Bridging the Rust Reverse Engineering Gap: Automated Demangling and Function Identification in Ghidra

Authors

  • Meirambek Dinmukhammed, Master’s Degree Student, Astana IT University

Keywords:

Rust, Ghidra, reverse engineering, decompilation, binary analysis, plugin, name demangling, FunctionID, malware analysis, static analysis, BlackCat, ALPHV

Abstract

The growing adoption of the Rust programming language in both legitimate systems software and malware development has exposed critical limitations in existing reverse engineering frameworks. Rust binaries exhibit unique characteristics — aggressive monomorphization, static linking of the entire standard library, a specialized symbol mangling scheme (RFC 2603), and ownership-driven memory layout optimizations — that make them substantially more difficult to analyze than equivalent C/C++ programs. A controlled experiment by Microsoft Threat Intelligence Center demonstrated that a simple downloader program compiled in C++ produces fewer than 100 functions in a binary under 20 KB, while the same program in Rust yields nearly 10,000 functions in a binary exceeding 3 MB. This paper presents a method for automatically handling Rust executables within the Ghidra reverse engineering framework through the development of a specialized plugin. The plugin integrates four key capabilities: automated Rust binary detection via structural and string-based heuristics, full Rust v0 symbol demangling, standard library function identification using Ghidra’s FunctionID database infrastructure, and Rust-specific data type annotation for structures such as Option<T>, Result<T, E>, string slices, and Vec<T>. We review the current state of Rust reverse engineering tooling — including GhidRust, ReOxide, the 0xA11C initiative, and Microsoft’s RIFT — and position our contribution within this evolving landscape. Experimental evaluation on a corpus of 35 Rust binaries, including real-world malware samples such as BlackCat/ALPHV variants, demonstrates significant improvements in decompilation readability and a 40–60% reduction in manual analysis time.

Published

2026-05-10

How to Cite

Meirambek Dinmukhammed. (2026). Bridging the Rust Reverse Engineering Gap: Automated Demangling and Function Identification in Ghidra. Scientific Research and Experimental Development, (13). Retrieved from https://ojs.publisher.agency/index.php/SRED/article/view/8639