Skip to content

eshard/obfuscator-llvm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Georges GagnerotPatriceBlin
Georges Gagnerot
and
Jul 5, 2024
a629c1f · Jul 5, 2024

History

71 Commits
Jul 24, 2023
Mar 17, 2022
Jul 24, 2023
May 3, 2022
Jul 24, 2023
Sep 26, 2023
Oct 13, 2021
Oct 13, 2021
Jul 5, 2024
May 3, 2022
Sep 23, 2021
May 3, 2022
Aug 10, 2022

Repository files navigation

About

LLVM obfuscation is a LLVM pass plugin, used to apply transformation on LLVM assembly language to provide obfuscation.

Compilation

To build this plugin you need to build LLVM. Refer to the documentation for more information.

Here's how you can download, build and install LLVM:

git clone --depth 1 --branch llvmorg-14.0.6 https://github.com/llvm/llvm-project.git
cd llvm-project

mkdir -p build && cd build
cmake -G "Ninja" -DCMAKE_INSTALL_PREFIX=/opt/llvm ..
ninja -j$(nproc)
ninja install

Then, to compile the plugin:

git clone https://github.com/eshard/obfuscator-llvm.git
cd obfuscator-llvm

mkdir -p build && cd build
cmake -G "Ninja" -DLLVM_DIR=/opt/llvm/lib/cmake ..
ninja -j$(nproc)

If the compilation is successful the plugin is libLLVMObfuscator.so and can be used with clang (-fpass-plugin=) or opt (-load-pass-plugin).

Usage

With clang

This plugin can be used with clang's switch -fpass-plugin and depending on your llvm version in addition you may need to specify -fno-legacy-pass-manager.

clang -fno-legacy-pass-manager -fpass-plugin=<path/to/llvm/obfuscation>/libLLVMObfuscator.so hello_world.c -o hello_world

You can chose to insert passes in the optimization pipeline by setting the following environment variables before running clang:

  • LLVM_OBF_PEEPHOLE_PASSES
  • LLVM_OBF_SCALAROPTIMIZERLATE_PASSES
  • LLVM_OBF_VECTORIZERSTART_PASSES
  • LLVM_OBF_PIPELINESTART_PASSES
  • LLVM_OBF_PIPELINEEARLYSIMPLIFICATION_PASSES
  • LLVM_OBF_OPTIMIZERLASTEP_PASSES

For instance if you want to run the flattening, bogus and substitution passes in that order, you can do: export LLVM_OBF_SCALAROPTIMIZERLATE_PASSES="flattening, bogus, substitution, split-basic-blocks"

Refer to the llvm::PassBuilder documentation for more information on each insertion point.

With opt

opt can be used to apply specific passes from LLRM-IR you would pre-generate using clang.

# pre-generate llvm bytecode
clang -01 -S -emit-llvm hello_world.c -o hello_world.bc

# apply the pass
opt --relocation-model=pic -load-pass-plugin <path/to/llvm/obfuscation>/libLLVMObfuscator.so
-passes="<my-pass-name>" hello_world.bc -o hello_world_obfuscated.bc

# generate an object file with llc
llc --relocation-model=pic -filetype=obj hello_world_obfuscated.bc -o hello_world_obfuscated.o

# generate the binary file with clang
clang hello_world_obfuscated.o -o hello_world_obfuscated

Debugging

To allow debugging passes in a deterministic way, the environment variable LLVM_OBF_SEED can be set to fix the CryptoUtils seed (used to for all random number generation and encryption).

The variable should contain a hex string of 32 characters or 34 characters if prefixed with "0x", for example: export LLVM_OBF_SEED="0xA04252B187478C00A40BC6D81D1A8A52"

The environement variable LLVM_OBF_DEBUG_SEED can be set to "y" to enable printing the seed everytime the plugin is loaded.

Cross compilation

Acknowledgement

This project started from Obfuscator-LLVM by the information security group of the University of Applied Sciences and Arts Western Switzerland of Yverdon-les-Bains (HEIG-VD).

Releases

No releases published

Packages

No packages published