mylovereturns/pickle-protector

pickle protect

vm-based binary protection. custom ISA, keccak-encrypted stub, anti-debug, anti-tamper, the works.

what it does

  • virtualizes marked code regions into a custom bytecode that runs on an internal VM
  • encrypts the stub with multi-round keccak (duplex sponge construction, not just hashing)
  • monitors for debuggers, hardware breakpoints, timing anomalies, ntdll hooks
  • checksums executable sections at runtime with rotating polynomial keys
  • control flow flattening + dead code insertion + opaque predicates on the native side
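The runtime section-checksum item above, as an added illustration (not the project's src/antitamper code): a keyed polynomial checksum over a byte span, with the key picked from a seed-driven rotation on every check, so a patch would have to satisfy several unrelated checksum equations rather than one stored hash. The section buffer, the master key, the splitmix64 key schedule and the 8-key rotation are all constructed for this example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// splitmix64 step used as the key schedule. Keys are forced odd so that
// multiplying by them is a bijection mod 2^64 (no key can collapse the hash).
static uint64_t next_key(uint64_t& state) {
    uint64_t z = (state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return (z ^ (z >> 31)) | 1ULL;
}

// Keyed polynomial checksum evaluated by Horner's rule:
//   h = seed*key^n + sum_i data[i]*key^(n-1-i)   (mod 2^64)
// The nonzero seed makes leading zero bytes count; a one-byte change at
// position i shifts h by delta*key^(n-1-i), which is never zero for odd keys.
static uint64_t poly_checksum(const uint8_t* data, size_t n, uint64_t key) {
    uint64_t h = 0x243F6A8885A308D3ULL;  // constructed nonzero seed
    for (size_t i = 0; i < n; ++i) h = h * key + data[i];
    return h;
}

// Watches one section. At construction it records the pristine checksum
// under each of KEYS rotating keys; every check() picks a key in
// seed-driven order and recomputes against the live bytes.
class SectionMonitor {
public:
    static constexpr int KEYS = 8;
    SectionMonitor(const uint8_t* base, size_t len, uint64_t master_key)
        : base_(base), len_(len), rng_(master_key) {
        for (int i = 0; i < KEYS; ++i) {
            keys_[i] = next_key(rng_);
            expected_[i] = poly_checksum(base, len, keys_[i]);
        }
    }
    bool check() {
        int idx = (int)(next_key(rng_) % KEYS);   // which key this round uses
        ++rounds_;
        return poly_checksum(base_, len_, keys_[idx]) == expected_[idx];
    }
    int rounds() const { return rounds_; }
private:
    const uint8_t* base_;
    size_t len_;
    uint64_t rng_;
    std::array<uint64_t, KEYS> keys_{}, expected_{};
    int rounds_ = 0;
};

// Constructed stand-in for an executable section: pristine rounds pass, a
// single-bit patch is caught on the next round, and restoring the byte
// (the "self-healing" step) makes the checks pass again.
bool demo_tamper_detection() {
    std::vector<uint8_t> section(4096);
    for (size_t i = 0; i < section.size(); ++i) section[i] = (uint8_t)(i * 31 + 7);
    SectionMonitor mon(section.data(), section.size(), 0x5EEDULL);  // constructed master key
    for (int r = 0; r < 16; ++r)
        if (!mon.check()) return false;
    section[100] ^= 0x01;            // one flipped bit somewhere in the section
    bool caught = !mon.check();      // must be detected on the very next round
    section[100] ^= 0x01;            // restore
    return caught && mon.check() && mon.rounds() == 18;
}
```

The monitor keeps the expected values in memory, so in a real build those (and the key schedule state) are exactly what the stub encryption and the VM are there to hide; the checksum alone only tells you the bytes changed, not that nobody found the table.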

building

needs cmake 3.20+ and MSVC (VS2022). x64 only for now.

cmake -B build -G "Visual Studio 17 2022" -A x64
cmake --build build --config Release

lib goes to build/Release/pickle_protect.lib, demo exe next to it.

usage

#include <windows.h>          // GetModuleHandleA
#include "pickle/protect.h"
using namespace pickle;

ProtectionConfig cfg{};
cfg.vm_complexity = 7;
cfg.anti_debug = true;        // turn off while developing (see notes)
cfg.anti_tamper = true;

auto& eng = ProtectionEngine::instance();
eng.configure(cfg);
eng.protect_module(GetModuleHandleA(nullptr));   // nullptr = the calling exe
eng.start_monitoring();                           // begins the runtime checks

mark code with the macros:

PICKLE_PROTECT_BEGIN
// this code gets integrity-monitored
PICKLE_PROTECT_END

PICKLE_VM_BEGIN
// this code gets virtualized
PICKLE_VM_END

project layout

include/pickle/   headers
src/vm/           virtual machine core + handler table + virtualizer
src/antidebug/    debugger/vm/sandbox detection
src/antitamper/   section checksums, hook detection, self-healing
src/obfuscation/  mutator, CFF, opaque predicates, string encryption
src/crypto/       keccak-f[1600], sponge cipher, stub encryption, PRNG
src/engine/       top-level protection engine, packer, marker scanner
demo/             example usage

notes

  • the anti-debug will trip if you run from certain IDEs or under a debugger (obviously). disable cfg.anti_debug during development
  • timing threshold is tuned for ~3GHz+ CPUs. if you're getting false positives on slower hardware bump m_timing_threshold in detect.cpp
  • the VM opcodes are randomized per-build via the master key. two builds with different keys produce incompatible bytecode
  • keccak implementation is the full 24-round f[1600] permutation, not a reduced variant
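To make the duplex sponge item in the feature list and the 24-round f[1600] note concrete, here is an added example (not the project's src/crypto code): a full Keccak-f[1600] permutation, checked against the known first lane of the permuted all-zero state, plus a small duplex mode that uses the rate bytes as keystream and feeds the ciphertext back into the state so that the squeezed tag also detects modification of the ciphertext. The 136-byte rate, the 48-byte key||nonce absorption, the pad10*1 placement and the 16-byte tag are choices made for this example, not the project's stub format.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Keccak-f[1600] round constants and per-lane rotation offsets (FIPS 202).
static const uint64_t RC[24] = {
    0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL,
    0x8000000080008000ULL, 0x000000000000808bULL, 0x0000000080000001ULL,
    0x8000000080008081ULL, 0x8000000000008009ULL, 0x000000000000008aULL,
    0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
    0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL,
    0x8000000000008003ULL, 0x8000000000008002ULL, 0x8000000000000080ULL,
    0x000000000000800aULL, 0x800000008000000aULL, 0x8000000080008081ULL,
    0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL};
static const int ROT[25] = {0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43,
                            25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14};

static inline uint64_t rotl64(uint64_t v, int n) {
    return n == 0 ? v : (v << n) | (v >> (64 - n));
}

// Full 24-round permutation on 25 lanes (lane index = x + 5*y).
static void keccak_f1600(uint64_t s[25]) {
    for (int rnd = 0; rnd < 24; ++rnd) {
        uint64_t c[5], d[5], b[25];
        for (int x = 0; x < 5; ++x)                                   // theta
            c[x] = s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20];
        for (int x = 0; x < 5; ++x) d[x] = c[(x + 4) % 5] ^ rotl64(c[(x + 1) % 5], 1);
        for (int i = 0; i < 25; ++i) s[i] ^= d[i % 5];
        for (int x = 0; x < 5; ++x)                                   // rho + pi
            for (int y = 0; y < 5; ++y)
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rotl64(s[x + 5 * y], ROT[x + 5 * y]);
        for (int y = 0; y < 5; ++y)                                   // chi
            for (int x = 0; x < 5; ++x)
                s[x + 5 * y] = b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y]);
        s[0] ^= RC[rnd];                                              // iota
    }
}

// Known-answer check: lane 0 after permuting the all-zero state.
uint64_t keccak_kat_lane0() {
    uint64_t s[25] = {};
    keccak_f1600(s);
    return s[0];   // 0xF1258F7940E1DDE7 per the Keccak reference test vectors
}

// Minimal duplex object: each call absorbs one block into the rate part of
// the state, permutes, and the new rate bytes become the next output.
struct Duplex {
    static constexpr size_t RATE = 136;            // 1600 - 512 bits of capacity
    uint64_t s[25] = {};
    uint8_t byte(size_t i) const { return (uint8_t)(s[i / 8] >> (8 * (i % 8))); }
    void xorbyte(size_t i, uint8_t v) { s[i / 8] ^= (uint64_t)v << (8 * (i % 8)); }
    void absorb(const uint8_t* in, size_t n) {     // requires n < RATE
        for (size_t i = 0; i < n; ++i) xorbyte(i, in[i]);
        xorbyte(n, 0x01); xorbyte(RATE - 1, 0x80);  // pad10*1, kept inside the rate
        keccak_f1600(s);
    }
};

// Encrypt (encrypt=true) or decrypt (false) `data` in place under a 32-byte key
// and 16-byte nonce; returns a 16-byte tag. Both directions absorb the
// ciphertext block, so their states (and tags) agree only if it was not changed.
std::vector<uint8_t> duplex_crypt(const uint8_t key[32], const uint8_t nonce[16],
                                  std::vector<uint8_t>& data, bool encrypt) {
    Duplex d;
    uint8_t kn[48];
    memcpy(kn, key, 32); memcpy(kn + 32, nonce, 16);
    d.absorb(kn, 48);                                // keyed initial state
    constexpr size_t BLK = Duplex::RATE - 1;         // leaves room for the pad byte
    for (size_t off = 0; off < data.size(); off += BLK) {
        size_t n = std::min(BLK, data.size() - off);
        uint8_t fb[BLK];
        for (size_t i = 0; i < n; ++i) {
            uint8_t out = data[off + i] ^ d.byte(i);  // rate bytes act as keystream
            fb[i] = encrypt ? out : data[off + i];    // feed back the ciphertext byte
            data[off + i] = out;
        }
        d.absorb(fb, n);
    }
    std::vector<uint8_t> tag(16);
    for (size_t i = 0; i < 16; ++i) tag[i] = d.byte(i);
    return tag;
}

// Round trip on a constructed 300-byte message (spans three blocks); a flipped
// ciphertext byte must produce a different tag on decryption.
bool demo_duplex() {
    uint8_t key[32], nonce[16];
    for (int i = 0; i < 32; ++i) key[i] = (uint8_t)(i * 7 + 3);     // constructed key
    for (int i = 0; i < 16; ++i) nonce[i] = (uint8_t)(0xA0 + i);     // constructed nonce
    std::vector<uint8_t> msg(300);
    for (size_t i = 0; i < msg.size(); ++i) msg[i] = (uint8_t)i;
    std::vector<uint8_t> buf = msg;
    std::vector<uint8_t> tag = duplex_crypt(key, nonce, buf, true);
    if (buf == msg) return false;
    std::vector<uint8_t> tampered = buf; tampered[10] ^= 0x80;
    std::vector<uint8_t> tag_bad = duplex_crypt(key, nonce, tampered, false);
    std::vector<uint8_t> tag_ok = duplex_crypt(key, nonce, buf, false);
    return buf == msg && tag == tag_ok && tag != tag_bad;
}
```

The tag comparison in a real decryptor has to be constant-time, and a nonce must never repeat under one key: with the same key||nonce the first keystream block is identical, which is the usual stream-cipher failure regardless of how many permutation rounds sit behind it.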

license

do whatever you want with it. no warranty.
