Social 📸 Photography

Cindʎ Xiao 🍉<a href="https://infosec.exchange/@REverseConf" class="u-url mention" rel="nofollow noopener" target="_blank">@REverseConf</a> If you ever need to find both the talk video and the slides again, they are collected in one place on my site and on GitHub, for your convenient bookmarking:<a href="https://cxiao.net/posts/2025-02-28-reconstructing-rust-types-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank">https://cxiao.net/posts/2025-02-28-reconstructing-rust-types-re-verse-2025/</a> <a href="https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank">https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025/</a><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#ReverseEngineering</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#MalwareAnalysis</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a>

Cindʎ Xiao 🍉<a href="https://infosec.exchange/@REverseConf" class="u-url mention" rel="nofollow noopener" target="_blank">@REverseConf</a> The slides for "Reconstructing Rust Types: A Practical Guide for Reverse Engineers" are also available! There is a convenient single-page HTML version if you want to use the material in the presentation as a reference, for your own reversing!<a href="https://cxiao.net/posts/2025-02-28-reconstructing-rust-types-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank">https://cxiao.net/posts/2025-02-28-reconstructing-rust-types-re-verse-2025/</a> <a href="https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025/" rel="nofollow noopener" translate="no" target="_blank">https://github.com/cxiao/reconstructing-rust-types-talk-re-verse-2025/</a><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#ReverseEngineering</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#MalwareAnalysis</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a>

Cindʎ Xiao 🍉Hi Rust reversing fans - the recording of my talk at <a href="https://infosec.exchange/@REverseConf" class="u-url mention" rel="nofollow noopener" target="_blank">@REverseConf</a>: Reconstructing Rust Types: A Practical Guide for Reverse Engineers, is available for you to watch!<a href="https://www.youtube.com/watch?v=SGLX7g2a-gw" rel="nofollow noopener" translate="no" target="_blank">https://www.youtube.com/watch?v=SGLX7g2a-gw</a><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/ReverseEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#ReverseEngineering</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#MalwareAnalysis</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a>

