Cloakwork is an advanced header-only C++20 obfuscation library providing comprehensive protections against static and dynamic analysis. It is highly configurable, extremely modular, and can be embedded directly with no separate compilation step needed. No dependencies required. This was a college project that spiraled into what it is now, so enjoy.
Inspired by obfusheader.h and Zapcrash's nimrodhide.h
Author: helz.dev on Discord License: MIT
- Compile-time string encryption
- Encrypts string literals and decrypts on-the-fly at runtime.
- Multi-layer encryption with polymorphic re-encryption.
- Stack-based encrypted strings with automatic cleanup.
- Wide string (wchar_t) encryption support.
- Compile-time string hashing
- FNV-1a hash computed at compile-time for API name hiding.
- Runtime hash functions for dynamic string comparison.
- Case-insensitive hashing variants.
- Integer/value obfuscation
- Protects sensitive values with random key-based encoding and mutation.
- Mixed Boolean Arithmetic (MBA) obfuscation for arithmetic operations.
- Obfuscated comparison operators (==, !=, <, >, <=, >=).
- Encrypted compile-time constants.
- Data hiding & scattering
- Splits and scrambles user data across memory or in polymorphic wrappers.
- True heap-based data scattering for structure obfuscation.
- Control flow obfuscation
- Opaque predicates using runtime values.
- Control flow flattening via state machines.
- Branch indirection and dead code insertion.
- Junk code insertion macros.
- Function pointer obfuscation
- Multi-layer pointer encryption with rotation and XOR.
- Decoy pointer arrays to hide real function addresses.
- Return address spoofing infrastructure.
- Import hiding
- Dynamic API resolution without import table entries.
- Module enumeration via PEB walking.
- Export table parsing with hash-based lookup.
- Direct syscalls
- Syscall number extraction from ntdll.
- Bypass usermode hooks entirely.
- Anti-debugging
- Multiple techniques including timing checks, PEB inspection, hardware breakpoint detection.
- Parent process analysis and debugger window detection.
- Anti-anti-debug plugin detection (ScyllaHide, TitanHide, etc.).
- Kernel debugger detection and memory breakpoint detection.
- Anti-VM/Sandbox detection
- Hypervisor detection via CPUID.
- VM vendor string detection (VMware, VirtualBox, Hyper-V, etc.).
- Low resource detection (sandbox environments).
- Sandbox DLL and artifact detection.
- VM-specific registry key and MAC address detection.
- Code integrity verification
- Function hash computation for tamper detection.
- Hook detection at function entry points.
- Integrity-checked function wrappers.
- Metamorphic code generation
- Self-mutating code and cross-variant function dispatching.
- Compile-time randomization
- All transformations use compile-time random generation—no two builds are alike.
- Runtime entropy combining multiple sources (RDTSC, ASLR, hardware RNG).
- Full modular configuration
- Every feature is a toggle—disable heavy modules for performance or size.
Add to your project (no build step needed):
#include "cloakwork.h"String Encryption:
const char* msg = CW_STR("secret message");
// automatically decrypted at runtime only
// multi-layer encryption with polymorphic re-encryption
const char* secure = CW_STR_LAYERED("ultra secret");
// stack-based with auto-cleanup on scope exit
auto stack_str = CW_STR_STACK("temporary secret");
// wide string encryption
const wchar_t* wide = CW_WSTR(L"wide string secret");String Hashing:
// compile-time hash (computed at build time)
constexpr uint32_t hash = CW_HASH("kernel32.dll");
// use for API hiding
void* k32 = cloakwork::imports::getModuleBase(CW_HASH("kernel32.dll"));Obfuscated Values:
// basic obfuscation
int key = CW_INT(0xDEADBEEF);
