LLVM Code Obfuscator

Problem Statement ID: 25236

Organization: National Technical Research Organisation (NTRO)

Overview

A comprehensive application software that obfuscates object files generated from C and C++ code using LLVM compiler infrastructure. The tool generates highly obfuscated binaries for Windows and Linux platforms that are resistant to reverse engineering.

Features

Obfuscation Techniques

1. Control Flow Flattening - Transforms control flow into a flat structure using switch statements
2. Bogus Control Flow - Inserts fake conditional branches that are never taken
3. Instruction Substitution - Replaces standard instructions with semantically equivalent complex sequences
4. String Encryption - Encrypts string literals with XOR-based encryption
5. Opaque Predicates - Inserts predicates that always evaluate to true/false but are hard to analyze
6. Function Splitting - Splits functions into multiple basic blocks

Configurable Parameters

• Obfuscation level (1-5)
• Number of obfuscation cycles
• String encryption intensity
• Bogus code insertion rate
• Control flow complexity

Comprehensive Reporting

The tool generates detailed JSON and HTML reports containing:

• All input parameters
• Output file attributes (size, hash, timestamps)
• Obfuscation methods applied
• Amount of bogus code generated
• Number of obfuscation cycles completed
• String obfuscation statistics
• Number of fake loops inserted
• Performance metrics

Requirements

System Requirements

• LLVM 14+ (tested with LLVM 14-17)
• CMake 3.15+
• C++17 compatible compiler (GCC 9+, Clang 10+, MSVC 2019+)
• Python 3.8+ (for reporting)

Linux

# Ubuntu/Debian
sudo apt-get install llvm-14 llvm-14-dev clang-14 cmake build-essential

# Fedora/RHEL
sudo dnf install llvm llvm-devel clang cmake gcc-c++

Windows

• Install LLVM from https://releases.llvm.org/
• Install Visual Studio 2019+ with C++ tools
• Install CMake from https://cmake.org/

Building

mkdir build
cd build
cmake ..
cmake --build . --config Release

Usage

Basic Usage

./llvm-obfuscator -i input.c -o output

Advanced Usage

./llvm-obfuscator \
  -i input.cpp \
  -o obfuscated_output \
  --level 5 \
  --cycles 3 \
  --string-encryption high \
  --bogus-flow 0.4 \
  --flatten-control-flow \
  --instruction-substitution \
  --report report.json

Command Line Options

Option	Description	Default
-i, --input	Input source file (C/C++)	Required
-o, --output	Output binary name	obfuscated
--level	Obfuscation level (1-5)	3
--cycles	Number of obfuscation cycles	1
--string-encryption	String encryption (none/low/medium/high)	medium
--bogus-flow	Bogus control flow rate (0.0-1.0)	0.3
--flatten-control-flow	Enable control flow flattening	false
--instruction-substitution	Enable instruction substitution	false
--fake-loops	Number of fake loops to insert	5
--report	Report output file (JSON)	report.json
--html-report	Generate HTML report	false
--target	Target platform (linux/windows)	auto-detect
-v, --verbose	Verbose output	false

Examples

Example 1: Basic Obfuscation

./llvm-obfuscator -i hello.c -o hello_obf

Example 2: Maximum Obfuscation

./llvm-obfuscator \
  -i sensitive.cpp \
  -o sensitive_obf \
  --level 5 \
  --cycles 5 \
  --string-encryption high \
  --bogus-flow 0.8 \
  --flatten-control-flow \
  --instruction-substitution \
  --fake-loops 20 \
  --html-report

Example 3: Cross-Platform Build

# For Windows target on Linux
./llvm-obfuscator -i app.c -o app.exe --target windows

# For Linux target
./llvm-obfuscator -i app.c -o app --target linux

Report Format

JSON Report Structure

{
  "input_parameters": {
    "source_file": "input.c",
    "obfuscation_level": 5,
    "cycles": 3,
    "string_encryption": "high"
  },
  "output_attributes": {
    "file_name": "output",
    "file_size": 45678,
    "sha256": "abc123...",
    "target_platform": "linux"
  },
  "obfuscation_statistics": {
    "bogus_code_lines": 1234,
    "obfuscation_cycles": 3,
    "strings_encrypted": 45,
    "fake_loops_inserted": 20,
    "functions_obfuscated": 12
  }
}

Architecture

llvm-obfuscator/
├── src/
│   ├── passes/              # LLVM transformation passes
│   │   ├── ControlFlowFlattening.cpp
│   │   ├── BogusControlFlow.cpp
│   │   ├── InstructionSubstitution.cpp
│   │   └── StringEncryption.cpp
│   ├── obfuscator.cpp       # Main obfuscation engine
│   ├── reporter.cpp         # Report generation
│   └── main.cpp             # CLI interface
├── include/
│   └── obfuscator/
├── tests/
│   └── test_samples/
└── CMakeLists.txt

Security Considerations

• The obfuscated code is designed to resist static analysis and reverse engineering
• String encryption uses runtime decryption to protect sensitive strings
• Control flow obfuscation makes decompilation significantly harder
• Multiple obfuscation cycles compound the complexity

Performance Impact

Obfuscation level vs. performance overhead:

• Level 1-2: 5-15% overhead
• Level 3: 15-30% overhead
• Level 4-5: 30-60% overhead

Limitations

• Obfuscation increases binary size (typically 2-5x)
• Runtime performance may be impacted
• Debugging obfuscated code is extremely difficult
• Some optimizations may be disabled

Testing

cd build
ctest --output-on-failure

Contributing

This is a research project for NTRO. For contributions or issues, please contact the development team.

License

Proprietary - National Technical Research Organisation (NTRO)

Authors

Developed for NTRO Problem Statement ID 25236

References

• LLVM Documentation: https://llvm.org/docs/
• Code Obfuscation Techniques: https://en.wikipedia.org/wiki/Obfuscation_(software)
• LLVM Pass Writing: https://llvm.org/docs/WritingAnLLVMPass.html