☮ ♥ ♬ 🧑‍💻Day 32 🗳️💨Things are coming in thick and fast today, so I’ll try to summarise the major themes. No Policies of the <a href="https://ioc.exchange/tags/Liberal" class="mention hashtag" rel="nofollow noopener" target="_blank">#Liberal</a>, <a href="https://ioc.exchange/tags/LNP" class="mention hashtag" rel="nofollow noopener" target="_blank">#LNP</a> and <a href="https://ioc.exchange/tags/Coalition" class="mention hashtag" rel="nofollow noopener" target="_blank">#Coalition</a>. <a href="https://ioc.exchange/tags/AngusTaylor" class="mention hashtag" rel="nofollow noopener" target="_blank">#AngusTaylor</a> (Opposition Treasurer, Liberal) hands in his <a href="https://ioc.exchange/tags/Economics" class="mention hashtag" rel="nofollow noopener" target="_blank">#Economics</a> homework late, it’s got problems. A 🎃 derivative that is toxic ☢️“A Coalition government would drive the <a href="https://ioc.exchange/tags/budget" class="mention hashtag" rel="nofollow noopener" target="_blank">#budget</a> deeper into <a href="https://ioc.exchange/tags/deficit" class="mention hashtag" rel="nofollow noopener" target="_blank">#deficit</a> over the coming two years, as the shadow finance minister, <a href="https://ioc.exchange/tags/JaneHume" class="mention hashtag" rel="nofollow noopener" target="_blank">#JaneHume</a>, insisted her party’s plan to save $17.2bn by <a href="https://ioc.exchange/tags/slashing" class="mention hashtag" rel="nofollow noopener" target="_blank">#slashing</a> the number of <a href="https://ioc.exchange/tags/Canberra" class="mention hashtag" rel="nofollow noopener" target="_blank">#Canberra</a>-based <a href="https://ioc.exchange/tags/PublicServants" class="mention hashtag" rel="nofollow noopener" target="_blank">#PublicServants</a> by 41,000 through “natural attrition” was achievable.”If returned to power, the Coalition would gut a long list of environment and clean energy programs, including <a href="https://ioc.exchange/tags/scrapping" class="mention hashtag" rel="nofollow noopener" target="_blank">#scrapping</a> the <a href="https://ioc.exchange/tags/NetZero" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetZero</a> <a href="https://ioc.exchange/tags/Economy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Economy</a> <a href="https://ioc.exchange/tags/Agency" class="mention hashtag" rel="nofollow noopener" target="_blank">#Agency</a>, reversing Labor’s <a href="https://ioc.exchange/tags/TaxBreaks" class="mention hashtag" rel="nofollow noopener" target="_blank">#TaxBreaks</a> for <a href="https://ioc.exchange/tags/ElectricVehicles" class="mention hashtag" rel="nofollow noopener" target="_blank">#ElectricVehicles</a>, and redirecting money slated for the <a href="https://ioc.exchange/tags/HomeBatteries" class="mention hashtag" rel="nofollow noopener" target="_blank">#HomeBatteries</a> program.<a href="https://ioc.exchange/tags/Reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Reversing</a> tax incentives for green hydrogen would save $1.5bn over four years, and not proceeding with Labor’s critical mineral production tax credits would save $1.2bn, the Coalition’s election policy costings show.”<a href="https://ioc.exchange/tags/AusPol" class="mention hashtag" rel="nofollow noopener" target="_blank">#AusPol</a> / <a href="https://ioc.exchange/tags/treasury" class="mention hashtag" rel="nofollow noopener" target="_blank">#treasury</a> / <a href="https://ioc.exchange/tags/costings" class="mention hashtag" rel="nofollow noopener" target="_blank">#costings</a> / <a href="https://ioc.exchange/tags/economy" class="mention hashtag" rel="nofollow noopener" target="_blank">#economy</a> / <a href="https://ioc.exchange/tags/future" class="mention hashtag" rel="nofollow noopener" target="_blank">#future</a> <<a href="https://www.theguardian.com/australia-news/2025/may/01/coalition-costings-federal-election-promises-larger-deficit-cut-foreign-aid-environment-clean-energy" rel="nofollow noopener" translate="no" target="_blank">https://www.theguardian.com/australia-news/2025/may/01/coalition-costings-federal-election-promises-larger-deficit-cut-foreign-aid-environment-clean-energy</a>>

Alexandre BorgesDEFCON 33 CTF Write-Up Series #1: jxl4fun2 (pwn):<a href="https://blog.cykor.kr/2025/04/DEFCON-33-Series-jxl4fun-pwn" rel="nofollow noopener" translate="no" target="_blank">https://blog.cykor.kr/2025/04/DEFCON-33-Series-jxl4fun-pwn</a>DEFCON 33 CTF Write-Up Series #2: tinii (rev):<a href="https://blog.cykor.kr/2025/04/DEFCON-33-Series-tinii" rel="nofollow noopener" translate="no" target="_blank">https://blog.cykor.kr/2025/04/DEFCON-33-Series-tinii</a><a href="https://infosec.exchange/tags/ctf" class="mention hashtag" rel="nofollow noopener" target="_blank">#ctf</a> <a href="https://infosec.exchange/tags/defcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#defcon</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a>

Volexity :verified:In the course of its investigations, <a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener" target="_blank">@volexity</a> frequently encounters malware samples written in Golang. This reflects the increase in popularity of the Golang generally, and presents challenges to reverse engineering tools.   Today, <a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener" target="_blank">@volexity</a> is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. <a href="https://infosec.exchange/@r00tbsd" class="u-url mention" rel="nofollow noopener" target="_blank">@r00tbsd</a> & Killian Raimbaud presented details at INCYBER Forum earlier today.   GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!   Check out the blog post on how GoResolver works and where to download it: <a href="https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/" rel="nofollow noopener" translate="no" target="_blank">https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/</a>   <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#malwareanalysis</a>

