ollvm 新增字符串加密功能

好久没弄ollvm了，可以继续了，今天给ollvm新增了一个pass，用来加密字符串，这个pass是从别的库里面扒出来的。

本文是基于在Windows 上使用VS2017编译出来的ollvm，在这个基础上来添加。

第一步：

寻找两个pass的代码

头文件

#ifndef _STRING_OBFUSCATION_H_
#define _STRING_OBFUSCATION_H_


// LLVM include
#include "llvm/Pass.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/Instructions.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/Transforms/IPO.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/CryptoUtils.h"

// Namespace
using namespace llvm;
using namespace std;

namespace llvm {
    Pass *createStringObfuscation(bool flag);
}

#endif

源文件

#define DEBUG_TYPE "objdiv"
#include <string>
#include <sstream>

#include "llvm/ADT/Statistic.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Value.h"
#include "llvm/Pass.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/CryptoUtils.h"
#include "llvm/Transforms/Obfuscation/StringObfuscation.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;

STATISTIC(GlobalsEncoded, "Counts number of global variables encoded");

#define ZooPrint(_F, ...) fprintf(stdout, "File : [%s](%d) " _F, __FILE__, __LINE__, __VA_ARGS__)

namespace llvm {

    struct encVar {
    public:
        GlobalVariable *var;
        uint8_t key;
    };

    class StringObfuscationPass : public llvm::ModulePass {
    public:
        static char ID; // pass identification
        bool is_flag = false;
        StringObfuscationPass() : ModulePass(ID) {}
        StringObfuscationPass(bool flag) : ModulePass(ID)
        {
            is_flag = flag;
        }

        virtual bool runOnModule(Module &M) {
            ZooPrint(" Run On Module : %d 
", is_flag);
            if (!is_flag)
                return false;
            std::vector<GlobalVariable*> toDelConstGlob;
            //std::vector<GlobalVariable*> encGlob;
            std::vector<encVar*> encGlob;
            ZooPrint(" M.Size : %d 
", M.size());
            int i = 0;
            for (Module::global_iterator gi = M.global_begin(), ge = M.global_end(); gi != ge; ++gi)
            {

#if 0
                //    老式代码，原来的样子
                @.str = private unnamed_addr constant[13 x i8] c"E4BDA0E5A5BDE4B896E7958C0", align 1
                @__CFConstantStringClassReference = external global[0 x i32]
                @.str.1 = private unnamed_addr constant[3 x i16][i16 20320, i16 22909, i16 0], section "__TEXT,__ustring", align 2
                //    新式字符串的样子
                @"1??_C@_07CHPFNFHA@123456?6?$AA@" = linkonce_odr unnamed_addr constant [8 x i8] c"123456A0", comdat, align 1
                @"1??_C@_03PMGGPEJJ@?$CFd?6?$AA@" = linkonce_odr unnamed_addr constant [4 x i8] c"%dA0", comdat, align 1
                @__local_stdio_printf_options._OptionsStorage = internal global i64 0, align 8
#endif
                // Loop over all global variables
                GlobalVariable* gv = &(*gi);
                //errs() << "Global var " << gv->getName();
                //std::string::size_type str_idx = gv->getName().str().find(".str.");
                std::string section(gv->getSection());

                ZooPrint(" %d : String : "%s" ， section : "%s" ， isConstant : %d ， hasInitializer : %d ， isa : %d ， r : %d 
", i++, gv->getName().str().c_str(), section.c_str(), gv->isConstant(), gv->hasInitializer(), isa<ConstantDataSequential>(gv->getInitializer()), gv->getName().str().substr(0, 8) == ""x01??_C@_");
                //    ZooPrint("      0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 0x%02X 
", gv->getName()[0] & 0xFF, gv->getName()[1] & 0xFF, gv->getName()[2] & 0xFF, gv->getName()[3] & 0xFF, gv->getName()[4] & 0xFF, gv->getName()[5] & 0xFF, gv->getName()[6] & 0xFF, gv->getName()[7] & 0xFF);

                // Let's encode the static ones
                //if (gv->getName().str().substr(0, 4) == ".str"&&
                if (gv->getName().str().substr(0, 7) == "x01??_C@_" &&
                    gv->isConstant() &&
                    gv->hasInitializer() &&
                    isa<ConstantDataSequential>(gv->getInitializer()) &&
                    section != "llvm.metadata" &&
                    section.find("__objc_methname") == std::string::npos
                    /*&&gv->getType()->getArrayElementType()->getArrayElementType()->isIntegerTy()*/)
                {
                    ZooPrint(" In Global Encode 
");
                    ++GlobalsEncoded;
                    //errs() << " is constant";