// MBA (mixed boolean arithmetic) obfuscation
auto mba_val = CW_MBA(42);
// encrypted compile-time constants
int magic = CW_CONST(0xCAFEBABE);
// obfuscated arithmetic operations
int sum = CW_ADD(x, y);
int diff = CW_SUB(x, y);Obfuscated Comparisons:
// hide what you're comparing
if (CW_EQ(password_hash, expected_hash)) {
// authenticated
}
if (CW_LT(health, 0)) {
// game over
}
// all comparison operators: CW_EQ, CW_NE, CW_LT, CW_GT, CW_LE, CW_GEBoolean Obfuscation:
// obfuscated true/false using opaque predicates
if (CW_TRUE) {
// always executes, but looks complex in disassembly
}
// obfuscate any boolean expression
bool result = CW_BOOL(x > 0 && y < 100);Import Hiding:
// resolve APIs without import table
void* ntdll = cloakwork::imports::getModuleBase(CW_HASH("ntdll.dll"));
void* func = cloakwork::imports::getProcAddress(ntdll, CW_HASH("NtClose"));
// or use the macro
auto pVirtualAlloc = CW_IMPORT("kernel32.dll", VirtualAlloc);Direct Syscalls:
// get syscall number for direct invocation
uint32_t syscall_num = CW_SYSCALL_NUMBER(NtClose);Control Flow Obfuscation:
// obfuscated if/else with opaque predicates
CW_IF(is_authenticated)
process_secure_data();
CW_ELSE
handle_error();
// flatten control flow via state machine
auto safe_val = CW_FLATTEN([](int v) { return v * 2; }, user_val);
// insert junk code
CW_JUNK();
CW_JUNK_FLOW();Anti-Debug:
// comprehensive check (crashes if debugger detected)
CW_ANTI_DEBUG();
// analysis check with advanced techniques
CW_CHECK_ANALYSIS();
// inline check (scatter these throughout your code)
CW_INLINE_CHECK();Anti-VM/Sandbox:
// comprehensive check (crashes if VM/sandbox detected)
CW_ANTI_VM();
// or just check
if (CW_CHECK_VM()) {
// running in VM/sandbox
}Integrity Verification:
// check if function is hooked
if (CW_DETECT_HOOK(VirtualAlloc)) {
// function has been hooked!
}
// verify multiple functions
bool clean = cloakwork::integrity::verifyFunctions(&func1, &func2);Tweak features by defining feature macros before including the header:
#define CW_ENABLE_METAMORPHIC 0
#define CW_ENABLE_STRING_ENCRYPTION 1
#include "cloakwork.h"CW_ENABLE_ALL– Master on/off switch (default: 1)CW_ENABLE_STRING_ENCRYPTION– String encryption (default: 1)CW_ENABLE_VALUE_OBFUSCATION– Integer/value obfuscation (default: 1)CW_ENABLE_CONTROL_FLOW– Control flow obfuscation (default: 1)CW_ENABLE_ANTI_DEBUG– Anti-debugging features (default: 1)CW_ENABLE_FUNCTION_OBFUSCATION– Function pointer obfuscation (default: 1)CW_ENABLE_DATA_HIDING– Data scattering/polymorphic values (default: 1)CW_ENABLE_METAMORPHIC– Metamorphic code generation (default: 1)CW_ENABLE_COMPILE_TIME_RANDOM– Compile-time randomization (default: 1)CW_ENABLE_IMPORT_HIDING– Dynamic API resolution (default: 1)CW_ENABLE_SYSCALLS– Direct syscall support (default: 1)CW_ENABLE_ANTI_VM– Anti-VM/sandbox detection (default: 1)CW_ENABLE_INTEGRITY_CHECKS– Code integrity verification (default: 1)CW_ANTI_DEBUG_RESPONSE– Response to debugger detection: 0=ignore, 1=crash, 2=fake data (default: 1)
All features are enabled by default. For minimal configuration:
#define CW_ENABLE_ALL 0 // disable everything first
#define CW_ENABLE_STRING_ENCRYPTION 1 // enable only what you need
#define CW_ENABLE_VALUE_OBFUSCATION 1
#include "cloakwork.h"Performance-focused configuration:
#define CW_ENABLE_METAMORPHIC 0 // disable heavy features
#define CW_ENABLE_CONTROL_FLOW 0
#include "cloakwork.h"Cloakwork supports Windows kernel mode drivers (WDM/KMDF). Kernel mode is automatically detected when WDK headers are present (_KERNEL_MODE, NTDDI_VERSION, _NTDDK_, _WDMDDK_), or can be forced with CW_KERNEL_MODE 1.
Important: Due to the constraints of kernel mode (no STL, no CRT atexit, no C++20 concepts), most obfuscation features are disabled by default in kernel mode. See the feature table below for details.
