debugoff 0.2.2

Linux anti-analysis and anti-debugging Rust library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

// DebugOff
// Copyright (C) 2022 0xor0ne
//
// Licensed under:
// - GPL-3.0 when "obfuscate" feature is enabled;
// - MIT when "obfuscate" feature IS NOT enabled;

// On x86-64, the following registers are used for args 1-6:
// arg1: %rdi
// arg2: %rsi
// arg3: %rdx
// arg4: %r10
// arg5: %r8
// arg6: %r9
//
// rax is used for both the syscall number and the syscall return value.
//
// rcx and r11 are always clobbered. syscalls can also modify memory. With the
// `asm!()` macro, it is assumed that memory is clobbered unless the nomem
// option is specified.
use super::syscalls::SysNo;
#[cfg(feature = "syscallobf")]
use const_random::const_random;
use core::arch::asm;

/// Issues a raw system call with 1 arguments.
///
/// # Safety
///
/// Running a system call is inherently unsafe. It is the caller's
/// responsibility to ensure safety.
#[cfg(not(feature = "syscallobf"))]
#[inline(always)]
pub unsafe fn syscall1(n: SysNo, arg1: usize) -> usize {
    let mut ret: usize;
    asm!(
        "syscall",
        inlateout("rax") n as usize => ret,
        in("rdi") arg1,
        out("rcx") _, // rcx is used to store old rip
        out("r11") _, // r11 is used to store old rflags
        options(nostack, preserves_flags)
    );
    ret
}

/// Issues a raw system call with 4 arguments.
///
/// # Safety
///
/// Running a system call is inherently unsafe. It is the caller's
/// responsibility to ensure safety.
#[cfg(not(feature = "syscallobf"))]
#[inline(always)]
pub unsafe fn syscall4(n: SysNo, arg1: usize, arg2: usize, arg3: usize, arg4: usize) -> usize {
    let mut ret: usize;
    asm!(
        "syscall",
        inlateout("rax") n as usize => ret,
        in("rdi") arg1,
        in("rsi") arg2,
        in("rdx") arg3,
        in("r10") arg4,
        out("rcx") _, // rcx is used to store old rip
        out("r11") _, // r11 is used to store old rflags
        options(nostack, preserves_flags)
    );
    ret
}

/// Issues a raw obfuscated system call with 1 arguments.
///
/// # Safety
///
/// Running a system call is inherently unsafe. It is the caller's
/// responsibility to ensure safety.
#[cfg(feature = "syscallobf")]
#[inline(always)]
pub unsafe fn syscall1(n: SysNo, arg1: usize) -> usize {
    let mut ret: usize;
    let key: usize = const_random!(usize);
    asm!(
        "xor r11, rcx",
        "mov rax, r11",
        "and rcx, 0xFF",
        "add rax, rcx",
        "2:",
        "sub rax, 1",
        "sub rcx, 1",
        "cmp rcx, 0",
        "jg 2b",
        "syscall",
        inout("rcx") ((key as u16) as usize) => _, // rcx is used to store old rip
        inout("r11") ((key as u16) as usize) ^ (n as usize) => _, // r11 is used to store old rflags
        out("rax") ret,
        in("rdi") arg1,
        options(nostack, preserves_flags)
    );
    ret
}

/// Issues a raw obfuscated system call with 4 arguments.
///
/// # Safety
///
/// Running a system call is inherently unsafe. It is the caller's
/// responsibility to ensure safety.
#[cfg(feature = "syscallobf")]
#[inline(always)]
pub unsafe fn syscall4(n: SysNo, arg1: usize, arg2: usize, arg3: usize, arg4: usize) -> usize {
    let mut ret: usize;
    let key: usize = const_random!(usize);
    asm!(
        "xor r11, rcx",
        "mov rax, r11",
        "and rcx, 0xFF",
        "add rax, rcx",
        "2:",
        "sub rax, 1",
        "sub rcx, 1",
        "cmp rcx, 0",
        "jg 2b",
        "syscall",
        inout("rcx") ((key as u16) as usize) => _, // rcx is used to store old rip
        inout("r11") ((key as u16) as usize) ^ (n as usize) => _, // r11 is used to store old rflags
        out("rax") ret,
        in("rdi") arg1,
        in("rsi") arg2,
        in("rdx") arg3,
        in("r10") arg4,
        options(nostack, preserves_flags)
    );
    // asm!(
    //     "xor rax, {0}",
    //     "syscall",
    //     in(reg) ((key as u8) as usize),
    //     inlateout("rax") (n as usize) ^ ((key as u8) as usize) => ret,
    //     in("rdi") arg1,
    //     in("rsi") arg2,
    //     in("rdx") arg3,
    //     in("r10") arg4,
    //     out("rcx") _, // rcx is used to store old rip
    //     out("r11") _, // r11 is used to store old rflags
    //     options(nostack, preserves_flags)
    // );
    ret
}