codedefender_config/
lib.rs

1//! `codedefender-config` provides the Rust data structures used for serializing and deserializing
2//! CodeDefender YAML configuration files and analysis results. These structures are used by both
3//! the CodeDefender CLI and its backend services.
4//!
5//! This crate is intended to be consumed by tools that integrate with or generate CodeDefender config files.
6
7use serde::{Deserialize, Serialize};
8
9/// Current supported YAML config version.
10pub const YAML_CONFIG_VERSION: &str = "1.0.4";
11
12/// Available SIMD extension types used by mutation engines.
13#[derive(Debug, Serialize, Deserialize, Clone)]
14pub enum MutationEngineExtension {
15    /// All base instructions
16    Generic,
17    /// All base instructions + Legacy SSE instructions up until SSE3
18    SSE3,
19    /// All base instructions + Legacy SSE instructions up until SSE4.2
20    SSE42
21}
22
23/// Supported PE environments.
24#[derive(Debug, Clone, Copy, Eq, PartialEq, PartialOrd, Ord, Serialize, Deserialize)]
25pub enum PeEnvironment {
26    /// User-mode PE (exe, dll)
27    UserMode,
28    /// Kernel-mode PE (sys)
29    KernelMode,
30    /// UEFI firmware image
31    UEFI,
32}
33
34/// Configuration settings for lifting x86 instructions into IR.
35#[derive(Debug, Serialize, Deserialize, Clone)]
36pub struct LifterSettings {
37    /// Whether to lift calls into IR.
38    pub lift_calls: bool,
39    /// Calling convention used for lifting, only `WindowsAbi`, and `Conservative` are supported.
40    pub calling_convention: String,
41    /// Max stack copy size in bytes when lifting.
42    pub max_stack_copy_size: u32,
43    /// Fallback: split on calls if lifting fails.
44    pub split_on_calls_fallback: bool,
45}
46
47/// IR optimization settings.
48#[derive(Debug, Serialize, Deserialize, Clone)]
49pub struct OptimizationSettings {
50    /// Enable constant propagation.
51    pub constant_propagation: bool,
52    /// Enable instruction combining.
53    pub instruction_combine: bool,
54    /// Enable dead code elimination.
55    pub dead_code_elim: bool,
56    /// Enable pruning of unused block parameters.
57    pub prune_useless_block_params: bool,
58    /// Number of optimization iterations to run.
59    pub iterations: u32,
60}
61
62/// Assembler-level codegen settings.
63#[derive(Debug, Serialize, Deserialize, Clone)]
64pub struct AssemblerSettings {
65    /// Whether to shuffle basic blocks.
66    pub shuffle_basic_blocks: bool,
67    /// Instruction prefix to prepend to emitted instructions.
68    pub instruction_prefix: String,
69    /// Chance of randomly applying the prefix.
70    pub random_prefix_chance: f64,
71}
72
73/// Compiler configuration (IR + codegen) for a profile.
74#[derive(Debug, Serialize, Deserialize, Clone)]
75pub struct CDCompilerSettings {
76    /// Assembler settings.
77    pub assembler_settings: AssemblerSettings,
78    /// Optimization settings.
79    pub optimization_settings: OptimizationSettings,
80    /// IR lifter settings.
81    pub lifter_settings: LifterSettings,
82}
83
84/// Fake PDB string settings to confuse debuggers.
85#[derive(Default, Debug, Serialize, Deserialize)]
86pub struct FakePdbString {
87    /// Whether the fake PDB string is enabled.
88    pub enabled: bool,
89    /// Value to emit as the fake PDB string.
90    pub value: String,
91}
92
93/// Custom `.text` section name override.
94#[derive(Default, Debug, Serialize, Deserialize)]
95pub struct CustomSectionName {
96    /// Whether this feature is enabled.
97    pub enabled: bool,
98    /// Custom section name value.
99    pub value: String,
100}
101
102/// Global obfuscation settings for the module.
103#[derive(Debug, Serialize, Deserialize)]
104pub struct CDModuleSettings {
105    /// Whether to crash the IDA decompiler intentionally.
106    #[serde(default)]
107    pub ida_crasher: bool,
108    /// Whether to enable IAT/Import protection.
109    #[serde(default)]
110    pub import_protection: bool,
111    /// Should the output file be packed/compressed? This option only works for usermode modules.
112    #[serde(default)]
113    pub pack_output_file: bool,
114    /// Obscure the entry point of the module with anti tamper and anti debug tactics
115    #[serde(default)]
116    pub obscure_entry_point: bool,
117    /// Clear unwind information. makes it harder for attackers to locate functions, however
118    /// structured exception handling will not work.
119    #[serde(default)]
120    pub clear_unwind_info: bool,
121    /// Fake PDB string settings.
122    #[serde(default)]
123    pub fake_pdb_string: FakePdbString,
124    /// Custom PE section name settings.
125    #[serde(default)]
126    pub custom_section_name: CustomSectionName,
127}
128
129/// Instruction-level semantics used in transformations.