Rairii :win3_progman: :win3: a discord guild i was in got some malspam (link to reddit post which linked to malware present on compromised wordpress site sexccessories.co[.]ke)Funnily enough, there were supposedly both windows and mac samples present, except they fucked up with the mac one, a passworded zip containing a “dmg” which is actually the following text:<pre><code>Build failed: failed to create DMG: exit status 64 Output: Creating disk image... Mounting disk image... Device name: /dev/disk4 Searching for mounted interstitial disk image using /dev/disk4s... Mount dir: /Volumes/dmg.kfA109 Copying background file '/tmp/8aAwS.png'... Copying volume icon file '/Users/user/desktop/TradingView_3760.icns'... Will sleep for 2 seconds to workaround occasions "Can't get disk (-1728)" issues... Running AppleScript to make Finder stuff pretty: /usr/bin/osascript "/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk" "dmg.kfA109" /var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk:85:89: execution error: Finder got an error: Can’t get disk "dmg.kfA109". (-1728) Failed running AppleScript Unmounting disk image... "disk4" ejected. </code></pre>I predicted it would be a packed stealer of some description. I was right, unpacked binary is lumma stealer.Been a while since I’ve done manual unpacking of a malware sample, this one was fun. The packer is the same as described here <a href="https://alertoverload.com/posts/2025/01/remcos-v5.3.0/" rel="nofollow noopener" target="_blank">https://alertoverload.com/posts/2025/01/remcos-v5.3.0/</a>Original zipfile has the hash <code>85a2619c5bc5ae10d9ab3aab48c364b638d7b835d169f651b08c1f0282c39d58</code>.The original binary was ~800MB, padded with garbage. Removing that padding yields a binary with the hash <code>d0e956e5fe825e8f2817ce660d3680294d790cf1baec0bdfdc540841e7202c80</code> - and manually unpacking that gives <code>bbd1e2cc95f1907d4c8c92d66bc62f43aa3e5634af6bdb947dfd826023195253</code>.There’s also a bunch of additional stuff in the zip alongside the malware sample; copied straight from a windows installation, and the way it was copied in revealed the localisation installed on that system, which is unsurprisingly Russian (Russia) [<code>ru-RU</code>].<a class="hashtag" href="https://labyrinth.zone/tag/malware" rel="nofollow noopener" target="_blank">#malware</a> <a class="hashtag" href="https://labyrinth.zone/tag/reversing" rel="nofollow noopener" target="_blank">#reversing</a> <a class="hashtag" href="https://labyrinth.zone/tag/infosec" rel="nofollow noopener" target="_blank">#infosec</a>

kriware :verified:Stuxnet Rootkit Analysis and SimulationThis GitHub project provides a detailed simulation of the Stuxnet rootkit's operation, useful for cybersecurity education and research on complex malware behavior.<a href="https://github.com/ring0-c0d3-br34k3r/Stuxnet-Rootkit" rel="nofollow noopener" translate="no" target="_blank">https://github.com/ring0-c0d3-br34k3r/Stuxnet-Rootkit</a><a href="https://infosec.exchange/tags/Stuxnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Stuxnet</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a>

blub<a href="https://norden.social/tags/DLF" class="mention hashtag" rel="nofollow noopener" target="_blank">#DLF</a> Podcast über den <a href="https://norden.social/tags/darkavenger" class="mention hashtag" rel="nofollow noopener" target="_blank">#darkavenger</a> <a href="https://www.deutschlandfunk.de/dark-avenger-100.html" rel="nofollow noopener" translate="no" target="_blank">https://www.deutschlandfunk.de/dark-avenger-100.html</a><a href="https://norden.social/tags/Bulgarien" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bulgarien</a> <a href="https://norden.social/tags/VX" class="mention hashtag" rel="nofollow noopener" target="_blank">#VX</a> <a href="https://norden.social/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a>

