Decoding Rust Strings in ELF Firmware Binaries

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://pentestpartners.com/security-blog/decoding-rust-strings
• Blog Title: Decoding Rust Strings in ELF Firmware Binaries
• Suggested Section: Reversing / Reversing Tools & Basic Methods or Hardware/Physical Access / Firmware Analysis

🎯 Content Summary

Overview
The post explains a practical reverse-engineering technique for recovering Rust strings from Linux ELF firmware binaries, especially embedded/ARM device binaries where Ghidra may fail to identify Rust string references correctly. The author encountered this while reversing a custom ARM-based device binary that acted as both a web server and a system controller. The binary was written in Rust, which made normal string discovery less effective because Rust does not al...

🔧 Technical Details

Rust ELF string reconstruction: Rust binaries may store string references as metadata tuples instead of NUL-terminated byte arrays. In the observed rustc output, each reference is an 8-byte little-endian pointer followed by an 8-byte little-endian length. The actual string bytes live sequentially in .rodata without separators, so generic string scanners can merge multiple logical strings together. To recover the strings, inspect the ELF sections with readelf -S or objdump -h, identify the virtual address and size of .rodata, then scan .data.rel.ro word-by-word. Any word whose value falls inside the .rodata range is a candidate string pointer, and the following word is the candidate length. Read exactly that many bytes from .rodata and apply sanity filters such as ignoring values below 4 bytes or above 100 bytes.

Improving Ghidra analysis for Rust fir...

🤖 Agent Actions

Updated src/reversing/reversing-tools-basic-methods/README.md.

What I added:

• Expanded the existing Rust section instead of creating a new page.
• Added a concise subsection on recovering Rust strings from ELF firmware:
  • Rust pointer/length string tuples in .data.rel.ro
  • actual string blob in .rodata
  • readelf -S / objdump -h workflow
  • pointer-range + next-word-length extraction heuristic
  • short extraction snippet
  • why this helps in firmware reversing and Ghidra analysis
• Updated the file’s References section with:
  • the Pen Test Partners blog
  • rust-strings
  • RustStrings.py

Why this location:

• The technique is primarily a reversing method, not a firmware-specific vulnerability class.
• HackTricks already had a small Rust subsection there, so this was the cleanest non-duplicative place.

Validation:

• Verified the diff.
• Tried mdbook build, but mdbook is not installed in this environment (/bin/bash: mdbook: command not found).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://pentestpartners.com/security-blog/decoding-rust-strings

Content Categories: Based on the analysis, this content was categorized under "Reversing / Reversing Tools & Basic Methods or Hardware/Physical Access / Firmware Analysis".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0