130#[derive(Debug, Serialize, Deserialize, Clone)]
131pub struct Semantics {
132    #[serde(default)]
133    pub add: bool,
134    #[serde(default)]
135    pub sub: bool,
136    #[serde(default)]
137    pub and: bool,
138    #[serde(default)]
139    pub xor: bool,
140    #[serde(default)]
141    pub or: bool,
142    #[serde(default)]
143    pub not: bool,
144    #[serde(default)]
145    pub neg: bool,
146}
147
148/// Bit widths to apply transformations to.
149#[derive(Debug, Serialize, Deserialize, Clone)]
150pub struct BitWidths {
151    #[serde(default)]
152    pub bit8: bool,
153    #[serde(default)]
154    pub bit16: bool,
155    #[serde(default)]
156    pub bit32: bool,
157    #[serde(default)]
158    pub bit64: bool,
159}
160
161/// The origin of SSA value from within the instruction.
162/// Please refer to this documentation for more info:
163/// https://docs.codedefender.io/features/ethnicity
164#[derive(Debug, Serialize, Deserialize, Clone)]
165pub struct SsaOrigins {
166    pub normal: bool,
167    pub memop: bool,
168    pub fp_based_memop: bool,
169    pub sp_based_memop: bool,
170}
171
172/// Configuration for the Loop Encode Semantics pass.
173#[derive(Debug, Serialize, Deserialize, Clone)]
174pub struct LoopEncodeSemantics {
175    /// Number of times to attempt transformation.
176    pub iterations: u32,
177    /// Percent chance to apply transformation (0–100).
178    pub probability: u32,
179    /// Instruction semantics to consider.
180    pub semantics: Semantics,
181    /// Bit widths to target.
182    pub bitwidths: BitWidths,
183    pub ethnicities: SsaOrigins,
184}
185
186/// Configuration for Mixed Boolean Arithmetic pass.
187#[derive(Debug, Serialize, Deserialize, Clone)]
188pub struct MixedBooleanArithmetic {
189    pub iterations: u32,
190    pub probability: u32,
191    pub semantics: Semantics,
192    pub bitwidths: BitWidths,
193    pub ethnicities: SsaOrigins,
194}
195
196/// Configuration for Mutation Engine pass.
197#[derive(Debug, Serialize, Deserialize, Clone)]
198pub struct MutationEngine {
199    pub iterations: u32,
200    pub probability: u32,
201    pub extension: MutationEngineExtension,
202    pub semantics: Semantics,
203    pub bitwidths: BitWidths,
204    pub ethnicities: SsaOrigins,
205}
206
207/// Pass that crashes IDA’s decompiler.
208#[derive(Debug, Serialize, Deserialize, Clone)]
209pub struct IDADecompilerCrasher;
210
211/// Suppress constants and prevent them from rematerializing at runtime.
212#[derive(Debug, Serialize, Deserialize, Clone)]
213pub struct SuppressConstants {
214    pub ethnicities: SsaOrigins,
215}
216
217/// Statically obscure constants, this does not prevent rematerialization at runtime.
218/// Use the SuppressConstants pass in tandem with this!
219#[derive(Debug, Serialize, Deserialize, Clone)]
220pub struct ObscureConstants {
221    pub probability: u32,
222    pub iterations: u32,
223    pub bitwidths: BitWidths,
224    pub ethnicities: SsaOrigins,
225}
226
227/// Memory reference obfuscation pass.
228#[derive(Debug, Serialize, Deserialize, Clone)]
229pub struct ObscureReferences;
230
231/// Control-flow obfuscation pass.
232#[derive(Debug, Serialize, Deserialize, Clone)]
233pub struct ObscureControlFlow {
234    pub probability: u32,
235}
236
237/// Tether extraction pass.
238#[derive(Debug, Serialize, Deserialize, Clone)]
239pub struct TetherExtraction {
240    /// Min length of a sequence of instructions that should be extracted.
241    /// Its a bad idea for this to be 1 usually because its easy to synthesize
242    pub min_extract_len: usize,
243    /// Tether server endpoint
244    pub endpoint: String,
245    /// Tether server port
246    pub port: u16,
247    /// Hex string of the servers public key. This is used for public key pinning.
248    /// This needs to be length 64...
249    pub server_public_key: String,
250}
251
252/// Opaque block duplication pass.
253#[derive(Debug, Serialize, Deserialize, Clone)]
254pub struct OpaqueBlockDuplication {
255    /// Number of iterations to attempt transformation.
256    pub iterations: u32,
257    /// Percent chance to apply transformation (0–100).
258    pub probability: u32,
259}
260
261/// Split block pass, used to create more control flow points for other passes to transform.
262#[derive(Debug, Serialize, Deserialize, Clone)]
263pub struct SplitBlockPass {
264    /// The number of SSA values required to be within a block for it to be split into two seperate blocks.