                    // Duplicate global variable
                    GlobalVariable *dynGV = new GlobalVariable(M,
                        gv->getType()->getElementType(),
                        !(gv->isConstant()), gv->getLinkage(),
                        (Constant*)0, gv->getName(),
                        (GlobalVariable*)0,
                        gv->getThreadLocalMode(),
                        gv->getType()->getAddressSpace());
                    // dynGV->copyAttributesFrom(gv);
                    dynGV->setInitializer(gv->getInitializer());

                    std::string tmp = gv->getName().str();
                    //  errs()<<"GV: "<<*gv<<"
";

                    Constant *initializer = gv->getInitializer();
                    ConstantDataSequential *cdata = dyn_cast<ConstantDataSequential>(initializer);
                    if (cdata) {
                        const char *orig = cdata->getRawDataValues().data();
                        unsigned len = cdata->getNumElements()*cdata->getElementByteSize();

                        encVar *cur = new encVar();
                        cur->var = dynGV;
                        cur->key = llvm::cryptoutils->get_uint8_t();
                        // casting away const is undef. behavior in C++
                        // TODO a clean implementation would retrieve the data, generate a new constant
                        // set the correct type, and copy the data over.
                        //char *encr = new char[len];
                        //Constant *initnew = ConstantDataArray::getString(M.getContext(), encr, true);
                        char *encr = const_cast<char *>(orig);
                        // Simple xor encoding
                        for (unsigned i = 0; i != len; ++i) {
                            encr[i] = orig[i] ^ cur->key;
                        }

                        // FIXME Second part of the unclean hack.
                        dynGV->setInitializer(initializer);

                        // Prepare to add decode function for this variable
                        encGlob.push_back(cur);
                    }
                    else {
                        // just copying default initializer for now
                        dynGV->setInitializer(initializer);
                    }

                    // redirect references to new GV and remove old one
                    gv->replaceAllUsesWith(dynGV);
                    toDelConstGlob.push_back(gv);

                }
            }

            // actuallte delete marked globals
            for (unsigned i = 0, e = toDelConstGlob.size(); i != e; ++i)
                toDelConstGlob[i]->eraseFromParent();

            addDecodeFunction(&M, &encGlob);


            return true;
        }

    private:
        void addDecodeFunction(Module *mod, std::vector<encVar*> *gvars) {
            ZooPrint(" Add Decode Function 
");
            // Declare and add the function definition
            //errs()<<"Successful enter decode function"<<"
";
            std::vector<Type*>FuncTy_args;
            FunctionType* FuncTy = FunctionType::get(
                /*Result=*/Type::getVoidTy(mod->getContext()),  // returning void
                /*Params=*/FuncTy_args,  // taking no args
                /*isVarArg=*/false);
            uint64_t StringObfDecodeRandomName = cryptoutils->get_uint64_t();
            std::string  random_str;
            std::stringstream random_stream;
            random_stream << StringObfDecodeRandomName;
            random_stream >> random_str;
            StringObfDecodeRandomName++;
            Constant* c = mod->getOrInsertFunction(".datadiv_decode" + random_str, FuncTy);
            Function* fdecode = cast<Function>(c);
            fdecode->setCallingConv(CallingConv::C);


            BasicBlock* entry = BasicBlock::Create(mod->getContext(), "entry", fdecode);

            IRBuilder<> builder(mod->getContext());
            builder.SetInsertPoint(entry);


            for (unsigned i = 0, e = gvars->size(); i != e; ++i) {
                GlobalVariable *gvar = (*gvars)[i]->var;
                uint8_t key = (*gvars)[i]->key;

                Constant *init = gvar->getInitializer();
                ConstantDataSequential *cdata = dyn_cast<ConstantDataSequential>(init);

                unsigned len = cdata->getNumElements()*cdata->getElementByteSize();
                --len;

                BasicBlock *preHeaderBB = builder.GetInsertBlock();
                BasicBlock* for_body = BasicBlock::Create(mod->getContext(), "for-body", fdecode);
                BasicBlock* for_end = BasicBlock::Create(mod->getContext(), "for-end", fdecode);
                builder.CreateBr(for_body);
                builder.SetInsertPoint(for_body);
                PHINode *variable = builder.CreatePHI(Type::getInt32Ty(mod->getContext()), 2, "i");
                Value *startValue = builder.getInt32(0);
                Value *endValue = builder.getInt32(len);
                variable->addIncoming(startValue, preHeaderBB);
                /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

