scc-tw/VMPilot
GitHub: scc-tw/VMPilot
VMPilot is a modern C++ virtual-machine protection framework: it virtualizes critical code inside a custom VM execution environment to resist reverse engineering and cracking.
# VMPilot: A Modern C++ Virtual Machine Protection Framework
VMPilot is an advanced virtual-machine protection framework implemented in C++. **Secure by design**, VMPilot is built to protect your software from reverse engineering. It offers seamless integration into your project and ease of use, setting a new standard for software protection.
Unlike traditional black-box solutions, VMPilot is built with transparency in mind: its internals are easy to understand yet hard to break. By combining modern cryptography with obfuscation techniques, your software is shielded against potential attacks. Even with the computing power of a supercomputer, cracking VMPilot in parallel remains a formidable challenge.
## Usage
```
#include <vmpilot/vmpilot.h>  // placeholder path: the header name did not survive on this page
template <typename T>
T square(T x) {
    VMPilot_Begin(__FUNCTION__);   // marks the start of the protected region
    auto result = x * x;
    VMPilot_End(__FUNCTION__);     // marks the end of the protected region
    return result;
}
```
Output:
```
square:
    push rbp
    call _Z13VMPilot_BeginPKc ; VMPilot_Begin(__FUNCTION__);
    ... garbage code ...
    ... garbage code ...
    ... garbage code ...
    call _Z11VMPilot_EndPKc ; VMPilot_End(__FUNCTION__);
    pop rbp
    ret
```
### Important: compiler optimisations and protected regions
At `-O2`/`-O3` the compiler may **reorder pure arithmetic** across the `VMPilot_Begin`/`VMPilot_End` boundary, moving the computation out of the protected region. The markers are opaque function calls and act as side-effect barriers, but the compiler is free to schedule any instruction that has no data dependency on those calls.

To make sure all intended code stays inside the protected region, add a compiler barrier:
```
template <typename T>
T square(T x) {
    VMPilot_Begin(__FUNCTION__);
    asm volatile("" ::: "memory"); // GCC/Clang: prevent reordering across the marker
    auto result = x * x;
    asm volatile("" ::: "memory");
    VMPilot_End(__FUNCTION__);
    return result;
}
```
On MSVC, `_ReadWriteBarrier()` achieves the same effect.

Additionally, mark protected functions with `__attribute__((noinline))` (GCC/Clang) or `__declspec(noinline)` (MSVC) so the compiler does not inline them into their callers, which would create nested marker pairs.
## Architecture
VMPilot has five main components: **Frontend** (binary analysis), **Backend** (compilation), **Serializer** (persistence), **Linker** (binary patching) and **Runtime** (VM execution engine).
### Frontend (binary analysis)
```
binary (ELF / PE / Mach-O)
|
v
Segmentator::segment() -- find VMPilot_Begin/End markers, extract regions
|
v
RegionRefiner::refine/group() -- deduplicate, handle inlining, detect canonical copies
|
v
ReferenceAnalyzer -- detect data refs (globals, TLS, GOT, atomics, jump tables)
|
v
CompilationUnit[] -- ready for compilation
```
### Backend (compilation)
```
CompilationUnit[]
|
v
CompilationOrchestrator -- parallel compilation via work-stealing thread pool
| CompilerBackend::compile_unit() (pluggable: SimpleBackend, future LLVM)
v
CompilationResult -- bytecodes + diagnostics
```
### Serializer
```
CompilationUnit[] / CompilationContext
|
v
Serializer::build_units() -- convert segmentation results to CompilationUnits
|
+-> Serializer::dump/load() -- round-trip to TOML manifest + binary format
```
### Runtime VM
```
VM Bytecode Blob
|
v
VmEngine::create() -- blob validation, key derivation, state init
|
v
dispatch_unit() pipeline -- fixed-width N sub-instructions per dispatch unit
| fetch, decrypt (SipHash), decode (two-layer PRP)
| ORAM scan (branchless) + handler dispatch (55 opcodes)
| branchless FPE encode (Speck64/128 XEX mode)
| BLAKE3 fingerprint + key ratchet (entangled)
| 16-register re-encode, stack hygiene
| enc_state advance (8-byte full-instruction ratchet)
| branchless BB MAC verification + transition MUX
v
VmExecResult -- decoded return value
```
### Linker (binary patching)
```
Original Binary + VM Bytecode Blob
|
v
BinaryEditor -- CRTP + std::variant dispatch
| ELFEditor / PEEditor / MachOEditor
v
StubEmitter -- emit entry/exit stubs per architecture
| X86_64 / ARM64 / X86_32
v
PayloadBuilder -- assemble final protected binary
|
v
Protected Binary
```
### Supported platforms
| Format | Architecture | Frontend | Linker | Runtime |
|--------|--------------|----------|--------|---------|
| ELF | x86-64 | Yes | Yes | Yes |
| ELF | x86-32 | Yes | Yes | Yes |
| ELF | ARM64 | Yes | Yes | Yes |
| PE | x86-64 | Yes | Yes | Yes |
| PE | x86-32 | Yes | Yes | Yes |
| Mach-O | ARM64 | Yes | Yes | Yes |
## Security model
The Runtime VM implements **forward secrecy** with a **rolling state ratchet** and **timing normalisation**:
- **Per-instruction FPE encoding** -- registers are encrypted with Speck64/128 in XEX mode; the key is ratcheted on every instruction via `BLAKE3_KEYED(key, opcode || register_fingerprint)`
- **8-byte full-instruction ratchet** -- all 8 bytes of the decrypted instruction drive the enc_state SipHash chain; any decryption error cascades into every subsequent instruction
- **BB chain evolution** -- a one-way BLAKE3 chain state updated at every basic-block transition; leaking the current state reveals nothing about past states (preimage resistance >= 2^256)
- **Eager re-encode** -- all 16 registers are re-encoded at every BB transition; dead registers are scrubbed to `Enc(K_new, 0)` so fingerprints do not desynchronise at path merges
- **Branchless execution** -- FPE encoding, BB transitions and ORAM scans use bitwise MUXes to prevent timing side channels
- **Stack hygiene** -- all intermediate key material is zeroed after use via `secure_zero()`
- **ORAM strategies** -- `RollingKeyOram` (full IND-CPA security) and `DirectOram` (fast testing), chosen by a compile-time policy
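The following is an added example, not VMPilot's own code, that models the per-register FPE layer and the eager re-encode step described above. Speck64/128 is implemented per its published specification (27 rounds, alpha = 8, beta = 3) and checked against the paper's test vector; everything else is a deliberately simplified assumption: the XEX wrapper uses the register index as the tweak, the key ratchet uses the block cipher as its PRF where the engine uses `BLAKE3_KEYED`, the register fingerprint is a rotate-XOR fold, and the re-encode uses a plain ternary where the engine uses a branchless MUX. Names such as `fpe_encode`, `ratchet_key`, `reencode_all` and `forward_secrecy_demo` are this example's own.

```cpp
// Added example, not VMPilot's own code: a model of the register-encoding
// layer from the security model. Speck64/128 follows the published spec; the
// XEX wrapper, the ratchet PRF (the cipher stands in for BLAKE3_KEYED), the
// fingerprint and the register file are simplified assumptions.
#include <array>
#include <cstdint>
using u32 = std::uint32_t;
using u64 = std::uint64_t;
constexpr int SPECK_ROUNDS = 27;                  // Speck64/128: 27 rounds
constexpr int NUM_REGS = 16;                      // VM register file size
using Key128 = std::array<u32, 4>;                // key words, [0] = lowest
using RoundKeys = std::array<u32, SPECK_ROUNDS>;
inline u32 rotr(u32 x, int r) { return (x >> r) | (x << (32 - r)); }
inline u32 rotl(u32 x, int r) { return (x << r) | (x >> (32 - r)); }

// Speck64/128 key schedule (alpha = 8, beta = 3, four key words).
RoundKeys speck_expand(const Key128& key) {
    RoundKeys rk{};
    u32 k = key[0], l[3] = {key[1], key[2], key[3]};
    for (int i = 0; i < SPECK_ROUNDS; ++i) {
        rk[i] = k;
        u32& li = l[i % 3];
        li = (k + rotr(li, 8)) ^ static_cast<u32>(i);
        k = rotl(k, 3) ^ li;
    }
    return rk;
}
// One 64-bit block; x is the high word, y the low word.
u64 speck_encrypt(const RoundKeys& rk, u64 block) {
    u32 x = static_cast<u32>(block >> 32), y = static_cast<u32>(block);
    for (u32 k : rk) { x = (rotr(x, 8) + y) ^ k; y = rotl(y, 3) ^ x; }
    return (static_cast<u64>(x) << 32) | y;
}
u64 speck_decrypt(const RoundKeys& rk, u64 block) {
    u32 x = static_cast<u32>(block >> 32), y = static_cast<u32>(block);
    for (int i = SPECK_ROUNDS - 1; i >= 0; --i) {
        y = rotr(y ^ x, 3);
        x = rotl((x ^ rk[i]) - y, 8);
    }
    return (static_cast<u64>(x) << 32) | y;
}
// XEX-style tweakable encoding: mask = E_K(tweak), C = E_K(P ^ mask) ^ mask.
// The register index is the tweak, so equal values in two registers differ.
u64 fpe_encode(const RoundKeys& rk, u64 tweak, u64 plain) {
    const u64 mask = speck_encrypt(rk, tweak);
    return speck_encrypt(rk, plain ^ mask) ^ mask;
}
u64 fpe_decode(const RoundKeys& rk, u64 tweak, u64 cipher) {
    const u64 mask = speck_encrypt(rk, tweak);
    return speck_decrypt(rk, cipher ^ mask) ^ mask;
}
struct RegisterFile {
    Key128 key{};                        // current K in Enc(K, v)
    std::array<u64, NUM_REGS> enc{};     // FPE-encoded contents
    std::array<bool, NUM_REGS> live{};   // liveness mask from the compiler
};
void write_reg(RegisterFile& rf, int r, u64 v) {
    rf.enc[r] = fpe_encode(speck_expand(rf.key), r, v);
    rf.live[r] = true;
}
u64 read_reg(const RegisterFile& rf, int r) {
    return fpe_decode(speck_expand(rf.key), r, rf.enc[r]);
}
// Stand-in fingerprint over the encoded registers (the engine uses BLAKE3).
u64 register_fingerprint(const RegisterFile& rf) {
    u64 f = 0;
    for (u64 c : rf.enc) f = ((f << 7) | (f >> 57)) ^ c;
    return f;
}
// Key ratchet K_new = PRF_K(opcode || fingerprint): a PRF output does not
// expose K, so a captured K_new says nothing about earlier states.
Key128 ratchet_key(const Key128& key, u32 opcode, u64 fingerprint) {
    const RoundKeys rk = speck_expand(key);
    const u64 in = fingerprint ^ (static_cast<u64>(opcode) << 56);
    const u64 b0 = speck_encrypt(rk, in);
    const u64 b1 = speck_encrypt(rk, in ^ b0);   // second block, chained
    return {static_cast<u32>(b0), static_cast<u32>(b0 >> 32),
            static_cast<u32>(b1), static_cast<u32>(b1 >> 32)};
}
// Eager re-encode at a BB transition: live registers move to K_new, dead ones
// are scrubbed to Enc(K_new, 0). (The engine does this with a branchless MUX;
// the ternary here is not constant-time.)
void reencode_all(RegisterFile& rf, const Key128& new_key) {
    const RoundKeys old_rk = speck_expand(rf.key), new_rk = speck_expand(new_key);
    for (int r = 0; r < NUM_REGS; ++r) {
        const u64 v = rf.live[r] ? fpe_decode(old_rk, r, rf.enc[r]) : 0;
        rf.enc[r] = fpe_encode(new_rk, r, v);
    }
    rf.key = new_key;   // the engine would secure_zero() old_rk here
}
// Scenario: two live registers survive a ratchet, a dead one reads as 0, and
// the pre-ratchet key no longer decodes the post-ratchet ciphertext.
bool forward_secrecy_demo() {
    RegisterFile rf;
    rf.key = {0x03020100u, 0x0b0a0908u, 0x13121110u, 0x1b1a1918u};  // constructed key
    write_reg(rf, 3, 0xdeadbeefULL); write_reg(rf, 5, 42);
    const Key128 k_old = rf.key;
    reencode_all(rf, ratchet_key(rf.key, 0x10, register_fingerprint(rf)));
    return rf.key != k_old && read_reg(rf, 3) == 0xdeadbeefULL && read_reg(rf, 5) == 42
        && read_reg(rf, 0) == 0 && fpe_decode(speck_expand(k_old), 3, rf.enc[3]) != 0xdeadbeefULL;
}
```

`forward_secrecy_demo()` exercises the three properties the bullets claim: live registers survive a key ratchet, a dead register reads back as `Enc(K_new, 0)`, and the previous key no longer decodes anything written after the transition. The model omits the SipHash enc_state chain and the BB MAC, which sit on top of this layer.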
## Dependencies
- [CMake](https://cmake.org/download/) 3.20+
- A C++17 compiler (GCC 14+, Clang 18+, MSVC 2022+, Apple Clang)
- [Ninja](https://github.com/ninja-build/ninja) (required on Linux/macOS; not needed for the Windows `*-win` presets)
### Third-party libraries
| Library | Type | Purpose |
|---------|------|---------|
| [Botan](https://github.com/randombit/botan) | submodule | Crypto backend (AES, SHA-256) |
| [BLAKE3](https://github.com/BLAKE3-team/BLAKE3) | submodule | Keyed hashing, key derivation |
| [capstone](https://github.com/capstone-engine/capstone) | submodule | Multi-architecture disassembly |
| [tl::expected](https://github.com/TartanLlama/expected) | submodule | Error handling (C++17 backport) |
| [elfio-modern](https://github.com/scc-tw/elfio-modern) | submodule | ELF binary parsing |
| [coffi-modern](https://github.com/scc-tw/coffi-modern) | submodule | PE/COFF binary parsing |
| [spdlog](https://github.com/gabime/spdlog) | CPM | Logging |
| [toml++](https://github.com/marzer/tomlplusplus) | CPM | Manifest format |
| [GoogleTest](https://github.com/google/googletest) | FetchContent | Tests (development only) |
## Building
### Using CMake presets (recommended)
```
git submodule update --init --recursive
# Development (Debug + tests + ASan/UBSan)
cmake --preset dev
cmake --build --preset dev
ctest --preset dev
# Release (optimised + LTO)
cmake --preset release
cmake --build --preset release
# Other presets: reldbg, minsize, ci
cmake --list-presets # show all available presets
```
### Windows (Visual Studio)
```
git submodule update --init --recursive
cmake --preset dev-win
cmake --build --preset dev-win --parallel
ctest --preset dev-win
# Other presets: release-win, ci-win
```
### Manual build (without presets)
```
git submodule update --init --recursive
cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=Debug -DVMPILOT_ENABLE_TESTS=ON -DVMPILOT_ENABLE_SANITIZERS=ON
ninja -C build
ctest --test-dir build --output-on-failure
```
### CMake options
| Option | Default | Description |
|--------|---------|-------------|
| `VMPILOT_ENABLE_TESTS` | OFF | Build the test targets |
| `VMPILOT_ENABLE_SANITIZERS` | OFF | Enable ASan + UBSan on first-party targets |
| `VMPILOT_ENABLE_LTO` | OFF | Link-time optimisation |
## Project structure
```
CMakeLists.txt                     Root build (includes cmake/ modules)
CMakePresets.json                  Preset configurations (dev, release, ci, ...)
cmake/
  Options.cmake                    Build type default, feature toggles
  CompilerWarnings.cmake           vmpilot_options INTERFACE (C++17, warnings)
  Sanitizers.cmake                 vmpilot_sanitizer INTERFACE (ASan+UBsan)
  LTO.cmake                        Link-time optimisation
  Dependencies.cmake               CPM packages, GoogleTest
  CPM.cmake                        CPM v0.42.1 bootstrap
  SuppressThirdPartyWarnings.cmake Per-target warning suppression
common/
  include/
    core/
      CompilationContext.hpp       Shared compilation context (arch, mode, sections)
      CompilationUnit.hpp          In-memory compilation unit
      DataReference.hpp            Data/TLS/GOT/atomic reference descriptor
      Section.hpp                  Unified binary section abstraction
      NativeSymbolTable.hpp        Symbol table entry + lookup
      ArchEnum.hpp                 Architecture enumeration
      ModeEnum.hpp                 Sub-architecture mode enumeration
      diagnostic.hpp               Diagnostic codes and severity levels
      diagnostic_collector.hpp     Thread-safe diagnostic collection
      thread_pool.hpp              Work-stealing thread pool
    vm/
      vm_context.hpp               BBMetadata, EpochCheckpoint, constants
      vm_blob.hpp                  Bytecode blob format and validation
      vm_insn.hpp                  Instruction encoding (8-byte packed)
      vm_opcode.hpp                55 VM opcodes across 8 categories
      vm_crypto.hpp                BLAKE3 keyed hashing, SipHash
      vm_encoding.hpp              Per-BB LUT derivation, RE_TABLE
      encoded_value.hpp            Phantom types: Encoded
      blob_view.hpp                Type-safe non-owning blob access
      speck64.hpp                  Speck64/128 block cipher (27 rounds)
      xex_speck64.hpp              XEX tweakable mode, FPE_Encode/Decode
      secure_zero.hpp              explicit_bzero + SecureLocal RAII
      hardware_rng.hpp             RDRAND / RNDR / fallback RNG
  src/
    vm/vm_crypto.cpp               blake3_keyed_128, blake3_keyed_fingerprint
    vm/vm_encoding.cpp             derive_register_tables, derive_re_tables
    vm/hardware_rng_{linux,darwin,windows}.cpp
    crypto/                        Botan/OpenSSL backend + BLAKE3
frontend/
  include/
    segmentator/                   Binary parsing, region extraction
    region_refiner/                Dedup, inline grouping, canonical detection
    reference_analyzer/            Data/TLS/GOT/atomic reference detection
    arch_handler/                  X86 + ARM64 disassembly traits
    capstone_wrapper/              C++ wrapper around capstone
    file_handler/                  ELF/PE/Mach-O file handlers
  src/
    segmentator/                   HandlerRegistry, segmentator
    reference_analyzer/            SymExpr, MemoryModel, layers, traits
    capstone_wrapper/              capstone C++ bindings
    region_refiner/                RegionRefiner
    arch_handler/                  X86Handler, ARM64Handler
    file_handler/                  ELFHandler, PEHandler, MachOHandler
  tests/                           25 test binaries
backend/
  include/
    bytecode_compiler/             CompilationOrchestrator, pluggable backends
  src/
    bytecode_compiler/             CompilationOrchestrator, compile pipeline
  tools/
    dump_regions                   Show segmentation groups and sites
    dump_compile                   Full pipeline dump
    verify_roundtrip               Serializer round-trip verification
  tests/                           6 test binaries
serializer/
  include/
    serializer/                    SerializationTraits, Serializer
  src/
    serializer/                    Binary serialization, TOML manifest
  tests/                           1 test binary
runtime/
  include/
    vm_engine.hpp                  VmEngine — dispatch_unit pipeline
    vm_state.hpp                   4-way state split: Immutable/Execution/Epoch/Oram
    vm_policy.hpp                  DebugPolicy, StandardPolicy, HighSecPolicy
    handler_impls.hpp              55 opcode handlers via HandlerTraits
    handler_traits.hpp             CRTP handler dispatch + compile-time table
    pipeline.hpp                   fetch/decrypt/decode, enter_basic_block, verify_mac
    oram_strategy.hpp              RollingKeyOram, DirectOram
    platform_call.hpp              PlatformCallDesc, ABI classification
    decoded_insn.hpp               Decoded instruction with plaintext operands
    vm_runner.hpp                  VmRunner factory + StepController
    blob_builder.hpp               Unified blob construction (FPE-encoded)
  src/
    vm_engine.cpp                  execute_one_instruction + dispatch_unit + execute
    pipeline.cpp                   enter_basic_block (FPE re-encode + chain evolution)
    oram_strategies.cpp            ORAM access (branchless read+write)
    classify_args.cpp              ABI argument classification
    tls_helpers.cpp                Thread-local storage access
    platform_call_*.S/.asm         Platform ASM trampolines
  test/
    unit/                          Crypto primitives, blob view, ORAM, state types, pipeline
    opcode/                        Per-opcode correctness (data movement, arithmetic, logic,
                                   comparison/branch, width extension, control flow)
    integration/                   CFG patterns, native call, policy matrix, VmRunner
    security/                      Encryption chain, forward secrecy, timing invariants,
                                   MAC integrity, execution independence
    robustness/                    Error paths, boundary values, stack limits
    concurrency/                   Parallel engines, reentrancy
    platform/                      TLS helpers
  example/
    hello_world.cpp                NATIVE_CALL to puts()
    arithmetic.cpp                 ADD/SUB/MUL/DIV
    verify_signature.cpp           BLAKE3-KEYED MAC verification
    snake.cpp                      2D terminal game (step() cooperative loop)
linker/
  include/
    BinaryEditor.hpp               Abstract base (CRTP)
    editor_base.hpp                CRTP dispatch helpers
    ELFEditor.hpp                  ELF section extension, segment manipulation
    PEEditor.hpp                   PE section injection
    MachOEditor.hpp                Mach-O load command editing
    StubEmitter.hpp                Architecture-dispatched stub generation
    PayloadBuilder.hpp             Bytecode blob + stub assembly
    fallback_chain.hpp             FallbackChain for dep resolution
    strategies/
      elf_dep_strategies.hpp       RPATH, RUNPATH, LD_LIBRARY_PATH
      pe_dep_strategies.hpp        SxS manifest, PATH, app-local
      macho_dep_strategies.hpp     @rpath, @loader_path, install_name_tool
  src/
    ELFEditor.cpp, PEEditor.cpp, MachOEditor.cpp
    StubEmitter.cpp, X86_64StubEmitter.cpp, ARM64StubEmitter.cpp, X86_32StubEmitter.cpp
    PayloadBuilder.cpp, BinaryEditor.cpp, Loader.cpp
    strategies/
      elf_dep_strategies.cpp, pe_dep_strategies.cpp, macho_dep_strategies.cpp
  tests/                           Handover, patch E2E, editor permissions
third_party/                       Git submodules
  capstone/                        Disassembly engine
  expected/                        tl::expected (C++17 backport)
  BLAKE3/                          Keyed hashing, key derivation
  coffi-modern/                    PE/COFF parsing
  elfio-modern/                    ELF parsing
```
## CI
| Compiler | Status |
|----------|--------|
| MSVC 2022 | [workflow](https://github.com/scc-tw/VMPilot/actions/workflows/msvc.yml) |
| GCC 14 | [workflow](https://github.com/scc-tw/VMPilot/actions/workflows/gcc.yml) |
| Clang 18 | [workflow](https://github.com/scc-tw/VMPilot/actions/workflows/clang.yml) |
| Apple Clang | [workflow](https://github.com/scc-tw/VMPilot/actions/workflows/apple-clang.yml) |
## Roadmap
### Completed
- [x] **Frontend** -- ELF, PE, Mach-O parsing; x86, x86-64, ARM64 disassembly; VMPilot_Begin/End marker detection; region refinement; reference analysis (globals, rodata, TLS, GOT/IAT, atomics, jump tables)
- [x] **Serializer** -- TOML manifest, `SerializationTraits`, round-trip dump/load, custom binary format
- [x] **Backend** -- work-stealing thread pool, pluggable `CompilerBackend` interface, SimpleBackend stub
- [x] **Unified diagnostics** -- `DiagnosticCollector` with thread-safe collection, `DiagnosticCode` enum, summary reports
- [x] **Linker** -- ELF/PE/Mach-O editors with CRTP dispatch, stub emitters (x86-64, ARM64, x86-32), PayloadBuilder, FallbackChain dependency strategies
- [x] **Runtime VM** -- forward-secrecy engine: Speck-FPE register encoding, BLAKE3 key ratchet, 55 opcodes, branchless dispatch units, ORAM strategies, platform ASM trampolines (SysV x64, Win64, AAPCS64, cdecl/stdcall)
- [x] **CI/CD** -- MSVC, GCC, Clang, Apple Clang on GitHub Actions
- [x] **Modern CMake** -- presets, modular cmake/ includes, per-target sanitizers, CPM 0.42.1
### In progress
- [ ] **LLVM Backend** -- replace the SimpleBackend stub with a native-to-VM-bytecode translator (lift, normalise, transform, emit)
### Planned
- [ ] **SAVE_EPOCH/RESYNC v2** -- ChaCha20-Poly1305 AEAD for snapshot integrity (requires hardware-bound keys or accepting MATE limitations)
## Documentation
See the [wiki](/wiki) for more information.
## Architecture (overview diagram)
```mermaid
flowchart TB
    subgraph Input
        BIN["Binary<br/>(ELF / PE / Mach-O)"]
    end
    subgraph Frontend["Frontend (binary analysis)"]
        direction TB
        SEG["Segmentator<br/>parse binary, find markers,<br/>extract protected regions"]
        REF["RegionRefiner<br/>deduplicate, handle inlining,<br/>detect canonical copies"]
        REFA["ReferenceAnalyzer<br/>globals, rodata, TLS, GOT/IAT,<br/>atomics, jump tables"]
        SEG --> REF --> REFA
    end
    subgraph Serializer["Serializer"]
        SER["Serializer<br/>build_units(), dump/load,<br/>TOML manifest"]
    end
    subgraph Backend["Backend (compilation)"]
        direction TB
        ORCH["CompilationOrchestrator<br/>thread pool parallel dispatch"]
        subgraph Future["LLVM Backend (planned)"]
            LIFT["Lifting<br/>native -> LLVM IR"]
            NORM["Normalization<br/>flag simplify, const fold"]
            XFORM["Transform<br/>virtualize to VM opcodes"]
            XEMIT["Emit<br/>bytecode + junk + variants"]
            LIFT --> NORM --> XFORM --> XEMIT
        end
        ORCH --> Future
    end
    subgraph Linker["Linker (binary patching)"]
        EDIT["BinaryEditor<br/>ELF / PE / Mach-O<br/>CRTP + variant dispatch"]
        STUB["StubEmitter<br/>x86-64, ARM64, x86-32<br/>entry/exit stubs"]
        PAY["PayloadBuilder<br/>assemble final binary"]
        EDIT --> STUB --> PAY
    end
    subgraph Runtime["Runtime VM"]
        ENG["VmEngine<Policy, Oram><br/>dispatch_unit pipeline"]
        FPE["Speck-FPE Encoding<br/>per-instruction key ratchet<br/>XEX tweakable mode"]
        HAND["55 Opcode Handlers<br/>data, arith, logic, compare,<br/>control, width, atomic"]
        BRIDGE["Native Bridge<br/>platform ASM trampolines<br/>SysV/Win64/AAPCS64"]
        CHAIN["Forward Secrecy<br/>BLAKE3 chain evolution<br/>branchless BB transition"]
        ENG --> FPE --> HAND --> BRIDGE
        ENG --> CHAIN
    end
    BIN --> SEG
    REFA --> SER
    SER --> ORCH
    XEMIT --> BLOB["VM Bytecode Blob"]
    BLOB --> EDIT
    PAY --> FINAL["Protected Binary"]
    BLOB --> ENG
    subgraph Common["common/"]
        CORE["Core Types<br/>CompilationUnit, Section,<br/>DataReference"]
        DIAG["DiagnosticCollector"]
        POOL["ThreadPool"]
        CRYPTO["Crypto<br/>BLAKE3, Speck64/128,<br/>SipHash, secure_zero"]
    end
    ORCH -.-> POOL
    SEG -.-> DIAG
    FPE -.-> CRYPTO
    REFA -.-> CORE
```