#include <ntddk.h>
#define CW_KERNEL_MODE 1 // optional - auto-detected from ntddk.h
#include "cloakwork.h"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
UNREFERENCED_PARAMETER(RegistryPath);
// compile-time string hashing works (no encryption - see limitations)
constexpr uint32_t nt_hash = CW_HASH("NtClose");
DbgPrint("NtClose hash: 0x%X\n", nt_hash);
// compile-time random works
constexpr uint32_t random_key = CW_RANDOM_CT();
DbgPrint("Compile-time random: 0x%X\n", random_key);
// runtime random with kernel entropy sources
uint64_t runtime_key = CW_RANDOM_RT();
DbgPrint("Runtime random: 0x%llX\n", runtime_key);
// anti-debug detects kernel debuggers
if (cloakwork::anti_debug::is_debugger_present()) {
DbgPrint("Kernel debugger detected!\n");
// KdDebuggerEnabled, KdDebuggerNotPresent, or PsIsProcessBeingDebugged
}
// hardware breakpoint detection via debug registers
if (cloakwork::anti_debug::has_hardware_breakpoints()) {
DbgPrint("Hardware breakpoints detected (DR0-DR3)\n");
}
// NOTE: CW_STR, CW_INT, CW_IF, etc. are NO-OPS in kernel mode
// they compile to plain values without obfuscation
const char* msg = CW_STR("this is NOT encrypted in kernel mode");
DriverObject->DriverUnload = [](PDRIVER_OBJECT) {
DbgPrint("Driver unloading\n");
};
return STATUS_SUCCESS;
}In kernel mode, Cloakwork provides STL-compatible replacements and kernel primitives:
| Component | User Mode | Kernel Mode |
|---|---|---|
| Thread Safety | std::mutex |
KSPIN_LOCK via kernel_spinlock |
| Atomics | std::atomic<T> |
Interlocked* via kernel_atomic<T> |
| Memory Allocation | new/HeapAlloc |
ExAllocatePool2/ExFreePoolWithTag |
| Random Entropy | QueryPerformanceCounter, PIDs, heap addresses |
KeQueryPerformanceCounter, KeQueryInterruptTime, KASLR, pool addresses |
| Debugger Detection | PEB BeingDebugged, IsDebuggerPresent |
KdDebuggerEnabled, KdDebuggerNotPresent, PsIsProcessBeingDebugged |
| Debug Registers | GetThreadContext |
Direct __readdr() intrinsic |
| Exception Safety | SEH (__try/__except) |
MmIsAddressValid checks |
| Type Traits | <type_traits> |
Custom std::is_integral, std::enable_if, etc. |
| Index Sequence | std::index_sequence |
Custom implementation |
| Array | std::array<T, N> |
Custom implementation |
| Rotate | std::rotl/std::rotr |
Custom implementation |
Enabled in kernel mode:
CW_ENABLE_COMPILE_TIME_RANDOM- compile-time and runtime random generationCW_ENABLE_ANTI_DEBUG- kernel debugger detection- String hashing (
CW_HASH,CW_HASH_CI,CW_HASH_WIDE) - consteval, always works
Disabled in kernel mode (compile to no-ops):
| Feature | Reason Disabled | Effect |
|---|---|---|
CW_ENABLE_STRING_ENCRYPTION |
Uses static destructors requiring atexit |
CW_STR(s) → (s) |
CW_ENABLE_VALUE_OBFUSCATION |
Uses C++20 concepts and std::bit_cast |
CW_INT(x) → no obfuscation |
CW_ENABLE_CONTROL_FLOW |
Depends on MBA from value obfuscation | CW_IF → regular if |
CW_ENABLE_FUNCTION_OBFUSCATION |
Uses C++20 concepts | CW_CALL(f) → no obfuscation |
CW_ENABLE_DATA_HIDING |
Uses std::unique_ptr |
CW_SCATTER unavailable |
CW_ENABLE_METAMORPHIC |
Uses std::initializer_list |
Metamorphic functions unavailable |
CW_ENABLE_IMPORT_HIDING |
PEB walking needs usermode structures | CW_IMPORT unavailable |
CW_ENABLE_ANTI_VM |
Uses usermode APIs (GetSystemInfo, registry) |
CW_ANTI_VM() → no-op |
CW_ENABLE_INTEGRITY_CHECKS |
Requires VirtualQuery |
Hook detection unavailable |
CW_ENABLE_SYSCALLS |
Already in kernel, not applicable | CW_SYSCALL_NUMBER → 0 |
