github:
https://github.com/obfuscator-llvm/obfuscator/tree/llvm-4.0
First copy the include Obfuscation directory (source path, then destination path):
/home/nowind/llvm/ollvm/obfuscator/include/llvm/Transforms/Obfuscation
/home/nowind/llvm/llvm-project-9.0.1/llvm/include/llvm/Transforms/Obfuscation
Then the lib Obfuscation directory:
/home/nowind/llvm/ollvm/obfuscator/lib/llvm/Transforms/Obfuscation
/home/nowind/llvm/llvm-project-9.0.1/llvm/lib/Transforms/Obfuscation
Then copy:
/home/nowind/llvm/ollvm/obfuscator/include/llvm/CryptoUtils.h
/home/nowind/llvm/llvm-project-9.0.1/llvm/include/llvm/CryptoUtils.h
In the /home/nowind/llvm/llvm-project-9.0.1/llvm/lib/Transforms/ directory:
add add_subdirectory(Obfuscation) to CMakeLists.txt
add Obfuscation to LLVMBuild.txt
In /home/nowind/llvm/llvm-project-9.0.1/llvm/lib/IPO/, add Obfuscation
Modify the PassManagerBuilder file
Build error: /home/nowind/llvm/llvm-project-9.0.1/llvm/lib/Transforms/Obfuscation/Flattening.cpp:68:25: error: ‘createLowerSwitchPass’ was not declared in this scope
Add #include "llvm/Transforms/Utils.h"
ninja LLVMObfuscation
ninja clang
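Bug fix: https://github.com/obfuscator-llvm/obfuscator/pull/76/files
The 4 obfuscation features: https://github.com/obfuscator-llvm/obfuscator/wiki/Features
1. Instruction substitution (Instructions Substitution): replaces operators such as addition and subtraction and inserts useless values
clang -mllvm -sub hello_ollvm.c -o hello_ollvm_sub  # IDA already optimizes this and recognizes the result directly
clang -mllvm -sub -mllvm -sub_loop=3 hello_ollvm.c -o hello_ollvm_sub2  # apply the substitution 3 times
2. Bogus control flow (bcf)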
clang -mllvm -bcf hello_ollvm_bcf.c -o hello_ollvm_bcf
clang -mllvm -bcf -mllvm -bcf_loop=3 hello_ollvm_bcf.c -o hello_ollvm_bcf
clang -mllvm -bcf -mllvm -bcf_prob=40 hello_ollvm_bcf.c -o hello_ollvm_bcf  # obfuscation percentage
3. Control flow flattening (Control Flow Flattening): converts the control flow into a switch
clang -mllvm -fla hello_ollvm_bcf.c -o hello_ollvm_fla  # hello_ollvm_fla is the executable
clang -mllvm -fla -mllvm -split hello_ollvm_bcf.c -o hello_ollvm_fla
clang -mllvm -fla -mllvm -split_num=3 hello_ollvm_bcf.c -o hello_ollvm_fla
4. Adding obfuscation attributes to individual functions:
__attribute((__annotate__(("fla"))));
__attribute((__annotate__(("nosub")))) __attribute((__annotate__(("nobcf"))));
Combined:
clang -mllvm -fla -mllvm -split -mllvm -split_num=3 -mllvm -bcf -mllvm -bcf_loop=3 -mllvm -bcf_prob=40 -mllvm -sub -mllvm -sub_loop=3 hello_ollvm_bcf.c -o hello_ollvm_obf
clang -mllvm -fla -emit-llvm -S hello_ollvm_bcf.c -o hello_ollvm_fla.ll  # generate the .ll file
clang -mllvm -fla -S hello_ollvm_bcf.c -o hello_ollvm_fla.s  # generate the assembly file
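To illustrate what item 3 (control flow flattening) does to a function, here is a hand-written C example, added here and not taken from these notes or from OLLVM output: popcount_plain is ordinary structured code, and popcount_flat is the same logic rewritten as a dispatcher loop around a switch. The function names and state numbers are made up for the illustration.

```c
#include <stdio.h>

/* Original: count the set bits of x with ordinary structured control flow. */
unsigned popcount_plain(unsigned x) {
    unsigned n = 0;
    while (x != 0) {
        if (x & 1u)
            n++;
        x >>= 1;
    }
    return n;
}

/* Hand-flattened equivalent: every basic block becomes a case, and a state
 * variable set at the end of each block selects the next one. The state
 * numbers are arbitrary constructed values. */
unsigned popcount_flat(unsigned x) {
    unsigned n = 0;
    int state = 1;                 /* entry block */
    for (;;) {                     /* dispatcher loop */
        switch (state) {
        case 1:                    /* loop condition */
            state = (x != 0) ? 2 : 5;
            break;
        case 2:                    /* if (x & 1) */
            state = (x & 1u) ? 3 : 4;
            break;
        case 3:                    /* n++ */
            n++;
            state = 4;
            break;
        case 4:                    /* x >>= 1, then the back edge */
            x >>= 1;
            state = 1;
            break;
        case 5:                    /* exit block */
            return n;
        default:                   /* never reached */
            return 0;
        }
    }
}

int main(void) {
    unsigned samples[] = {0u, 1u, 0xF0u, 0xFFFFu};  /* constructed inputs */
    for (int i = 0; i < 4; i++)
        printf("%#x plain=%u flat=%u\n", samples[i],
               popcount_plain(samples[i]), popcount_flat(samples[i]));
    return 0;
}
```

When reading a flattened binary, recovering the original flow means mapping each state value back to the block that sets it, as the case comments do here.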
Building and using ollvm out of tree:
Use git to switch back to the original source, without the ollvm code; in my case that is the master branch.
Downloadable material for the out-of-tree ollvm build:
https://download.csdn.net/download/ahjxly/88624738
Running ollvm with clang:
clang -Xclang -load -Xclang /home/nowind/llvm/pro/pro4/OLLVM/cmake-build-debug/ollvm/lib/Transforms/Obfuscation/LLVMObfuscation.so -mllvm -fla /home/nowind/llvm/pro/pro4/example/hello_ollvm_fla.c -emit-llvm -S -o /home/nowind/llvm/pro/pro4/example/hello_llvm_fla.ll
To set breakpoints, use clang-9:
/home/nowind/llvm/llvm-project-9.0.1/llvm/cmake-build-debug/bin/clang-9 -cc1 -triple x86_64-unknown-linux-gnu -emit-llvm -disable-free -main-file-name hello_ollvm_fla.c -mrelocation-model static -mthread-model posix -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -coverage-notes-file /home/nowind/llvm/pro/pro4/example/hello_llvm_fla.gcno -resource-dir /home/nowind/llvm/llvm-project-9.0.1/llvm/cmake-build-debug/lib/clang/9.0.1 -internal-isystem /usr/local/include -internal-isystem /home/nowind/llvm/llvm-project-9.0.1/llvm/cmake-build-debug/lib/clang/9.0.1/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fdebug-compilation-dir /home/nowind/llvm/llvm-project-9.0.1/llvm/cmake-build-debug/bin -ferror-limit 19 -fmessage-length 0 -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -load /home/nowind/llvm/pro/pro4/OLLVM/cmake-build-debug/ollvm/lib/Transforms/Obfuscation/LLVMObfuscation.so -mllvm -fla -faddrsig -o /home/nowind/llvm/pro/pro4/example/hello_llvm_fla.ll -x c /home/nowind/llvm/pro/pro4/example/hello_ollvm_fla.c