Check Environment
(Experimental)

The goal of this transformation is to ensure that, during execution, the program is running in a "safe" environment. By "safe" we mean that the program is not being monitored in any way. More specifically, the program will check that it is not being debugged, not being emulated, not being run inside a virtual machine, etc.

You can read about the InitCheckers transformation here. It sets up Tigress so that you can later invoke the CheckEnvironment and Checksum transformations. Use --CheckEnvironmentSandboxes to list the sandboxes/debuggers you want to test for, and --CheckEnvironmentCheckerCount to indicate how many checkers you want to insert. As usual, --Functions lists the functions where we can insert the checkers:

tigress --Environment=x86_64:Linux:Clang:5.1 \
   --Transform=InitChecker \
       ... \
   --Transform=CheckEnvironment \
       --Functions=fac \
       --CheckEnvironmentSandboxes=valgrind \
       --CheckEnvironmentCheckerCount=2 \
   foo.c --out=obf.c

Option | Arguments | Description
--Transform | CheckEnvironment | Check if we are being run in an environment where we are being monitored.
--CheckEnvironmentCheckerCount | INTSPEC | How many checkers to insert in the program. Default=1.
--CheckEnvironmentTrace | BOOLSPEC | Trace the execution of the checkers. Default=false.
--CheckEnvironmentSandboxes | gdb, lldb, bochs, vmware, virtualBox, qemu, pin, cuckoo, kvm, hyper_v, parallels, xen | The list of sandboxes that should be detected. Default=None.
  • gdb = The gdb debugger
  • lldb = The lldb debugger
  • bochs = The Bochs emulator
  • vmware = The VMware virtual machine
  • virtualBox = The VirtualBox virtual machine
  • qemu = The QEMU emulator
  • pin = The Intel Pin tracing tool
  • cuckoo = The Cuckoo sandbox
  • kvm = The KVM hypervisor
  • hyper_v = The Microsoft Hyper-V hypervisor
  • parallels = The Parallels virtual machine
  • xen = The Xen hypervisor