The kernel mode anti-debug uses these detection methods:
- KdDebuggerEnabled - Global kernel flag set when kernel debugger is attached
- KdDebuggerNotPresent - Inverse flag (false = debugger present)
- PsIsProcessBeingDebugged - Per-process debug port check (dynamically resolved via
MmGetSystemRoutineAddress) - Debug Registers - Direct
__readdr()intrinsic to read DR0-DR3 hardware breakpoints - Timing Analysis -
KeQueryPerformanceCountervs RDTSC comparison for step detection
// comprehensive kernel debugger check
if (cloakwork::anti_debug::comprehensive_check()) {
// kernel debugger or hardware breakpoints detected
KeBugCheckEx(0xDEAD, 0, 0, 0, 0);
}
// individual checks
if (cloakwork::anti_debug::is_debugger_present()) {
// KdDebuggerEnabled or PsIsProcessBeingDebugged
}
if (cloakwork::anti_debug::has_hardware_breakpoints()) {
// DR0-DR3 are non-zero
}
// timing check with callback
bool suspicious = cloakwork::anti_debug::timing_check([]() {
volatile int x = 0;
for (int i = 0; i < 100; i++) x += i;
}, 50000);Runtime random in kernel mode combines multiple entropy sources:
__rdtsc()- CPU cycle counterPsGetCurrentProcess()/PsGetCurrentThread()- KASLR randomized addressesPsGetCurrentProcessId()/PsGetCurrentThreadId()- Process/thread IDsKeQueryPerformanceCounter()- High-precision timerKeQuerySystemTime()- System timeKeQueryInterruptTime()- Interrupt time (very high resolution)- Pool allocation address - KASLR randomized heap location
- Stack address - KASLR randomized
All sources are mixed using xorshift64* for fast, quality pseudorandom output.
CW_STR(s)– Compile-time encrypted string, decrypts at runtimeCW_STR_LAYERED(s)– Multi-layer encrypted string with polymorphic re-encryptionCW_STR_STACK(s)– Stack-based encrypted string with auto-cleanup on scope exitCW_WSTR(s)– Wide string (wchar_t) encryption
CW_HASH(s)– Compile-time FNV-1a hash of string (case-sensitive, for function names)CW_HASH_CI(s)– Compile-time case-insensitive hash (for module names)CW_HASH_WIDE(s)– Compile-time hash of wide stringcloakwork::hash::fnv1a_runtime(str)– Runtime hash of stringcloakwork::hash::fnv1a_runtime_ci(str)– Case-insensitive runtime hash
CW_INT(x)– Obfuscated integer/numeric valueCW_MBA(x)– MBA (Mixed Boolean Arithmetic) obfuscated valueCW_CONST(x)– Encrypted compile-time constantCW_ADD(a, b)– Obfuscated addition using MBACW_SUB(a, b)– Obfuscated subtraction using MBACW_AND(a, b)– Obfuscated bitwise AND using MBACW_OR(a, b)– Obfuscated bitwise OR using MBA
CW_EQ(a, b)– Obfuscated equality (a == b)CW_NE(a, b)– Obfuscated not-equals (a != b)CW_LT(a, b)– Obfuscated less-than (a < b)CW_GT(a, b)– Obfuscated greater-than (a > b)CW_LE(a, b)– Obfuscated less-or-equal (a <= b)CW_GE(a, b)– Obfuscated greater-or-equal (a >= b)
CW_TRUE– Obfuscated true using opaque predicatesCW_FALSE– Obfuscated false using opaque predicatesCW_BOOL(expr)– Obfuscates any boolean expression
CW_SCATTER(x)– Scatters data across heap allocationsCW_POLY(x)– Polymorphic value that mutates internally
CW_IF(expr)– Obfuscated if with opaque predicatesCW_ELSE– Obfuscated else clauseCW_BRANCH(cond)– Indirect branching with obfuscationCW_FLATTEN(func, ...)– Flattens control flow via state machineCW_JUNK()– Insert junk computationCW_JUNK_FLOW()– Insert junk with fake control flow
CW_CALL(func)– Obfuscates function pointer with multi-layer encryptionCW_SPOOF_CALL(func)– Call with spoofed return address
CW_IMPORT(mod, func)– Resolve function without import tablecloakwork::imports::getModuleBase(hash)– Get module base by hashcloakwork::imports::getProcAddress(mod, hash)– Get function by hash
