This repository documents ongoing PhD research focused on the static and dynamic analysis of Rust binaries, particularly for malware reverse engineering. The goal is to advance open methodologies, tooling, and datasets that help the security community understand, detect, and analyse Rust-based threats using cutting-edge binary analysis techniques.
The methodology of Rust binary analysis extends and builds on the excellent groundwork of Cindy Xiao and Ben Herzog, pushing analysis from language-feature exploration into real-world malware detection and reverse engineering. A detailed report can be found at Checkpoint Research - Rust Binary Analysis, Feature by Feature.
This project bridges the gap between academic research and hands-on security analysis for Rust binaries, especially those encountered in malware investigations.
Visit the Project Website for comprehensive documentation, wiki, and analysis guides.
Modern malware increasingly leverages Rust for its safety features and unique compiler output, presenting fresh challenges in binary analysis. This project investigates the characteristic features of Rust binaries, exploring:
- Monomorphisation and generic code expansion
- Trait objects and vtable structures
- Name mangling and symbol analysis
- Compilation pipeline impact on detection
- Zero-cost abstractions in binary form
- Runtime initialisation (C vs C++ vs Rust comparison)
- Cross-platform compilation (x86, x86-64, GNU vs MSVC toolchains)
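The name-mangling point above in working code, as an added example that is not part of this repository: a small Python demangler for rustc's older `legacy` symbol scheme (`_ZN<len><ident>...<len>h<16 hex digits>E`), the form many stripped-symbol-table leftovers and panic strings still expose. It handles the ELF (`_ZN`), Mach-O (`__ZN`) and MSVC (`ZN`) prefixes, the `$LT$`/`$GT$`/`$u20$` escapes used for trait impls, and the `.llvm.` LTO suffix; v0 mangling is out of scope. The escape table and helper names are the example's own.

```python
import re

# Legacy rustc mangling: escapes for characters that cannot appear in a symbol.
_ESCAPES = {"SP": "@", "BP": "*", "RF": "&", "LT": "<", "GT": ">",
            "LP": "(", "RP": ")", "C": ","}
_HASH_RE = re.compile(r"^h[0-9a-f]{16}$")   # trailing "17h<hash>" element

def _unescape(ident):
    """Decode $..$ escapes and '..' path separators inside one path element."""
    if ident.startswith("_$"):          # rustc pads an escape-initial ident with '_'
        ident = ident[1:]
    out, i = [], 0
    while i < len(ident):
        if ident.startswith("..", i):
            out.append("::"); i += 2
        elif ident[i] == "$" and (end := ident.find("$", i + 1)) != -1:
            code = ident[i + 1:end]
            if code in _ESCAPES:
                out.append(_ESCAPES[code])
            elif re.fullmatch(r"u[0-9a-f]+", code):
                out.append(chr(int(code[1:], 16)))   # $uXX$ is a Unicode code point
            else:
                out.append(ident[i:end + 1])        # unknown escape: keep verbatim
            i = end + 1
        else:
            out.append(ident[i]); i += 1
    return "".join(out)

def demangle_legacy(symbol):
    """Return (path, hash_or_None) for a legacy Rust symbol, else None."""
    llvm = symbol.find(".llvm.")          # LTO-local suffix such as ".llvm.1234"
    if llvm != -1 and re.fullmatch(r"[0-9a-fA-F@]+", symbol[llvm + 6:]):
        symbol = symbol[:llvm]
    m = re.fullmatch(r"_?_?ZN(.*)E", symbol)
    if not m:
        return None
    body, elems, i = m.group(1), [], 0
    while i < len(body):                  # <decimal length><ident> repeated until 'E'
        j = i
        while j < len(body) and body[j].isdigit():
            j += 1
        n = int(body[i:j]) if j > i else -1
        if n < 0 or j + n > len(body):    # malformed length: not a legacy Rust symbol
            return None
        elems.append(body[j:j + n]); i = j + n
    if not elems:
        return None
    h = elems.pop()[1:] if _HASH_RE.match(elems[-1]) else None
    return "::".join(_unescape(e) for e in elems), h

if __name__ == "__main__":   # constructed sample symbols, not taken from a real binary
    for s in ("_ZN4core3fmt5write17h1a2b3c4d5e6f7a8bE",
              "_ZN60_$LT$std..io..error..Error$u20$as$u20$core..fmt..Display$GT$3fmt17h0123456789abcdefE"):
        print(s, "->", demangle_legacy(s))
```

The stripped hash is worth keeping separately: it changes with every rustc version and crate revision, so a detection rule keyed on the demangled path survives rebuilds while one keyed on the full symbol does not.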
- Reverse Engineering - Analyse Rust binaries with state-of-the-art tools (IDA Pro, Ghidra, Binary Ninja)
- Detection Frameworks - Develop scalable frameworks for automated Rust malware detection
- Program Analysis - Extract control flow graphs, trait/vtable patterns, and MIR insights
- Dataset Curation - Build comprehensive sample datasets with benign and malicious binaries
- Open Research - Share methodology documentation, tooling prototypes, and findings
Note: This repository is under active development as part of an ongoing PhD project. Code, scripts, and documentation are subject to regular updates. Contributions and feedback are welcome!
```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Add cross-compilation targets
rustup target add x86_64-pc-windows-msvc
rustup target add i686-pc-windows-msvc
rustup target add x86_64-pc-windows-gnu
rustup target add i686-pc-windows-gnu
```

See the Installation Guide for detailed instructions.
```bash
# Clone the repository
git clone https://github.com/Yen-Coder/The-State-of-Rust-in-Malware-Programming.git
cd The-State-of-Rust-in-Malware-Programming

# Build a sample project with different configurations
cd src/01-Rust-Binary-Analysis/01-basic_pl_concepts

# Standard release build
cargo build --release

# Cross-compile for different targets
cargo build --release --target x86_64-pc-windows-msvc
cargo build --release --target i686-pc-windows-gnu
```

See Building Rust Samples for more build configurations.
Explore compiled binaries in datasets/Benign-Samples/ using reverse engineering tools:
- Binary Ninja (recommended for this research)
- IDA Pro
- Ghidra
See Basic PL Concepts Analysis for detailed binary analysis examples.
- `src/` - Detection frameworks, analysis scripts, and Rust test cases
- `datasets/` - Datasets and signatures for experiments (where licensing permits)
- `docs/` - Methodology, experiment notes, and work-in-progress academic writing
- `tools/` - Helper scripts and tool integrations for various reverse engineering platforms
- Early scripts for vtable/trait object extraction
- Preliminary dataset collection (benign & malicious Rust binaries)
- Comparative notes on Ghidra, IDA, and Binary Ninja for Rust binaries
Feel free to create issues or pull requests for bugs, suggestions, or research ideas. Due to the ongoing nature of this PhD project, responses may be delayed.
Major inspiration for this research comes from community-driven explorations of Rust binary internals and academic efforts to demystify compiled Rust code for security analysis.
- rust-re-tour - BenH11235's excellent groundwork on Rust binary analysis feature exploration
- Checkpoint Research - Rust Binary Analysis, Feature by Feature - Detailed report on Rust binary analysis techniques
This repository includes a tailored `.gitignore` for Rust/Cargo projects. Key points:
- `target/` (build artifacts) is ignored to avoid committing large compiled files.
- Editor and OS artifacts (e.g. `.idea/`, `.vscode/`, `.DS_Store`) are ignored.
- `Cargo.lock` is present in the repository root; for applications it's recommended to commit it so builds are reproducible, while for libraries you may prefer to exclude it.
- If you use a custom `CARGO_TARGET_DIR`, add it to `.gitignore` or set it outside the repo.

If you want a different policy (e.g., commit `target/` for caching in CI), open an issue or submit a PR so we can discuss the tradeoffs.