rnicro

A Linux x86_64 debugger and exploit development toolkit written in Rust, specialized for Rust binary analysis and security research.

Features

Core Debugger — ptrace-based process control, software/hardware breakpoints, watchpoints, multi-thread support, source-level stepping, DWARF variables with Rust type pretty-printing.

Exploit Development — ROP gadget search and chain builder, format string payloads, heap analysis (glibc), shellcode toolkit, SROP, one-gadget finder, ASLR leak calculator.

Automation — Structured event logging, anti-analysis bypass engine (ptrace, /proc spoofing, signal-based tricks like Mirai), and memory secret extraction (differential strings, entropy detection, known patterns).

Editor Integration — Debug Adapter Protocol (DAP) server with VS Code extension. Security analysis panel, Rust-specialized variable display.

Quick Start

cargo install rnicro

# CLI debugger
rnicro ./target/debug/my_program

# DAP mode (for editors)
rnicro --dap

Module Overview

Anti-Analysis Bypass

The bypass engine automatically neutralizes common anti-debugging techniques at runtime:

• ptrace(TRACEME) self-trace — fakes success
• /proc/self/status TracerPid — spoofs to 0
• prctl(PR_SET_DUMPABLE, 0) — rewrites arg to keep dumpable
• alarm() / setitimer() watchdog timers — neutralized
• kill(getpid(), sig) / tgkill self-signals — suppressed
• INT3 self-check traps — auto-skipped

Secret Extraction

Automatically scans writable memory on sensitive syscalls (write, sendto) using:

• Differential scanning — detects newly appeared printable strings
• Entropy tracking — identifies decryption events (high-to-low entropy transitions)
• Pattern matching — AWS keys, JWT, PEM, GitHub tokens, Bearer tokens

Platform

• Target: Linux x86_64 (ptrace, /proc)
• Development: macOS compatible (Linux-only modules behind #[cfg(target_os = "linux")])

License

MIT