CW_SYSCALL_NUMBER(func)– Get syscall number for ntdll functioncloakwork::syscall::getSyscallNumber(hash)– Get syscall by function hash
CW_ANTI_DEBUG()– Crashes if debugger detectedCW_CHECK_ANALYSIS()– Advanced anti-analysis checkCW_INLINE_CHECK()– Inline anti-debug checkcloakwork::anti_debug::is_debugger_present()– Basic debugger detectioncloakwork::anti_debug::comprehensive_check()– Multi-layer detection
CW_ANTI_VM()– Crashes if VM/sandbox detectedCW_CHECK_VM()– Returns true if VM/sandbox detectedcloakwork::anti_debug::anti_vm::comprehensive_check()– Full VM/sandbox detectioncloakwork::anti_debug::anti_vm::is_hypervisor_present()– Hypervisor detectioncloakwork::anti_debug::anti_vm::detect_vm_vendor()– VM vendor detectioncloakwork::anti_debug::anti_vm::detect_sandbox_dlls()– Sandbox DLL detection
CW_DETECT_HOOK(func)– Check if function is hookedCW_INTEGRITY_CHECK(func, size)– Wrap function with integrity checkingcloakwork::integrity::computeHash(data, size)– Compute hash of memorycloakwork::integrity::detectHook(func)– Check for hook patternscloakwork::integrity::verifyFunctions(...)– Verify multiple functions
CW_RANDOM_CT()– Compile-time random value (unique per build)CW_RAND_CT(min, max)– Compile-time random in rangeCW_RANDOM_RT()– Runtime random value (unique per execution)CW_RAND_RT(min, max)– Runtime random in range
cloakwork::obfuscated_value<T>– Generic value obfuscationcloakwork::mba_obfuscated<T>– MBA-based obfuscationcloakwork::bool_obfuscation::obfuscated_bool– Multi-byte boolean storagecloakwork::data_hiding::scattered_value<T, Chunks>– Data scatteringcloakwork::data_hiding::polymorphic_value<T>– Polymorphic valuecloakwork::obfuscated_call<Func>– Function pointer obfuscationcloakwork::metamorphic::metamorphic_function<Func>– Metamorphic wrappercloakwork::constants::runtime_constant<T>– Runtime-keyed constantcloakwork::integrity::integrity_checked<Func>– Integrity-checked function
All features are header-only and are Windows-focused (with advanced anti-debug using Win32 APIs). C++20 or above required.
- Deep integration possible with scatter/polymorphic wrappers for sensitive data structures.
- Metamorphic function patterns confuse code flow analysis.
- Import hiding removes sensitive APIs from import table, resolving at runtime via PEB walking.
- Direct syscalls bypass usermode hooks entirely.
- Anti-debug techniques include:
- PEB inspection (BeingDebugged flag)
- Hardware breakpoint detection via debug registers
- Timing analysis (RDTSC vs QueryPerformanceCounter)
- Parent process analysis
- Debugger window class detection
- Anti-anti-debug plugin detection (ScyllaHide, TitanHide, HyperHide)
- Kernel debugger detection
- Memory breakpoint (PAGE_GUARD) detection
- Anti-VM techniques include:
- Hypervisor bit detection via CPUID
- VM vendor string matching
- Low resource detection (CPU count, RAM, disk size)
- VM-specific registry keys
- VM MAC address prefix detection
- Sandbox DLL detection
- Control flow flattening uses runtime-keyed state machines to frustrate static analysis.
- String encryption uses multi-layer XOR with position-dependent keys and optional polymorphic re-encryption.
- Inspired by legendary tools: obfusheader.h, nimrodhide.h, and the anti-re tools of unknowncheats.
- Created by helz.dev/Helzky / Discord:
helz.dev - Open for contributions and issues!
MIT License – do what you want, no warranty.
Cloakwork: Ultra-obfuscated, ultra-useful... Happy hiding!