|
| 1 | +# De-Optimizer |
| 2 | +<div align="center"> |
| 3 | + <img src=".github/img/banner.png"> |
| 4 | + <br> |
| 5 | + <br> |
| 6 | + |
| 7 | + |
| 8 | + [![GitHub All Releases][release-img]][release] |
| 9 | + [![Build][workflow-img]][workflow] |
| 10 | + [![Issues][issues-img]][issues] |
| 11 | + [![Crates][crates-img]][crates] |
| 12 | + ![Docker Pulls][docker-pulls] |
| 13 | + [![License: MIT][license-img]][license] |
| 14 | +</div> |
| 15 | + |
| 16 | +[crates]: https://crates.io/crates/deoptimizer |
| 17 | +[crates-img]: https://img.shields.io/crates/v/deoptimizer |
| 18 | +[release]: https://github.com/EgeBalci/deoptimizer/releases |
| 19 | +[release-img]: https://img.shields.io/github/v/release/EgeBalci/deoptimizer |
| 20 | +[downloads]: https://github.com/EgeBalci/deoptimizer/releases |
| 21 | +[downloads-img]: https://img.shields.io/github/downloads/EgeBalci/deoptimizer/total?logo=github |
| 22 | +[issues]: https://github.com/EgeBalci/deoptimizer/issues |
| 23 | +[issues-img]: https://img.shields.io/github/issues/EgeBalci/deoptimizer?color=red |
| 24 | +[docker-pulls]: https://img.shields.io/docker/pulls/EgeBalci/EgeBalci?logo=docker&label=docker%20pulls |
| 25 | +[license]: https://raw.githubusercontent.com/EgeBalci/deoptimizer/master/LICENSE |
| 26 | +[license-img]: https://img.shields.io/github/license/EgeBalci/deoptimizer.svg |
| 27 | +[google-cloud-shell]: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/EgeBalci/deoptimizer&tutorial=README.md |
| 28 | +[workflow-img]: https://github.com/EgeBalci/deoptimizer/actions/workflows/main.yml/badge.svg |
| 29 | +[workflow]: https://github.com/EgeBalci/deoptimizer/actions/workflows/main.yml |
| 30 | +[moneta-ref]: https://github.com/forrest-orr/moneta |
| 31 | +[pe-sieve-ref]: https://github.com/hasherezade/pe-sieve |
| 32 | +[insomnihack]: https://www.youtube.com/watch?v=Issvbst_89I |
| 33 | + |
| 34 | + |
| 35 | +This tool is a machine code de-optimizer. By transforming/mutating the machine code instructions to their functional equivalents it makes possible to bypass pattern-based detection mechanisms used by security products. |
| 36 | + |
| 37 | +## Why? |
| 38 | +Bypassing security products is a very important part of many offensive security engagements. The majority of the current AV evasion techniques used in various different evasion tools, such as packers, shellcode encoders, and obfuscators, are dependent on the use of self-modifying code running on RWE memory regions. Considering the current state of security products, such evasion attempts are easily detected by memory analysis tools such as [Moneta](https://github.com/forrest-orr/moneta) and [Pe-sieve](https://github.com/hasherezade/pe-sieve). This project introduces a new approach to code obfuscation with the use of machine code de-optimization. It uses certain mathematical approaches, such as arithmetic partitioning, logical inverse, polynomial transformation, and logical partitioning, for transforming/mutating the instructions of the target binary without creating any recognizable patterns. The tool is capable of transforming the instructions of a given binary up to ~95% by using the mentioned de-optimization tricks. |
| 39 | + |
| 40 | +**Watch the presentation for more...** |
| 41 | + |
| 42 | +## Installation |
| 43 | + |
| 44 | +**Download the pre-built release binaries [HERE](https://github.com/EgeBalci/deoptimizer/releases).** |
| 45 | + |
| 46 | +[](google-cloud-shell) |
| 47 | + |
| 48 | +***From Source*** |
| 49 | +``` |
| 50 | +cargo install deoptimizer |
| 51 | +``` |
| 52 | + |
| 53 | +***Docker Install*** |
| 54 | + |
| 55 | +[](https://hub.docker.com/r/egee/deoptimizer/) |
| 56 | + |
| 57 | +```bash |
| 58 | +docker run -it egee/deoptimizer -h |
| 59 | +``` |
| 60 | + |
| 61 | +## Usage |
| 62 | + |
| 63 | +``` |
| 64 | +Machine code deoptimizer. |
| 65 | +
|
| 66 | +Usage: deoptimizer [OPTIONS] |
| 67 | +
|
| 68 | +Options: |
| 69 | + -a, --arch <ARCH> Target architecture (x86/arm) [default: x86] |
| 70 | + -f, --file <FILE> target binary file name [default: ] |
| 71 | + -o, --outfile <OUTFILE> output file name [default: ] |
| 72 | + -s, --source <SOURCE> source assembly file [default: ] |
| 73 | + --syntax <SYNTAX> assembler formatter syntax (nasm/masm/intel/gas) [default: keystone] |
| 74 | + -b, --bitness <BITNESS> bitness of the binary file (16/32/64) [default: 64] |
| 75 | + -A, --addr <ADDR> start address in hexadecimal form [default: 0x0000000000000000] |
| 76 | + --skip-offsets <SKIP_OFFSETS>... File offset range for not deoptimizing (eg: 0-10 for skipping first ten bytes) |
| 77 | + -c, --cycle <CYCLE> total number of deoptimization cycles [default: 1] |
| 78 | + -F, --freq <FREQ> deoptimization frequency [default: 0.5] |
| 79 | + --transforms <TRANSFORMS> allowed transform routines (ap/li/lp/om/rs) [default: ap,li,lp,om,rs] |
| 80 | + --allow-invalid allow processing of invalid instructions |
| 81 | + -v, --verbose verbose output mode |
| 82 | + --debug debug output mode |
| 83 | + -h, --help Print help |
| 84 | + -V, --version Print version |
| 85 | +``` |
| 86 | + |
| 87 | +### Currently Supported Architectures |
| 88 | + |
| 89 | +| **Architecture** | **32** | **64** | |
| 90 | +|:-----------------:|:------:|:------:| |
| 91 | +| **x86** | ✅ | ✅ | |
| 92 | +| **ARM** | ❌ | 🚧 | |
| 93 | +| **RISC5** | ❌ | 🚧 | |
| 94 | + |
| 95 | +## TO DO |
| 96 | +- [ ] PE file support. |
| 97 | +- [ ] ELF file support |
| 98 | +- [ ] Mach-O file support. |
| 99 | +- [ ] ARM architecture support. |
| 100 | +- [ ] RISC5 architecture support. |
0 commit comments