In this article I will first give an introduction to LLVM, and then I will present a little LLVM-IR obfuscator PoC I have coded for fun. Here is the introduction of the article:
Over the past several months, I have come across a lot of papers that use the LLVM framework to develop really cool tools like:
- decompilation framework (Dagger),
- universal deobfuscation (Opticode),
- bug-finding with static binary instrumentation (AddressSanitizer),
- fast C compiler (Clang),
- automatic test cases generator (Klee).
In other words, LLVM is everywhere, and it's only the beginning.
In the first part of this paper, I will try to give you an overview of the framework: basically what you can do with it and what you cannot. Then, I will introduce a PoC called Kryptonite: a small obfuscator based on LLVM. We will talk about how you can build such tools and how they can be improved.
I'm currently playing with version 3.3 of LLVM (the latest as I write this paper), so the code may change a bit for upcoming versions (don't hesitate to shoot me an email if this is the case).
Keep in mind that no CPUs were harmed during this piece of research, trust me.
I hope you will enjoy the read, cheers!