feat(llvm): LLVM 18.0.3 support obfuscation

Author: buffcow

llvm-project/llvm/lib/Passes/CMakeLists.txt

@@ -6,6 +6,19 @@ add_llvm_component_library(LLVMPasses
   PassPlugin.cpp
   StandardInstrumentations.cpp
 
+  Obfuscation/Utils.cpp
+  Obfuscation/CryptoUtils.cpp
+  Obfuscation/ObfuscationOptions.cpp
+  Obfuscation/BogusControlFlow.cpp
+  Obfuscation/IPObfuscationContext.cpp
+  Obfuscation/Flattening.cpp
+  Obfuscation/StringEncryption.cpp
+  Obfuscation/SplitBasicBlock.cpp
+  Obfuscation/Substitution.cpp
+  Obfuscation/IndirectBranch.cpp
+  Obfuscation/IndirectCall.cpp
+  Obfuscation/IndirectGlobalVariable.cpp
+
   ADDITIONAL_HEADER_DIRS
   ${LLVM_MAIN_INCLUDE_DIR}/llvm
   ${LLVM_MAIN_INCLUDE_DIR}/llvm/Passes

llvm-project/llvm/lib/Passes/PassBuilder.cpp

@@ -282,6 +282,16 @@
 #include "llvm/Transforms/Vectorize/SLPVectorizer.h"
 #include "llvm/Transforms/Vectorize/VectorCombine.h"
 #include <optional>
+// 引用 Obfuscation 相关文件
+#include "Obfuscation/BogusControlFlow.h" // 虚假控制流
+#include "Obfuscation/Flattening.h"  // 控制流平坦化
+#include "Obfuscation/SplitBasicBlock.h" // 基本块分割
+#include "Obfuscation/Substitution.h" // 指令替换
+#include "Obfuscation/StringEncryption.h" // 字符串加密
+#include "Obfuscation/IndirectGlobalVariable.h" // 间接全局变量
+#include "Obfuscation/IndirectBranch.h" // 间接跳转
+#include "Obfuscation/IndirectCall.h" // 间接调用
+#include "Obfuscation/Utils.h" // 为了控制函数名混淆开关 (bool obf_function_name_cmd;)
 
 using namespace llvm;
 
@@ -448,6 +458,17 @@ class TriggerVerifierErrorPass
 
 } // namespace
 
+// 添加命令行支持
+static cl::opt<bool> s_obf_split("split", cl::init(false), cl::desc("SplitBasicBlock: split_num=3(init)"));
+static cl::opt<bool> s_obf_sobf("sobf", cl::init(false), cl::desc("String Obfuscation"));
+static cl::opt<bool> s_obf_fla("fla", cl::init(false), cl::desc("Flattening"));
+static cl::opt<bool> s_obf_sub("sub", cl::init(false), cl::desc("Substitution: sub_loop"));
+static cl::opt<bool> s_obf_bcf("bcf", cl::init(false), cl::desc("BogusControlFlow: application number -bcf_loop=x must be x > 0"));
+static cl::opt<bool> s_obf_ibr("ibr", cl::init(false), cl::desc("Indirect Branch"));
+static cl::opt<bool> s_obf_igv("igv", cl::init(false), cl::desc("Indirect Global Variable"));
+static cl::opt<bool> s_obf_icall("icall", cl::init(false), cl::desc("Indirect Call"));
+static cl::opt<bool> s_obf_fn_name_cmd("fncmd", cl::init(false), cl::desc("use function name control obfuscation(_ + command + _ | example: function_fla_bcf_)"));
+
 PassBuilder::PassBuilder(TargetMachine *TM, PipelineTuningOptions PTO,
                          std::optional<PGOOptions> PGOOpt,
                          PassInstrumentationCallbacks *PIC)
@@ -483,6 +504,30 @@ PassBuilder::PassBuilder(TargetMachine *TM, PipelineTuningOptions PTO,
   PIC->addClassToPassName(decltype(CREATE_PASS)::name(), NAME);
 #include "PassRegistry.def"
   }
+
+  //outs() << "[obf] registerPipelineStartEPCallback\n"; // 优化前
+  //outs() << "[obf] registerOptimizerLastEPCallback\n"; // 优化后
+  this->registerOptimizerLastEPCallback(
+      [](llvm::ModulePassManager &MPM,
+         llvm::OptimizationLevel Level) {
+        outs() << "[obf] run.registerOptimizerLastEPCallback\n";
+        obf_function_name_cmd = s_obf_fn_name_cmd;
+        if (obf_function_name_cmd) {
+          outs() << "[obf] enable function name control obfuscation(_ + command + _ | example: function_fla_)\n";
+        }
+        MPM.addPass(StringEncryptionPass(s_obf_sobf)); // 先进行字符串加密 出现字符串加密基本块以后再进行基本块分割和其他混淆 加大解密难度
+        llvm::FunctionPassManager FPM;
+        FPM.addPass(IndirectCallPass(s_obf_icall)); // 间接调用
+        FPM.addPass(SplitBasicBlockPass(s_obf_split)); // 优先进行基本块分割
+        FPM.addPass(FlatteningPass(s_obf_fla)); // 对于控制流平坦化
+        FPM.addPass(SubstitutionPass(s_obf_sub)); // 指令替换
+        FPM.addPass(BogusControlFlowPass(s_obf_bcf)); // 虚假控制流
+        MPM.addPass(createModuleToFunctionPassAdaptor(std::move(FPM)));
+        MPM.addPass(IndirectBranchPass(s_obf_ibr)); // 间接指令 理论上间接指令应该放在最后
+        MPM.addPass(IndirectGlobalVariablePass(s_obf_igv)); // 间接全局变量
+        MPM.addPass(RewriteSymbolPass()); // 根据yaml信息 重命名特定symbols
+      }
+  );
 }
 
 void PassBuilder::registerModuleAnalyses(ModuleAnalysisManager &MAM) {