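好久没弄 ollvm 了，现在可以继续了。今天给 ollvm 新增了一个 pass，用来加密字符串，这个 pass 是从别的库里面扒出来的。从下面源码里的 encVar 结构可以看出，每个被处理的全局变量只对应一个 uint8_t 的 key，因此这里的“加密”更准确地说是字符串混淆：它只能增加静态分析的成本，不能当作保护敏感数据的手段。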
本文基于在 Windows 上使用 VS2017 编译出来的 ollvm，在此基础上添加这个 pass。
第一步:
寻找两个pass的代码
头文件
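// Public interface of the string-obfuscation module pass.
//
// The guard follows the header's include path
// (llvm/Transforms/Obfuscation/StringObfuscation.h). The previous name,
// _STRING_OBFUSCATION_H_, starts with an underscore followed by an uppercase
// letter, which is a spelling reserved for the implementation.
#ifndef LLVM_TRANSFORMS_OBFUSCATION_STRINGOBFUSCATION_H
#define LLVM_TRANSFORMS_OBFUSCATION_STRINGOBFUSCATION_H

// LLVM include
#include "llvm/Pass.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/Instructions.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/Transforms/IPO.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/CryptoUtils.h"

// Namespace
// NOTE(review): using-directives in a header leak into every translation unit
// that includes it. Nothing declared in this header needs them (the only
// declaration already sits inside namespace llvm); they are kept only because
// files that include this header may rely on them.
using namespace llvm;
using namespace std;

namespace llvm {
/// @brief Factory for the string-obfuscation pass.
///
/// @param flag Enable switch. In the pass implementation the stored flag is
///             checked at the top of runOnModule, which returns false without
///             modifying the module when it is not set. That this factory
///             forwards @p flag to that constructor is presumed; the
///             definition is not part of this header.
/// @return The newly created pass. Ownership is presumably taken by the pass
///         manager it is added to; confirm at the call site.
///
/// NOTE(review): the implementation pairs each encoded global with a single
/// uint8_t key, so treat the result as obfuscation against static string
/// extraction, not as confidentiality for secrets embedded in the binary.
Pass *createStringObfuscation(bool flag);
}

#endif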
源文件
1 #define DEBUG_TYPE "objdiv" 2 #include <string> 3 #include <sstream> 4 5 #include "llvm/ADT/Statistic.h" 6 #include "llvm/IR/Function.h" 7 #include "llvm/IR/Constants.h" 8 #include "llvm/IR/Module.h" 9 #include "llvm/IR/Value.h" 10 #include "llvm/Pass.h" 11 #include "llvm/Support/raw_ostream.h" 12 #include "llvm/CryptoUtils.h" 13 #include "llvm/Transforms/Obfuscation/StringObfuscation.h" 14 #include "llvm/IR/IRBuilder.h" 15 #include "llvm/Transforms/Utils/ModuleUtils.h" 16 17 using namespace llvm; 18 19 STATISTIC(GlobalsEncoded, "Counts number of global variables encoded"); 20 21 #define ZooPrint(_F, ...) fprintf(stdout, "File : [%s](%d) " _F, __FILE__, __LINE__, __VA_ARGS__) 22 23 namespace llvm { 24 25 struct encVar { 26 public: 27 GlobalVariable *var; 28 uint8_t key; 29 }; 30 31 class StringObfuscationPass : public llvm::ModulePass { 32 public: 33 static char ID; // pass identification 34 bool is_flag = false; 35 StringObfuscationPass() : ModulePass(ID) {} 36 StringObfuscationPass(bool flag) : ModulePass(ID) 37 { 38 is_flag = flag; 39 } 40 41 virtual bool runOnModule(Module &M) { 42 ZooPrint(" Run On Module : %d ", is_flag); 43 if (!is_flag) 44 return false; 45 std::vector<GlobalVariable*> toDelConstGlob; 46 //std::vector<GlobalVariable*> encGlob; 47 std::vector<encVar*> encGlob; 48 ZooPrint(" M.Size : %d ", M.size()); 49 int i = 0; 50 for (Module::global_iterator gi = M.global_begin(), ge = M.global_end(); gi != ge; ++gi) 51 { 52 53 #if 0 54 // 老式代码,原来的样子 55 @.str = private unnamed_addr constant[13 x i8] c"E4BDA0E5A5BDE4B896E7958C 0", align 1 56 @__CFConstantStringClassReference = external global[0 x i32] 57 @.str.1 = private unnamed_addr constant[3 x i16][i16 20320, i16 22909, i16 0], section "__TEXT,__ustring", align 2 58 // 新式字符串的样子 59 @"