265    pub threshold: u32,
266}
267
268/// Encode immediate ssa values into lea's
269#[derive(Debug, Serialize, Deserialize, Clone)]
270pub struct LeaEncodeImm {
271    /// Percent chance to apply transformation (0–100).
272    pub probability: u32,
273    pub ethnicities: SsaOrigins,
274}
275
276/// All possible obfuscation passes.
277#[derive(Debug, Serialize, Deserialize, Clone)]
278#[serde(tag = "type")]
279pub enum ObfuscationPass {
280    LoopEncodeSemantics(LoopEncodeSemantics),
281    MixedBooleanArithmetic(MixedBooleanArithmetic),
282    MutationEngine(MutationEngine),
283    TetherExtraction(TetherExtraction),
284    SplitBlockPass(SplitBlockPass),
285    OpaqueBlockDuplication(OpaqueBlockDuplication),
286    ObscureControlFlow(ObscureControlFlow),
287    LeaEncodeImm(LeaEncodeImm),
288    ObscureConstants(ObscureConstants),
289    SuppressConstants(SuppressConstants),
290    IDADecompilerCrasher,
291    ObscureReferences,
292    AntiEmulator,
293}
294
295/// Profile definition used to apply passes to symbols.
296#[derive(Debug, Serialize, Deserialize)]
297pub struct CDProfile {
298    /// Name of the profile.
299    pub name: String,
300    /// Obfuscation passes for this profile.
301    pub passes: Vec<ObfuscationPass>,
302    /// Compiler settings for this profile.
303    pub compiler_settings: CDCompilerSettings,
304    /// List of symbol RVAs this profile targets.
305    pub symbols: Vec<u64>,
306}
307
308/// Top-level config file structure.
309#[derive(Debug, Serialize, Deserialize)]
310pub struct CDConfig {
311    /// Module-wide settings.
312    pub module_settings: CDModuleSettings,
313    /// All profiles to apply during obfuscation.
314    pub profiles: Vec<CDProfile>,
315}
316
317/// Information about a single function found during analysis.
318#[derive(Deserialize, Serialize, Clone, Debug)]
319pub struct AnalysisFunction {
320    /// RVA of the function.
321    pub rva: u64,
322    /// Function name.
323    pub symbol: String,
324    /// Number of references to this function.
325    pub ref_count: usize,
326}
327
328/// Reason why a function was rejected from analysis.
329#[derive(Deserialize, Serialize, Clone, Debug)]
330pub struct AnalysisReject {
331    /// RVA of the rejected function.
332    pub rva: u64,
333    /// Symbol name.
334    pub symbol: String,
335    /// Mnemonic reason string (e.g., internal enum).
336    pub ty: String,
337    /// Stringified reason (human-readable).
338    pub reason: String,
339}
340
341/// Grouping of functions under a named macro profile.
342#[derive(Deserialize, Serialize, Clone, Debug)]
343pub struct AnalysisMacroProfile {
344    /// Name of the macro profile.
345    pub name: String,
346    /// List of function RVAs in this macro.
347    pub rvas: Vec<u64>,
348}
349
350/// Results from binary analysis, returned to the frontend.
351#[derive(Deserialize, Serialize, Clone, Debug)]
352pub struct AnalysisResult {
353    /// Environment type (UserMode, KernelMode, UEFI).
354    pub environment: PeEnvironment,
355    /// Functions found during analysis.
356    pub functions: Vec<AnalysisFunction>,
357    /// Rejected functions and reasons.
358    pub rejects: Vec<AnalysisReject>,
359    /// Macro profiles generated from analysis.
360    pub macros: Vec<AnalysisMacroProfile>,
361}
362
363/// Symbol representation used in YAML: either name or RVA.
364#[derive(Debug, Serialize, Deserialize)]
365pub enum YamlSymbol {
366    /// Symbol name
367    Name(String),
368    /// Symbol RVA.
369    Rva(u64),
370}
371
372/// Obfuscation profile for YAML configuration.
373#[derive(Debug, Serialize, Deserialize)]
374pub struct YamlProfile {
375    /// Profile name (referenced by source macros).
376    pub name: String,
377    /// Passes to apply to this profile.
378    pub passes: Vec<ObfuscationPass>,
379    /// Compiler configuration for this profile.
380    pub compiler_settings: CDCompilerSettings,
381    /// Symbols targeted by this profile.
382    pub symbols: Vec<YamlSymbol>,
383    /// Only used by the SaaS UI. Not used by the CLI.
384    pub color: Option<String>,
385}
386
387/// Root YAML config structure.
388#[derive(Debug, Serialize, Deserialize)]
389pub struct YamlConfig {
390    /// Version of the config file format.
391    pub version: String,
392    /// Global module-wide obfuscation settings.
393    pub module_settings: CDModuleSettings,
394    /// Obfuscation profiles to apply.
395    pub profiles: Vec<YamlProfile>,
396}
codedefender_config/lib.rs

codedefender_config/
lib.rs
