Forked from: github.com/burrowers/garble

golang binary build code-obfuscator obfuscation

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Daniel Martí 1db6e1e230 make -coverprofile include toolexec processes (#216 ) testscript already included magic to also account for commands in the total code coverage. That does not happen with plain tests, since those only include coverage from the main test process. The main problem was that, before, indirectly executed commands did not properly save their coverage profile anywhere for testscript to collect it at the end. In other words, we only collected coverage from direct garble executions like "garble -help", but not indirect ones like "go build -toolexec=garble". $ go test -coverprofile=cover.out PASS coverage: 3.6% of statements total coverage: 16.6% of statements ok mvdan.cc/garble 6.453s After the delicate changes to testscript, any direct or indirect executions of commands all go through $PATH and properly count towards the total coverage: $ go test -coverprofile=cover.out PASS coverage: 3.6% of statements total coverage: 90.5% of statements ok mvdan.cc/garble 33.258s Note that we can also get rid of our code to set up $PATH, since testscript now does it for us. goversion.txt needed minor tweaks, since we no longer set up $WORK/.bin. Finally, note that we disable the reuse of $GOCACHE when collecting coverage information. This is to do "full builds", as otherwise the cached package builds would result in lower coverage. Fixes #35.		4 years ago
.github	CI: comment out test-gotip for now (#157 )	5 years ago
internal	if the seed is random and the build fails, print the seed (#213 )	4 years ago
scripts	obfuscate fewer std packages (#196 )	4 years ago
testdata	make -coverprofile include toolexec processes (#216 )	4 years ago
.gitattributes	start testing on GitHub Actions	5 years ago
.gitignore	skip literals used in constant expressions	5 years ago
AUTHORS	set up an AUTHORS file to attribute copyright	5 years ago
CONTRIBUTING.md	CONTRIBUTING: include some basic terminology (#188 )	5 years ago
LICENSE	set up an AUTHORS file to attribute copyright	5 years ago
README.md	Document reflect.TypeOf hint (#211 )	4 years ago
bench_test.go	set up an AUTHORS file to attribute copyright	5 years ago
go.mod	make -coverprofile include toolexec processes (#216 )	4 years ago
go.sum	make -coverprofile include toolexec processes (#216 )	4 years ago
hash.go	fix garbling names belonging to indirect imports (#203 )	4 years ago
import_obfuscation.go	all: use better names than "blacklist", and docs (#206 )	4 years ago
line_obfuscator.go	rewrite go:linkname directives with garbled names (#200 )	4 years ago
main.go	if the seed is random and the build fails, print the seed (#213 )	4 years ago
main_test.go	make -coverprofile include toolexec processes (#216 )	4 years ago
runtime_strip.go	Replaced asthelper.Ident with ast.NewIdent	5 years ago
shared.go	fix garbling names belonging to indirect imports (#203 )	4 years ago

README.md

garble

GO111MODULE=on go get mvdan.cc/garble

Obfuscate Go code by wrapping the Go toolchain. Requires Go 1.15 or later, since Go 1.14 uses an entirely different object format.

garble build [build flags] [packages]

See garble -h for up to date usage information.

Purpose

Produce a binary that works as well as a regular build, but that has as little information about the original source code as possible.

The tool is designed to be:

Coupled with cmd/go, to support modules and build caching
Deterministic and reproducible, given the same initial source code
Reversible given the original source, to un-garble panic stack traces

Mechanism

The tool wraps calls to the Go compiler and linker to transform the Go build, in order to:

Replace as many useful identifiers as possible with short base64 hashes
Replace package paths with short base64 hashes
Remove all build and module information
Strip filenames and shuffle position information
Strip debugging information and symbol tables
Obfuscate literals, if the -literals flag is given
Removes extra information if the -tiny flag is given

Options

By default, the tool garbles the packages under the current module. If not running in module mode, then only the main package is garbled. To specify what packages to garble, set GOPRIVATE, documented at go help module-private.

Caveats

Most of these can improve with time and effort. The purpose of this section is to document the current shortcomings of this tool.

Exported methods are never garbled at the moment, since they could be required by interfaces and reflection. This area is a work in progress.
Functions implemented outside Go, such as assembly, aren't garbled since we currently only transform the input Go source.
Go plugins are not currently supported; see #87.
There are cases where garble is a little too agressive with obfuscation, this may lead to identifiers getting obfuscated which are needed for reflection, e.g. to parse JSON into a struct; see #162. To work around this you can pass a hint to garble, that an type is used for reflection via passing it to reflect.TypeOf or reflect.ValueOf in the same file:
```
// this is used for parsing json
type Message struct {
    Command string
    Args    string
}

// never obfuscate the Message type
var _ = reflect.TypeOf(Message{})
```

Tiny Mode

When the -tiny flag is passed, extra information is stripped from the resulting Go binary. This includes line numbers, filenames, and code in the runtime the prints panics, fatal errors, and trace/debug info. All in all this can make binaries 6-10% smaller in our testing.

Note: if -tiny is passed, no panics, fatal errors will ever be printed, but they can still be handled internally with recover as normal. In addition, the GODEBUG environmental variable will be ignored.

Contributing

We actively seek new contributors, if you would like to contribute to garble use the CONTRIBUTING.md as a starting point.