MalwareLabDecryption of strings from <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsyncRAT</a>/#DcRat/#VenomRAT configuration with <a href="https://infosec.exchange/tags/CyberChef" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberChef</a>. Little bit of <a href="https://infosec.exchange/tags/Dotnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Dotnet</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> and commented recipe with usage of registers for PBKDF2 and AES decryptionBlog post: <a href="https://malwarelab.eu/posts/asyncrat-cyberchef/" rel="nofollow noopener" translate="no" target="_blank">https://malwarelab.eu/posts/asyncrat-cyberchef/</a> Recipe with example input: <a href="https://tinyurl.com/AsyncRatConfigDecryptor2" rel="nofollow noopener" translate="no" target="_blank">https://tinyurl.com/AsyncRatConfigDecryptor2</a>

Davide Eynard (+mala)Hi everyone! Six more months passed since my last <a href="https://fosstodon.org/tags/introduction" class="mention hashtag" rel="nofollow noopener" target="_blank">#introduction</a>, so here is an updated one:AKA: +mala, AiTTaLaMJob: Doin’ trustworthy <a href="https://fosstodon.org/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> @ moz://a.ai - more generally I love <a href="https://fosstodon.org/tags/teaching" class="mention hashtag" rel="nofollow noopener" target="_blank">#teaching</a>, no matter if to humans or machines :-)Projects: 3564020356.org is the oldest (~22yrs 😅), <a href="https://fosstodon.org/tags/PicoGopher" class="mention hashtag" rel="nofollow noopener" target="_blank">#PicoGopher</a> the most recent... Look around and find the rest! 😜Interests: <a href="https://fosstodon.org/tags/bouldering" class="mention hashtag" rel="nofollow noopener" target="_blank">#bouldering</a> <a href="https://fosstodon.org/tags/gopher" class="mention hashtag" rel="nofollow noopener" target="_blank">#gopher</a> <a href="https://fosstodon.org/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#SelfHosting</a> <a href="https://fosstodon.org/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#opensource</a> <a href="https://fosstodon.org/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://fosstodon.org/tags/fediverse" class="mention hashtag" rel="nofollow noopener" target="_blank">#fediverse</a> <a href="https://fosstodon.org/tags/recsys" class="mention hashtag" rel="nofollow noopener" target="_blank">#recsys</a> <a href="https://fosstodon.org/tags/ML" class="mention hashtag" rel="nofollow noopener" target="_blank">#ML</a> <a href="https://fosstodon.org/tags/solarpunk" class="mention hashtag" rel="nofollow noopener" target="_blank">#solarpunk</a> <a href="https://fosstodon.org/tags/CommunitiesOfExperience" class="mention hashtag" rel="nofollow noopener" target="_blank">#CommunitiesOfExperience</a>

Cindʎ Xiao 🍉Here's a live kernel dump of a Windows system with the <code>win32kbase_rs</code> module loaded, opened in WinDbg. We can use the <code>!poolused</code> command to get an idea of memory allocations made with this new <code>RstG</code> pool tag.We can see that there have been a few allocations with the <code>RstG</code> pool tag, totaling 368 bytes.Note that Microsoft describes this pool tag as "GDITAG_RUST_GLOBALS". If you've got a recent enough version of WinDbg / Debugging Tools for Windows, you can find this pool tag description in <code>amd64\triage\pooltag.txt</code> in your debugger install location.Here's the new Rust-related pool tag descriptions in <code>pooltag.txt</code>:Rust - win32kbase_rs.sys - GDITAG_RUST RstG - win32kbase.sys - GDITAG_RUST_GLOBALSYou can find out more about the <code>Rust</code> pool tag in my other thread, which looks more specifically at the Rust code: <a href="https://infosec.exchange/@cxiao/110366048880535679" translate="no" rel="nofollow noopener" target="_blank">https://infosec.exchange/@cxiao/110366048880535679</a><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a> <a href="https://infosec.exchange/tags/windbg" class="mention hashtag" rel="nofollow noopener" target="_blank">#windbg</a>

