the scanner into the other helpers:

```shell
# reconstruct the attacker's workspace tree from panic paths:
python3 scripts/rodata_scanner.py sample.bin \
  | python3 scripts/panic_path_extractor.py --stdin-text --tree
# mine operator attribution fingerprints (user, crates, rustc, typos):
python3 scripts/rodata_scanner.py sample.bin \
  | python3 scripts/rust_fingerprint.py --stdin-text
# peer IPs from a live-process memory dump (not from the binary):
python3 scripts/mem_peer_extractor.py dump.bin
```
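The byte-by-byte .rodata walk, panic-path extraction, workspace-tree reconstruction and fingerprint mining described above, as an added example that is not the skill's bundled rodata_scanner.py, panic_path_extractor.py or rust_fingerprint.py. It locates .rodata from the ELF64 section header table itself; the sample .rodata bytes, the fake_elf fixture, and the user name, rustc hash and crate version inside them are constructed placeholders, not values from any real sample.

```python
"""Added example: walk an ELF64 .rodata byte-by-byte, recover printable spans that
need no NUL terminator, then mine panic paths, a workspace tree and attribution
fingerprints from them. Not the skill's bundled scripts."""
import re
import struct
import sys

MIN_LEN = 6

# Constructed sample of stripped Rust .rodata: literals sit back to back with no
# terminator, interleaved with non-printable bytes. Hash/version/user are placeholders.
SAMPLE_RODATA = (
    b"\x00\x01\x02"
    b"/home/op/src/bot/src/main.rs"
    b"/home/op/src/bot/src/net/c2.rs"
    b"\xff\x00"
    b"called `Option::unwrap()` on a `None` value"
    b"\x00\x00"
    b"/rustc/PLACEHOLDER_HASH/library/core/src/option.rs"
    b"\x7f\x00"
    b"/home/op/.cargo/registry/src/index.crates.io-PLACEHOLDER/serde-1.0.197/src/de.rs"
    b"\x00"
    b"recieved bad frame"  # constructed misspelling, the typo-pivot kind of string
    b"\x00"
)


def rodata_of(elf: bytes) -> bytes:
    """Locate .rodata via the ELF64 little-endian section header table."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def shdr(i):  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize)

    _, _, _, _, str_off, str_size = shdr(shstrndx)
    names = elf[str_off:str_off + str_size]
    for i in range(shnum):
        name_off, _, _, _, off, size = shdr(i)
        if names[name_off:names.index(b"\x00", name_off)] == b".rodata":
            return elf[off:off + size]
    raise ValueError(".rodata not found")


def fake_elf(rodata: bytes) -> bytes:
    """Constructed fixture: minimal ELF64 holding only .shstrtab and .rodata."""
    names = b"\x00.shstrtab\x00.rodata\x00"
    str_off, ro_off = 64, 64 + len(names)
    shoff = ro_off + len(rodata)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)

    def sh(name_off, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name_off, typ, 0, 0, off, size, 0, 0, 1, 0)

    return (ehdr + names + rodata + sh(0, 0, 0, 0)
            + sh(1, 3, str_off, len(names)) + sh(11, 1, ro_off, len(rodata)))


def printable_spans(data: bytes, min_len: int = MIN_LEN):
    """(offset, text) for every run of printable ASCII (0x20-0x7E) >= min_len.
    No terminator is required, so adjacent literals come out as one span."""
    spans, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                spans.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        spans.append((start, data[start:].decode("ascii")))
    return spans


# Lazy segments so a match ends at the first ".rs": adjacent literals share no
# separator, so a greedy pattern would glue one panic path onto the next.
PATH_RE = re.compile(r"(?:/[\w.\-]+?)+?\.rs")
USER_RE = re.compile(r"^/home/([^/]+)/")
RUSTC_RE = re.compile(r"^/rustc/(\w+)/")
CRATE_RE = re.compile(r"/registry/src/[^/]+/([\w\-]+?)-(\d+\.\d+\.\d+[\w.\-]*)/")


def panic_paths(spans):
    return [p for _, text in spans for p in PATH_RE.findall(text)]


def split_workspace(paths):
    """Author's own source tree vs. toolchain/registry paths."""
    toolchain = [p for p in paths if p.startswith("/rustc/") or "/.cargo/registry/" in p]
    return [p for p in paths if p not in toolchain], toolchain


def path_tree(paths):
    """Fold paths into nested dicts; leaves are empty dicts."""
    tree = {}
    for p in paths:
        node = tree
        for part in p.strip("/").split("/"):
            node = node.setdefault(part, {})
    return tree


def render(tree, indent=0):
    lines = []
    for name in sorted(tree):
        lines.append("  " * indent + name)
        lines.extend(render(tree[name], indent + 1))
    return lines


def fingerprints(paths):
    """Attribution pivots: home-dir user names, rustc build hash, crate versions."""
    fp = {"users": set(), "rustc": set(), "crates": set()}
    for p in paths:
        for key, rx in (("users", USER_RE), ("rustc", RUSTC_RE)):
            if m := rx.match(p):
                fp[key].add(m.group(1))
        if m := CRATE_RE.search(p):
            fp["crates"].add(f"{m.group(1)}-{m.group(2)}")
    return {k: sorted(v) for k, v in fp.items()}


def main(argv):
    image = open(argv[1], "rb").read() if len(argv) > 1 else fake_elf(SAMPLE_RODATA)
    spans = printable_spans(rodata_of(image))
    print(f"{len(spans)} printable spans of >= {MIN_LEN} bytes")
    paths = panic_paths(spans)
    workspace, toolchain = split_workspace(paths)
    print("workspace tree:\n" + "\n".join(render(path_tree(workspace))))
    print("toolchain paths:", *toolchain, sep="\n  ")
    print("fingerprints:", fingerprints(paths))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 rodata_walk.py sample.bin`, or with no argument to exercise the constructed fixture. Two caveats worth knowing before trusting the output: only 0x20-0x7E counts as printable, so a log literal containing a tab or newline is split into two spans, and the lazy path regex cuts a path short if a directory segment itself ends in `.rs`, so review the recovered paths rather than piping them straight into a report.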
Treat the typo output from rust_fingerprint.py --typos-only as your
highest-value global-search pivot: a misspelled word in a log message is
almost always a unique fingerprint across VT + GitHub + google.
If ida-pro-mcp is connected, use:
- find_regex for panic strings, crate paths, command words, and URLs
- xrefs_to on high-signal strings or imports
- decompile likely dispatchers and large branch-heavy handlers
- callgraph from the top dispatcher candidate before bulk renaming
- py_eval to port rodata_scanner.py into IDA so the results are anchored to addresses you can xref from (see reverse-ida-mcp-driver for the ready-to-paste py_eval payload)

For Rust samples, assume:
Produce:
Identify:
Prioritize:
- .rodata printable spans

Do not dump raw strings without clustering.
Cluster into:
Use recovered file paths and panic paths to build:
Highlight files that likely correspond to:
Use command-like strings and xrefs to find:
Build a command map with confidence labels.
If ida-pro-mcp is connected, prioritize:
- find_regex for command words, JSON keys, panic paths, and protocol strings
- xrefs_to from those hits
- decompile the narrowest branch-heavy callers first
- rename only after the command map is stable

Try to recover:
Never invent exact field semantics. Prefer neutral placeholders like:
If protocol detail becomes the main question, hand off to reverse-protocol-reconstruction.
If build paths, wallets, cloud relays, or operator traces emerge, hand off to reverse-operator-attribution.
Minimum artifact bundle:
[2-5 sentences]