Skip to content
Cameron Babcock Cameron Babcock
← Back to the archive
May 3, 2026 2 min read

Compile-Time Polymorphism for Evasion: Inside ObfTypes

Exploring a C++26 approach to anti-analysis and signature evasion using compile-time variant dispatch and SIMD.

#cno #obfuscation #c++ #evasion #malware-analysis

In the landscape of Computer Network Operations (CNO) development, static signature detection remains a persistent, albeit manageable, hurdle. EDR and AV engines heavily rely on mathematical signatures of critical logic (like hashing routines or crypto implementations) to quickly classify payloads before execution.

The ObfTypes library (part of the Defensive Toolkit) provides a modern C++26 approach to breaking these signatures at compile time. By wrapping standard integral types, it forces the compiler to generate mathematically identical but binary-distinct variants of standard operations.

The Signature Problem

When an analyst or an automated engine identifies a specific instruction sequence—for instance, a custom XOR-based decryption loop or a specific hash constant—that sequence becomes a static indicator. If your CNO toolkit relies on the standard a ^ b operation across all builds, the resulting assembly (e.g., xor eax, edx) is highly predictable.

To evade this, developers often manually introduce noise, dead code, or alternative logic. However, this is error-prone, hard to maintain, and can sometimes introduce functional bugs.

Enter ObfTypes: Zero-Overhead Variance

ObfTypes abstracts this by overriding standard operators. Instead of uint32_t, you use a wrapped type uint32_dt<Seed>. The Seed (derived from __TIME__ or a build counter) dictates the variant generation.

When the compiler encounters a ^ b, it doesn’t emit a simple XOR. It dispatches to one of many verified variants. For example, a ^ b can be mathematically expanded to:

(a | b) & ~(a & b)
(a & ~b) | (~a & b)
(a + b) - ((a & b) << 1)

Because this dispatch happens entirely at compile time via C++ templates, there is zero runtime overhead. The resulting binary contains an interleaved mix of AND, OR, ADD, SUB, and NOT instructions, entirely obscuring the original intent of a simple XOR operation from basic static analysis.

SIMD and Advanced Dispatch

The toolkit goes further by incorporating SIMD (Single Instruction, Multiple Data) variants. Even for scalar operations (manipulating a single 32-bit integer), ObfTypes can emit SSE2, AVX2, AVX-512 (on x86), or NEON (on ARM) instructions.

An EDR engine expecting standard general-purpose register operations for a string hashing routine will be completely blind-sided by AVX-512 logic performing the same task. This introduces massive variance in the binary footprint.

// A simple operation...
hash = hash * 16777619u;

// ...might compile into AVX2 intrinsic wrappers
// _mm256_mullo_epi32(...)

Formal Verification with Z3

A critical requirement for any CNO tooling is reliability. An obfuscation technique that breaks the underlying logic is useless.

To guarantee safety, ObfTypes pairs its C++ implementation with Python-based formal verification scripts utilizing the Z3 Theorem Prover. Every polymorphic variant in the toolkit has been mathematically proven to be identical to the native operation it replaces.

Conclusion

By leveraging modern C++26 features (like consteval and advanced templating), ObfTypes provides a robust, mathematically proven method for signature evasion. For engineers focused on CNO and adversary emulation, integrating compile-time polymorphism shifts the burden back to the defenders, forcing them to rely on complex behavioral analysis rather than simple, static indicators.