Cindʎ Xiao 🍉<code>win32kbase</code> uses yet another new pool tag when loading the Rust code: <code>RstG</code>.In <code>AllocateAndLoadBaseRustExports</code>, the memory allocated with this pool tag is used for a struct of type <code>BaseRustExportsStorage</code>; this struct is used to hold the base of the loaded <code>win32kbase_rs</code> image, as well as a table of pointers to its exported functions.<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a>

Cindʎ Xiao 🍉You can find the ID of the <code>Rust_GDI_REGION</code> feature flag statically, by looking inside <code>win32kbase.sys</code> inside build 25357.1.That contains a function called <code>LoadAndConnectRustCode</code>, which first calls <code>Feature_Rust_GDI_REGION__private_IsEnabled</code> to check the status of the feature flag. The Rust code in <code>\SystemRoot\System32\win32kbase_rs.sys</code> is only loaded if that function returns a nonzero value.The <code>Feature_Rust_GDI_REGION__private_IsEnabled</code> function calls <code>wil_details_FeatureStateCache_GetCachedFeatureEnabledState</code> to get the status of the feature. It passes in a variable named <code>Feature_Rust_GDI_REGION__private_descriptor</code> to specify the feature it would like to query.This struct has type <a href="https://www.vergiliusproject.com/kernels/x64/Windows%2011/22H2%20(2022%20Update)/wil_details_FeatureDescriptor" rel="nofollow noopener" target="_blank"><code>wil_details_FeatureDescriptor</code></a>; in its <code>featureId</code> field, you can see the 0x23a024a (37356106) feature ID value.The same feature ID value is also visible as the second argument to the <code>wil_details_FeatureReporting_ReportUsageToService</code> call.<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a>

Cindʎ Xiao 🍉Here's win32kbase_rs.sys loaded on an actual system running Windows 11 Insider Preview 25357.1.You'll have to enable the <code>Rust_GDI_REGION</code> Windows feature flag (ID 37356106) first. The easiest way to do this is via ViVeTool, which interacts with Windows' built-in A/B feature testing mechanism: <a href="https://github.com/thebookisclosed/ViVe" rel="nofollow noopener" translate="no" target="_blank">https://github.com/thebookisclosed/ViVe</a><pre><code>vivetool.exe /enable /id:37356106 </code></pre>Shoutout again to Brent for finding the actual feature flag value, happy reversing out there 🫡<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a>

Cindʎ Xiao 🍉The Rust Windows kernel GDI code also has symbols for <code>fallible_vec::FallibleVec<T,A></code> , which looks like a non-panicking <code>Vec</code> implementation. <code>try_extend</code>, <code>try_extend_from_slice</code>, <code>try_splice_in</code>, and <code>try_insert</code> are all implemented.In fact it looks suspiciously similar to the <code>rust_fallible_vec</code> crate, which Microsoft recently open-sourced: <a href="https://github.com/microsoft/rust_fallible_vec" rel="nofollow noopener" target="_blank">https://github.com/microsoft/rust_fallible_vec</a> :thonking: ( <a href="https://hachyderm.io/@TehPenguin" class="u-url mention" rel="nofollow noopener" target="_blank">@TehPenguin</a> 👋 )The methods are generic over the allocator type <code>A</code>; some of these <code>FallibleVec</code> method implementations use the registered global allocator <code>gdi_alloc::Win32Allocator</code> , and others use the <code>gdi_alloc::TaggedAllocator</code> with the GDI-specific pool tags.<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a>

Cindʎ Xiao 🍉For the specific GDI objects, there are still allocations made with the existing GDI-specific pool tags.It looks like the <code>rgncore::scan::ScanBuilder<gdi_alloc::TaggedAllocator<_>></code> object uses the existing GDI pool tag <code>Gscn</code> ( i.e. <code>GDITAG_SCAN_ARRAY</code>) for vector allocations. (Probably <code>gdi_alloc::TaggedAllocator<_></code> requires specifying a pool tag)I also see <code>Gedg</code> (i.e. <code>GDITAG_EDGE</code>) being used in <code>gdi_rust::region::from_path::GlobalEdgeTable::add_edge</code>, and <code>gdi_rust::region::from_path::ActiveEdgeTable::new</code> , among other places.<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a>

