Linux anti-debugging and anti-analysis Rust library

Overview

DebugOff Library

Linux anti-analysis Rust library

The goal of this library is to make both static and dynamic (debugging) analysis more difficult.

The library targets Linux environments.

It is currently based on the ptrace anti-analysis trick and provides the following main features:

  • Direct syscall invocation without relying on libc (this makes the LD_PRELOAD bypass mechanism ineffective);

  • System call obfuscation, which makes static reverse engineering more difficult (this feature is currently supported only on x86_64);

  • Multiple ptrace syscall invocations. Each call to ptrace must return the expected value (i.e., 0 at the first invocation and -1 thereafter) and contributes to the computation of an "offset" value that, at the end of the ptrace call chain, must match an expected value (see here). If ptrace returns an unexpected value or the "offset" value does not match, the process is terminated;

  • 'ptrace' is called in nested loops. The loops are unrolled and the number of iterations is randomized at each compilation; the "offset" value is also randomized at each iteration;

  • The generated code can be obfuscated even further by enabling the obfuscate feature, which relies on the goldberg crate;
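The check described above in miniature, as an added example that is not DebugOff's own code: a libc-free ptrace(PTRACE_TRACEME) via the x86_64 `syscall` instruction, a chain of calls whose raw return values must be 0 then -1, and an "offset" folded from those values. The offset formula and the chain length of 3 are assumptions for illustration; the raw syscall part assumes x86_64 Linux.

```rust
// Added example, not DebugOff's own code. The offset formula is an assumption
// made for illustration; the crate uses its own, randomized at each build.
use std::arch::asm;
const SYS_PTRACE: usize = 101; // x86_64 Linux syscall number for ptrace(2)
const PTRACE_TRACEME: usize = 0;

/// ptrace(PTRACE_TRACEME) via the `syscall` instruction, bypassing libc so an
/// LD_PRELOAD hook on `ptrace` never sees it. Returns the raw kernel result:
/// 0 on success, -errno on failure (-EPERM == -1 once a tracer is attached).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn raw_ptrace_traceme() -> i64 {
    let ret: i64;
    unsafe {
        asm!("syscall", inlateout("rax") SYS_PTRACE as i64 => ret,
             in("rdi") PTRACE_TRACEME, in("rsi") 0usize, in("rdx") 0usize,
             in("r10") 0usize, lateout("rcx") _, lateout("r11") _,
             options(nostack));
    }
    ret
}

/// Expected raw return of the i-th call: only the first may succeed, every
/// later one must fail with -1 because the process already has a tracer.
fn expected_ret(i: usize) -> i64 { if i == 0 { 0 } else { -1 } }

/// Fold the chain's return values into an "offset" (assumed formula: each
/// step adds its 1-based index plus the value ptrace returned).
fn fold_offset(rets: &[i64]) -> i64 {
    rets.iter().enumerate().map(|(i, r)| i as i64 + 1 + r).sum()
}

/// Offset a clean (untraced) run must produce for a chain of `n` calls.
fn expected_offset(n: usize) -> i64 {
    fold_offset(&(0..n).map(expected_ret).collect::<Vec<_>>())
}

/// Both README conditions: each return is the expected one and the folded
/// offset matches. A tracer attached before the chain makes call 0 return -1.
fn chain_is_clean(rets: &[i64]) -> bool {
    !rets.is_empty()
        && rets.iter().enumerate().all(|(i, &r)| r == expected_ret(i))
        && fold_offset(rets) == expected_offset(rets.len())
}

#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn main() {
    let rets: Vec<i64> = (0..3).map(|_| raw_ptrace_traceme()).collect();
    if !chain_is_clean(&rets) { std::process::exit(1); } // "or_die" behaviour
    println!("not traced, chain returned {:?}", rets);
}
```

Run it under a debugger and the first call already returns -1, so the process exits; without one, the chain returns [0, -1, -1].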

To use the crate, add it to your dependencies:

[dependencies]
debugoff = { version = "0.2.1", features = ["obfuscate"] }

To also enable system call obfuscation, use the syscallobf feature (this feature is experimental and affects only binaries targeting the x86_64 architecture):

[dependencies]
debugoff = { version = "0.2.1", features = ["obfuscate", "syscallobf"] }

Given that the library generates random code at each compilation, be sure to rebuild everything each time. Something like this:

cargo clean
cargo build --release

Stripping symbols from the release build is also a good idea:

[profile.release]
debug = false
strip = "symbols"
panic = "abort"

Usage Example

In the example below, debugoff is used only when the target OS is Linux and only for release builds (this way, when the code is compiled in debug mode it can be debugged without needing to bypass debugoff).

// Include only for Linux and when building in release mode
#[cfg(target_os = "linux")]
#[cfg(not(debug_assertions))]
use debugoff;
use std::time::SystemTime;

fn main() {
  // Call only for Linux and when building in release mode
  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!(
      "Time: {}",
      SystemTime::now()
          .duration_since(SystemTime::UNIX_EPOCH)
          .unwrap()
          .as_millis()
  );

  // Call only for Linux and when building in release mode
  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!("Example complete!");
}

See other examples in the examples directory which can be built with:

cargo build --release --features obfuscate,syscallobf --examples

Obfuscation example

If we build the following code (which does not use DebugOff) in release mode:

use std::time::SystemTime;

fn main() {
  println!(
      "Time: {}",
      SystemTime::now()
          .duration_since(SystemTime::UNIX_EPOCH)
          .unwrap()
          .as_millis()
  );

  println!("Example complete!");
}

This is the corresponding function graph of the main function:

Executable build without DebugOff.

If we build the same code using DebugOff with obfuscate feature:

#[cfg(target_os = "linux")]
#[cfg(not(debug_assertions))]
use debugoff;
use std::time::SystemTime;

fn main() {
  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!(
      "Time: {}",
      SystemTime::now()
          .duration_since(SystemTime::UNIX_EPOCH)
          .unwrap()
          .as_millis()
  );

  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!("Example complete!");
}

This is the obfuscated function graph of the main function:

Executable build with DebugOff.

In this particular example, all the code generated by DebugOff was inlined into the main function. This is not guaranteed to always be the case, because function inlining is influenced by many factors, such as the locations where DebugOff is called and the toolchain version used to build the project. In other cases the resulting function graph may be simpler than the one shown here but, in any case, more complex than the one produced when DebugOff is not used.

License

Licensed under:

  • GPL-3.0 when obfuscate feature is enabled;
  • MIT when obfuscate feature IS NOT enabled;

TODOs

  • Syscall obfuscation;
  • Deterministic builds;
  • Remove the dependency on goldberg by implementing internal obfuscation functionality, in order to drop the GPL-3.0 license requirement;
Comments
  • Possible GPL violation with the use of the goldberg library

    The goldberg library is licensed as GPL-3.0 and if I understand that correctly, this would force you to license debugoff as GPL-3.0 as well because of the Copyleft.

    I'm not sure if it's possible to license debugoff in such a way that it is only GPL if the obfuscate feature is enabled and/or if using obfuscate only counts as using the output created by it (the same way that the machine code produced by GCC doesn't count as a derived work of GCC).

    But you should definitely look into the specifics of the licensing situation here and potentially remove the dependency on goldberg.

    opened by FSMaxB 3
  • armv7-linux-androideabi build fails

    cargo build --target armv7-linux-androideabi --release

    Compiling debugoff v0.2.1

    error: cannot use register r7: the frame pointer (r7) cannot be used as an operand for inline asm
      --> C:\Users\DaMiao\.cargo\registry\src\github.com-1ecc6299db9ec823\debugoff-0.2.1\src\arch\arm\syscall.rs:80:9
       |
    80 |         in("r7") n as usize,
       |         ^^^^^^^^^^^^^^^^^^^

    error: cannot use register r7: the frame pointer (r7) cannot be used as an operand for inline asm
      --> C:\Users\DaMiao\.cargo\registry\src\github.com-1ecc6299db9ec823\debugoff-0.2.1\src\arch\arm\syscall.rs:100:9
        |
    100 |         in("r7") n as usize,
        |         ^^^^^^^^^^^^^^^^^^^

    error: could not compile debugoff due to 2 previous errors

    bug 
    opened by Da-Miao 1