OLLVM-16 Compilation Tutorial

OLLVM-16 Compilation Tutorial.md

OLLVM-16 Compilation Tutorial

Obfuscator-LLVM is a modified version of the LLVM compilers/toolchain to obfuscate source code. This can e.g. be used to bypass EDRs.

Someone might find this useful, since there was no step-by-step instructions on how to correctly compile OLLVM-16.

Prerequisites

Required software:

• Visual Studio Community Edition 2022
• Git

This software can e.g. be installed using winget:

winget install -e --id Microsoft.VisualStudio.2022.Community
winget install -e --id Git.Git

Install the clang build tools for Visual Studio:

• Open Visual Studio Installer from the start menu.
• Select Visual Studio Community 2022 and click on Modify.
• Switch to the Individual components tab and search for clang.
• Select C++ Clang Compiler for Windows and MSBuild support for LLVM (clang-cl) toolset and install these.

Download Sources

Prepare build directory (Note: If you want to use another directory, do not use a path containing spaces!):

mkdir C:\ollvm-16
cd C:\ollvm-16

Get LLVM 16 sources:

git clone --config core.autocrlf=false --depth 1 -b release/16.x --single-branch https://github.com/llvm/llvm-project.git

Get OLLVM 16 sources:

git clone --config core.autocrlf=false --depth 1 https://github.com/wwh1004/ollvm-16.git

Modify LLVM 16

Copy the OLLVM obfuscation code to the LLVM project:

Copy-Item -Recurse .\ollvm-16\Obfuscation\ .\llvm-project\llvm\lib\

Add the copied subdirectory to the CMakeLists.txt file:

(((Get-Content .\llvm-project\llvm\lib\CMakeLists.txt) -replace 'add_subdirectory\(WindowsManifest\)', "add_subdirectory(WindowsManifest)`nadd_subdirectory(Obfuscation)") -join "`n") + "`n" | Set-Content -NoNewline .\llvm-project\llvm\lib\CMakeLists.txt

The diff should look like this:

PS > git diff
diff --git a/llvm/lib/CMakeLists.txt b/llvm/lib/CMakeLists.txt
index 283baa609..28c7cfb8d 100644
--- a/llvm/lib/CMakeLists.txt
+++ b/llvm/lib/CMakeLists.txt
@@ -46,6 +46,7 @@ if (LLVM_INCLUDE_TESTS)
 endif()
 add_subdirectory(WindowsDriver)
 add_subdirectory(WindowsManifest)
+add_subdirectory(Obfuscation)

 set(LLVMCONFIGLIBRARYDEPENDENCIESINC "${LLVM_BINARY_DIR}/tools/llvm-config/LibraryDependencies.inc")

Compile OLLVM

Create a Visual Studio project in C:\ollvm16\ollvm-build using cmake:

& "C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe" `
 -DLLVM_TARGETS_TO_BUILD=X86 `
 -DLLVM_ENABLE_PROJECTS="llvm;clang;lld" `
 -DLLVM_ENABLE_DIA_SDK=OFF `
 -DCLANG_ENABLE_STATIC_ANALYZER=OFF `
 -DCLANG_ENABLE_ARCMT=OFF `
 -DCLANG_ENABLE_OBJC_REWRITER=OFF `
 -DLLVM_ENABLE_EH=OFF `
 -DLLVM_ENABLE_RTTI=OFF `
 -DLLVM_ENABLE_LTO=Thin `
 -DLLVM_OPTIMIZED_TABLEGEN=ON `
 -DLLVM_INCLUDE_BENCHMARKS=OFF `
 -DLLVM_INCLUDE_EXAMPLES=OFF `
 -DLLVM_INCLUDE_TESTS=OFF `
 -DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded `
 -DCMAKE_C_FLAGS="/utf-8" `
 -DCMAKE_CXX_FLAGS="/utf-8" `
 -DLLVM_OBFUSCATION_LINK_INTO_TOOLS=ON `
 -S "C:\ollvm-16\llvm-project\llvm" `
 -B "C:\ollvm-16\ollvm-build" `
 -G "Visual Studio 17 2022" `
 -T ClangCL `
 -A x64

This process can take a minute or two.

Open the created Visual Studio Solution file in Visual Studio:

C:\ollvm-16\ollvm-build\LLVM.sln

Change the solution configuration to Release.

In the Solution Explorer, right-click on CMakePredefinedTargets\ALL_BUILD (LLVM - clang-cl) and select Build.

This process can take several hours, depending on the system performance.

Result

When everything worked, you have all the compiled executables in the bin directory:

ls C:\ollvm-16\ollvm-build\Release\bin\

The Release directory can be copied to other systems so they can also use OLLVM.

Using OLLVM

To compile a Visual Studio solution using OLLVM, the location of the build tools has to be changed. This can be done by adding a new file Directory.build.props to the project directory root with the following content:

<Project>
  <PropertyGroup>
    <LLVMInstallDir>C:\ollvm16\ollvm-build\Release\</LLVMInstallDir>
    <LLVMToolsVersion>16.0.6</LLVMToolsVersion>
  </PropertyGroup>
</Project>

Then, in the Solution Explorer, right-click on the project (not the solution) and select Properties. In Configuration Properties → General change Platform Toolset to LLVM (clang-cl).

To obfuscate the binary, add these necessary options as additional command line options.

Simple example:

-mllvm -sub -mllvm -split -mllvm -fla -mllvm -bcf

Extensive example:

-mllvm -sub -mllvm -sub_loop=3 -mllvm -split -mllvm -split_num=3 -mllvm -fla -mllvm -bcf -mllvm -bcf_loop=3 -mllvm -bcf_prob=40

When the binary is now built, the obfuscation is applied.

If you get the error Unexpected compiler version, expected Clang 18.0.0 or newer, you can try the following compiler option which allows you to use clang <= 18:

-D_ALLOW_COMPILER_AND_STL_VERSION_MISMATCH

References

• LLVM: https://llvm.org/
• LLVM 16.x source code: https://github.com/llvm/llvm-project/tree/release/16.x
• OLLVM project: https://github.com/obfuscator-llvm/obfuscator/wiki
• OLLVM-16 implementation: https://github.com/wwh1004/ollvm-16
• LLVM and Visual Studio: https://llvm.org/docs/GettingStartedVS.html
• Clang/LLVM support in Visual Studio projects: https://learn.microsoft.com/en-us/cpp/build/clang-support-msbuild
• Compiling LLVM with Visual Studio: https://phasetw0.com/llvm/getting-started-on-windows/