Cindʎ Xiao 🍉In the new Rust Windows kernel GDI code, there is a new global allocator registered named <code>gdi_alloc::Win32Allocator</code> . It calls <code>Win32AllocPool</code> with a fun new pool tag name, "Rust"!<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a>

Cindʎ Xiao 🍉For the new Windows kernel Rust GDI stuff that is all the rage now (win32kbase_rs.sys, win32kfull_rs.sys): here are the links to download copies of those binaries, from the Microsoft Symbol Server:<a href="https://msdl.microsoft.com/download/symbols/win32kbase_rs.sys/272C4A031b000/win32kbase_rs.sys" rel="nofollow noopener" translate="no" target="_blank">https://msdl.microsoft.com/download/symbols/win32kbase_rs.sys/272C4A031b000/win32kbase_rs.sys</a><a href="https://msdl.microsoft.com/download/symbols/win32kfull_rs.sys/8264C482a000/win32kfull_rs.sys" rel="nofollow noopener" translate="no" target="_blank">https://msdl.microsoft.com/download/symbols/win32kfull_rs.sys/8264C482a000/win32kfull_rs.sys</a>These should be the versions that are in Windows 11 Insider Preview 25357.1 (zn_release) amd64 . The SHA-256 hashes are: 87ee0235caf2c97384581e74e525756794fa91b666eaacc955fc7859f540430d win32kbase_rs.sys 2efb9ea4032b3dfe7bf7698bd35e3ea3817d52f4d9a063b966f408e196957208 win32kfull_rs.sys(I first extracted these files myself from the update package for build 25357.1, then generated the symbol server download URLs from the PE metadata in the files)Of course, in addition to the actual executables, symbols are available from the symbol server as well (see screenshot).<a href="https://tech.lgbt/@analog_feelings" class="u-url mention" rel="nofollow noopener" target="_blank">@analog_feelings</a> already did some reversing of win32kbase_rs.sys several weeks ago, here: <a href="https://tech.lgbt/@analog_feelings/110232321999960466" rel="nofollow noopener" translate="no" target="_blank">https://tech.lgbt/@analog_feelings/110232321999960466</a> 🤘Now, time for me to go figure out how to actually reverse Rust 🦀<a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#rustlang</a> <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#reverseengineering</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a>

13reak :fedora:<a href="https://infosec.exchange/tags/introduction" class="mention hashtag" rel="nofollow noopener" target="_blank">#introduction</a> Hi,I am an <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> enthusiast interested in <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/incidentresponse" class="mention hashtag" rel="nofollow noopener" target="_blank">#incidentresponse</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/rootkits" class="mention hashtag" rel="nofollow noopener" target="_blank">#rootkits</a> <a href="https://infosec.exchange/tags/velociraptor" class="mention hashtag" rel="nofollow noopener" target="_blank">#velociraptor</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener" target="_blank">#reversing</a> and a bit <a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener" target="_blank">#pentesting</a> / <a href="https://infosec.exchange/tags/purpleteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#purpleteam</a> (yeah, bit more on the <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#blueteam</a> side... 😅 )Programming wise <a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#linux</a> <a href="https://infosec.exchange/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#python</a> <a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/golang" class="mention hashtag" rel="nofollow noopener" target="_blank">#golang</a>Apart from that I can always talk about <a href="https://infosec.exchange/tags/rock" class="mention hashtag" rel="nofollow noopener" target="_blank">#rock</a> and <a href="https://infosec.exchange/tags/metal" class="mention hashtag" rel="nofollow noopener" target="_blank">#metal</a> 😀 🤘 Looking forward to connect to people on these topics - feel free to PM me 🙂

Recent searches

Search options

Administered by:

Server stats:

#reversing