Home

Awesome

DebugOff Library

Linux anti-analysis Rust library

The goal of this library is to make both static and dynamic (debugging) analysis more difficult.

The library targets Linux environments.

It is currently based on ptrace anti-analysis trick and provides the following main features:

To use the crate, add it to your dependencies:

[dependencies]
debugoff = { version = "0.2.1, features = ["obfuscate"] }

For enabling also system call obfuscation, use the syscallobf feature (this is an experimental feature and affect only binaries targeting x86_64 architecture):

[dependencies]
debugoff = { version = "0.2.1, features = ["obfuscate", "syscallobf"] }

Given that the library generates random code at each compilation, be sure to rebuild everything each time. Something like this:

cargo clean
cargo build --release

Stripping symbols from the release build is also a good idea:

[profile.release]
debug = false
strip = "symbols"
panic = "abort"

Usage Example

In the example below, debugoff is used only when the target OS is Linux and only for release builds (in this way when the code is compiled in debug mode it can be debugged without the need to bypass debugoff).

// Include only for Linux and when building in release mode
#[cfg(target_os = "linux")]
#[cfg(not(debug_assertions))]
use debugoff;
use std::time::SystemTime;

fn main() {
  // Call only for Linux and when building in release mode
  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!(
      "Time: {}",
      SystemTime::now()
          .duration_since(SystemTime::UNIX_EPOCH)
          .unwrap()
          .as_millis()
  );

  // Call only for Linux and when building in release mode
  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!("Example complete!");
}

See other examples in the examples directory which can be built with:

cargo build --release --features obfuscate,syscallobf --examples

Obfuscation example

If we build the following code (which does not use DebugOff) in release mode:

use std::time::SystemTime;

fn main() {
  println!(
      "Time: {}",
      SystemTime::now()
          .duration_since(SystemTime::UNIX_EPOCH)
          .unwrap()
          .as_millis()
  );

  println!("Example complete!");
}

This is the corresponding function graph of the main function:

Executable build without
DebugOff.

If we build the same code using DebugOff with obfuscate feature:

#[cfg(target_os = "linux")]
#[cfg(not(debug_assertions))]
use debugoff;
use std::time::SystemTime;

fn main() {
  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!(
      "Time: {}",
      SystemTime::now()
          .duration_since(SystemTime::UNIX_EPOCH)
          .unwrap()
          .as_millis()
  );

  #[cfg(target_os = "linux")]
  #[cfg(not(debug_assertions))]
  debugoff::multi_ptraceme_or_die();

  println!("Example complete!");
}

This is the obfuscated function graph of the main function:

Executable build with
DebugOff.

In this particular example, all the code generated by DebugOff was inlined in the main function. This is not guaranteed to be always the case because the functions inlining can be influenced by many factors like the locations where DebugOff is called and the toolchain version used for building the project. In other cases the resulting function graph could be simpler than the one reported in the example but, in any case, more complex than the one generated when DebugOff is not used.

License

Licensed under:

TODOs