How to hide strings in C++ binaries with consteval
The problem
Every C++ binary has strings. strings.exe reads them. Competitors see your API keys. Reverse engineers find your logic. Anti-cheat detects your function names.
The old way - xorstr (constexpr XOR)
auto key = xorstr_("my_api_key");
Problem: constexpr depends on the optimizer. MSVC doesn't fold it - plaintext leaks to .rodata. Also: dangling pointer in xorstr_() macro (returns char* from temporary).
StealthLib - consteval (compiler-independent)
auto key = S("my_api_key");
consteval forces compile-time evaluation on every compiler. Plaintext is consumed during translation - never emitted. Verified by binary_scan_test on MSVC + GCC + Clang.
Differential testing
Same strings, same compiler, same platform:
- StealthLib: 7/7 PASS
- xorstr: 3/7 FAIL (dangling pointer)
What else is inside
- Hash-based API resolution (no API names in binary)
- 4-channel anti-debug (PEB + NtQuery + rdtsc + DR registers)
- IAT/EAT integrity checks
- VM detection (CPUID + DMI + disk)
- FIPS-180-4 SHA-256
- Per-build key rotation (16 variants)
- RAII auto re-encrypt guards
Quality
- 6 SAST tools clean: PVS-Studio (0 findings), SonarCloud (A ratings), CodeQL, Coverity (0.17 density), Semgrep, Codacy.
- 4.5 billion fuzz executions, 0 crashes.
- 40 mutation tests, 100% killed.
- 94.6% coverage.
Comments
No comments yet. Start the discussion.