                //LoadInst *Load=builder.CreateLoad(gvar);
                //errs()<<"Load: "<<*(Load->getPointerOperand())<<"
";
                Value* indexList[2] = { ConstantInt::get(variable->getType(), 0), variable };
                Value *const_key = builder.getInt8(key);
                Value *GEP = builder.CreateGEP(gvar, ArrayRef<Value*>(indexList, 2), "arrayIdx");
                LoadInst *loadElement = builder.CreateLoad(GEP, false);
                loadElement->setAlignment(1);
                //errs()<<"Type: "<<*loadElement<<"
";
                //CastInst* extended = new ZExtInst(const_key, loadElement->getType(), "extended", for_body);
                //Value* extended = builder.CreateZExtOrBitCast(const_key, loadElement->getType(),"extended");
                Value *Xor = builder.CreateXor(loadElement, const_key, "xor");
                StoreInst *Store = builder.CreateStore(Xor, GEP, false);
                Store->setAlignment(1);

                ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
                Value *stepValue = builder.getInt32(1);
                Value *nextValue = builder.CreateAdd(variable, stepValue, "next-value");
                Value *endCondition = builder.CreateICmpULT(variable, endValue, "end-condition");
                endCondition = builder.CreateICmpNE(endCondition, builder.getInt1(0), "loop-condition");
                BasicBlock *loopEndBB = builder.GetInsertBlock();
                builder.CreateCondBr(endCondition, loopEndBB, for_end);
                builder.SetInsertPoint(for_end);
                variable->addIncoming(nextValue, loopEndBB);

            }
            builder.CreateRetVoid();
            appendToGlobalCtors(*mod, fdecode, 0);


        }

    };

    Pass *createStringObfuscation(bool flag);
}

#if 0
RegisterPass(const char *PassArg, const char *Name, bool CFGOnly = false, bool is_analysis = false)

上面这个是RegisterPass的构造函数。
参数说明：

template<typename passName>        ：YourPassName；
                    PassArg        ：opt调用时所用的命行参数；
                    Name        ：此pass的简要说明；
                    CFGOnly        ：如果一个遍历CFG而不修改它，那么这个参数被设置为true；
                    is_analysis    ：如果一个Pass是一个分析Pass，例如dominator tree pass，那么这个参数被设置为true。
例子：

static RegisterPass<Hello> X("hello", "Hello World Pass", false, false);
#endif

char StringObfuscationPass::ID = 0;
static RegisterPass<StringObfuscationPass> X("GVDiv", "Global variable (i.e., const char*) diversification pass", false, true);

Pass * llvm::createStringObfuscation(bool flag) {
    ZooPrint("new my pass 
");
    return new StringObfuscationPass(flag);
}

第二步：

将头文件放在如下位置：ollvmobfuscator-llvm-4.0includellvmTransformsObfuscationStringObfuscation.h

将源文件放在如下位置：ollvmobfuscator-llvm-4.0libTransformsObfuscationStringEncode.cpp

第三步：

将源文件放到如下工程中

第四步：

在此文件中新增代码：ollvmobfuscator-llvm-4.0libTransformsIPOPassManagerBuilder.cpp

新增导入头文件

 #include "llvm/Transforms/Obfuscation/StringObfuscation.h" 

新增全局变量代码如下

static cl::opt<std::string> Seed("seed", cl::init(""),
                            cl::desc("seed for the random"));

//    全局开关，根据参数判断是否设置
static cl::opt<bool> StringObf("sobf", cl::init(false),
                            cl::desc("Enable the string obfuscation"));

在：PassManagerBuilder::populateModulePassManager 函数中，新增挂载新的pass代码，如下

 MPM.add(createStringObfuscation(StringObf)); 

意义为根据全局开关来判断是否启用当前pass

经过以上四步，问题全部解决了，直接重新编译ollvm即可。

后续可以修改pass代码，可以修改解密函数。

新增其他pass新增步骤也如上。

使用方式如下

 G:ollvmTest>G:ollvmuildRelWithDebInfoinclang.exe -mllvm -sobf -mllvm -fla main.c 

含义是，开启字符串加密，并且启动代码扁平化

效果：

源代码如下

编译后如下

已经开启了代码扁平化，原始字符串也已经不一样了，具体情况，

看data段就好了：

已经完全没个人样了

重点在最后，忘了，补充一句，由于字符串在ollvm里面是以UTF8的格式保存的，所以中文字符串天然就是乱码，

有时间想办法来解决一下中文字符串的乱码问题。

这个pass挺简单的，我也没怎么改就拿来用了，后续有时间再改一下吧。