{"id":13546122,"url":"https://github.com/0xor0ne/debugoff","last_synced_at":"2025-04-04T09:09:49.701Z","repository":{"id":41149952,"uuid":"504633306","full_name":"0xor0ne/debugoff","owner":"0xor0ne","description":"Linux anti-debugging and anti-analysis rust library","archived":false,"fork":false,"pushed_at":"2022-12-26T16:42:51.000Z","size":843,"stargazers_count":316,"open_issues_count":1,"forks_count":25,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-28T08:08:12.934Z","etag":null,"topics":["anti-analysis","anti-debugging","antianalysis","antidebug","antidebugging","debugging","dynamic-analysis","obfuscation","rust","static-analysis"],"latest_commit_sha":null,"homepage":"https://crates.io/crates/debugoff","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xor0ne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-GPL","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-17T18:20:10.000Z","updated_at":"2025-03-24T20:02:47.000Z","dependencies_parsed_at":"2023-01-31T00:45:56.149Z","dependency_job_id":null,"html_url":"https://github.com/0xor0ne/debugoff","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xor0ne%2Fdebugoff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xor0ne%2Fdebugoff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xor0ne%2Fdebugoff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xor0ne%2Fdebugoff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xor0ne","download_ur
l":"https://codeload.github.com/0xor0ne/debugoff/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247149502,"owners_count":20891954,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-analysis","anti-debugging","antianalysis","antidebug","antidebugging","debugging","dynamic-analysis","obfuscation","rust","static-analysis"],"created_at":"2024-08-01T12:00:32.131Z","updated_at":"2025-04-04T09:09:49.683Z","avatar_url":"https://github.com/0xor0ne.png","language":"Rust","funding_links":[],"categories":["Offensive Security and Red Teaming","Rust","Awesome Repositories"],"sub_categories":["Packing, Obfuscation, Encryption, Anti-analysis","ELF VX technology"],"readme":"# DebugOff Library\n\n\n## Linux anti-analysis Rust library\n\nThe goal of this library is to make both static and dynamic (debugging) analysis\nmore difficult.\n\n\u003e **The library targets Linux environments.**\n\nIt is currently based on `ptrace` anti-analysis trick and provides the following\nmain features:\n\n* Direct syscall invocation without relying on libc (this makes LD_PRELOAD\n  bypass mechanism ineffective);\n\n* System call obfuscation which makes static reverse engineering more difficult\n  (this feature is currently supported only in `x86_64`);\n\n* Multiple `ptrace` syscall invocations. 
Each call to `ptrace` must return the\n  expected value (i.e., 0 at the first invocation and -1 thereafter) and\n  contributes to the computation of an \"`offset`\" value that, at the end of the\n  `ptrace` call chain, must match an expected value (see\n  [here](https://seblau.github.io/posts/linux-anti-debugging)). If `ptrace`\n  returns an unexpected value or the \"`offset`\" value does not match, the process\n  is terminated;\n\n* `ptrace` is called in nested loops. The loops are unrolled and the number of\n  iterations is randomized at each compilation. Moreover, the \"`offset`\"\n  value is also randomized at each iteration;\n\n* The generated code can be obfuscated even more by enabling the `obfuscate`\n  feature which relies on the [goldberg crate](https://crates.io/crates/goldberg);\n\nTo use the crate, add it to your dependencies:\n\n```text\n[dependencies]\ndebugoff = { version = \"0.2.1\", features = [\"obfuscate\"] }\n```\n\nTo also enable system call obfuscation, use the `syscallobf` feature (this is\nan experimental feature and affects only binaries targeting the `x86_64`\narchitecture):\n\n```text\n[dependencies]\ndebugoff = { version = \"0.2.1\", features = [\"obfuscate\", \"syscallobf\"] }\n```\n\nGiven that the library generates random code at each compilation, be sure to\nrebuild everything each time. 
