TTPs: Rust vs C++
A comparative analysis of C++ and Rust implant binaries
Last updated
A comparative analysis of C++ and Rust implant binaries
Last updated
With the end of 2022 and the start of 2023, it's only a matter of time until discussion begins about the language that's going to "replace" C/C++. There's a lot of reasons why C/C++ is going to be here for a long time, but in the scope of Offensive Security Engineering, what are the benefits of making the jump to another language? Historically, the primary contenders for offensive development have been C, C++, and C#. The comparison between those specific languages is outside the scope of this article, but something that HAS come to my attention is Rust development.
I recently posed the question "does rust provide any benefits over C/C++ for offensive security engineering" on Twitter and received a variety of responses.
The benefits seem to be centered around Rust's internal complexity making Blue Team analysis inherently more difficult. This makes creating signatures for Rust Binaries more difficult than for similar C++ binaries. So I figured we could test that out a little bit and see what behavior we could observer.
The proposed analysis methodology is as follows:
Make two programs, one written in Rust and one in C++
The functionality of the programs should be as similar as possible
VirtualAlloc -> (Some sort of copy) -> VirtualProtect -> CreateThread
Both programs should use the same payload
Msfvenom calc.exe
Measure how long the programs take to execute using the powershell "Measure-Command"
Upload both binaries to Dogbolt to get a sense of the reverse engineering effort necessary to signature the binary. We'll especially be looking out for the API calls.
Upload both programs into VT for a reasonable detectability measurement
Note: The goal of this analysis is not to perform a comprehensive quantitive assessment, but rather to get a sense of the pros and cons of Rust in the context as offensive security tooling.
We've implemented a basic implant several times on here before, but here's the code one more time:
I'll confess, this kicked my ass for a couple of hours. Finally I found @trickster0's OffensiveRust repository and Github, and luckily it had the exact Rust program I was looking for.
Now that we've generated our two programs, lets compile them and compare their performance.
We measure the performance these two programs over twenty rounds of operation and find their performance pretty comparable.
Rust is well known to be a fast programming language, so this isn't a surprise. Rust also famously produces thick binaries compared to C++, and we can observe that by comparing the file sizes of our two programs.
Uploading the Rust binary gets us some errors (we time out) from Angr and Ghidra, but we get some decent input from Hex-Ray and BinaryNinja.
Decompiling the Rust binary produces over 26000 lines of decompiled code in both BinaryNinja and Hex-Rays.
We're only able to find all the Windows API calls in BinaryNinja.
When we upload the C++ binary we also get some timeout errors (it must be some error on dogbolt's side), we only get a maximum of about 16000 lines of decompiled code.
And our C++ binary leaks all the WinAPI calls and a pretty accurate decompilation of our code, all visible in the screenshot below.
It looks like the Rust binary definitely provides some inherent protections to reverse engineering efforts at the decompilation level, we were unable to get anything this accurate from the Rust binary using this tool.
Finally, the last part of our analysis.
Our rust binary is detected by 5/72 AV engines.
Our C++ binary is detected by 21/72 AV engines.
In this writeup, we've seen how a Rust binary with near-identical functionality to a C++ binary compared in terms of operating speed, decompilation, and detectibility. Rust is without a doubt superior in its resistance to reverse engineering and detection by AV engines, while achieving comparable performance in terms of speed.
It's likely that over time the detection of Rust binaries will improve as the language continues to grow in popularity, existing decompilation technology is not capable of providing the same thorough analysis that is available for C++ binaries.
If you're considering making the jump to Rust, there's some real benefits to be gained, at least for the time being.