Something like this:\n\n```text\ncargo clean\ncargo build --release\n```\n\nStripping symbols from the release build is also a good idea:\n\n```text\n[profile.release]\ndebug = false\nstrip = \"symbols\"\npanic = \"abort\"\n```\n\n## Usage Example\n\nIn the example below, `debugoff` is used only when the target OS is Linux  and\nonly for release builds (in this way when the code is compiled in debug mode it\ncan be debugged without the need to bypass `debugoff`).\n\n```rust\n// Include only for Linux and when building in release mode\n#[cfg(target_os = \"linux\")]\n#[cfg(not(debug_assertions))]\nuse debugoff;\nuse std::time::SystemTime;\n\nfn main() {\n  // Call only for Linux and when building in release mode\n  #[cfg(target_os = \"linux\")]\n  #[cfg(not(debug_assertions))]\n  debugoff::multi_ptraceme_or_die();\n\n  println!(\n      \"Time: {}\",\n      SystemTime::now()\n          .duration_since(SystemTime::UNIX_EPOCH)\n          .unwrap()\n          .as_millis()\n  );\n\n  // Call only for Linux and when building in release mode\n  #[cfg(target_os = \"linux\")]\n  #[cfg(not(debug_assertions))]\n  debugoff::multi_ptraceme_or_die();\n\n  println!(\"Example complete!\");\n}\n```\n\nSee other examples in the [examples directory](./examples) which can be built\nwith:\n\n```bash\ncargo build --release --features obfuscate,syscallobf --examples\n```\n\n## Obfuscation example\n\nIf we build the following code (which does not use `DebugOff`) in release mode:\n\n```rust\nuse std::time::SystemTime;\n\nfn main() {\n  println!(\n      \"Time: {}\",\n      SystemTime::now()\n          .duration_since(SystemTime::UNIX_EPOCH)\n          .unwrap()\n          .as_millis()\n  );\n\n  println!(\"Example complete!\");\n}\n```\n\nThis is the corresponding function graph of the `main` function:\n\n![Executable build without\nDebugOff](./docs/images/function_graph_no_debugoff.png).\n\nIf we build the same code using `DebugOff` with `obfuscate` feature:\n\n```rust\n#[cfg(target_os = 
\"linux\")]\n#[cfg(not(debug_assertions))]\nuse debugoff;\nuse std::time::SystemTime;\n\nfn main() {\n  #[cfg(target_os = \"linux\")]\n  #[cfg(not(debug_assertions))]\n  debugoff::multi_ptraceme_or_die();\n\n  println!(\n      \"Time: {}\",\n      SystemTime::now()\n          .duration_since(SystemTime::UNIX_EPOCH)\n          .unwrap()\n          .as_millis()\n  );\n\n  #[cfg(target_os = \"linux\")]\n  #[cfg(not(debug_assertions))]\n  debugoff::multi_ptraceme_or_die();\n\n  println!(\"Example complete!\");\n}\n```\n\nThis is the obfuscated function graph of the `main` function:\n\n![Executable build with\nDebugOff](./docs/images/function_graph_obfuscate.png).\n\nIn this particular example, all the code generated by `DebugOff` was inlined in\nthe `main` function. This is not guaranteed to always be the case because\nfunction inlining can be influenced by many factors like the locations where\n`DebugOff` is called and the toolchain version used for building the project. In\nother cases the resulting function graph could be simpler than the one reported\nin the example but, in any case, more complex than the one generated when\n`DebugOff` is not used.\n\n## License\n\nLicensed under:\n\n* GPL-3.0 when `obfuscate` feature is enabled;\n* MIT when `obfuscate` feature **IS NOT** enabled;\n\n## TODOs\n\n* Implement syscall obfuscation for other architectures (for now, syscall\n  obfuscation is supported only for `x86_64`);\n* Deterministic builds;\n* Remove the dependency on goldberg by implementing internal obfuscation\n  functionalities in order to remove the GPL-3.0 license requirement;\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xor0ne%2Fdebugoff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xor0ne%2Fdebugoff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xor0ne%2Fdebugoff/lists"}