BOFMask
BOFMask is a proof-of-concept for masking Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). Normally, Beacon is left exposed during BOF execution. If some behavior from a user-provided BOF triggers a memory scan by an EDR product, then Beacon will likely be detected in memory. Since Cobalt Strike's 4.7 release, users are able to provide a Sleep Mask to hide Beacon while it is sleeping, which is implemented as a BOF provided by the user. This demonstrates that it is possible to execute a BOF while Beacon is masked.The actual implementation of this is simple: A setup function, GetBeaconBaseAddress, is used to generate a key and find Beacon's base address. Beacon's base address is located by going up two stack frames to find the return address after the BOF finishes executing. This will be an address within Beacon's .text section, which we can pass in to the VirtualQuery API to get the base address of the .text section. Then, a simple XOR mask is used to hide Beacon, and the memory protection setting changed with the VirtualProtect API.
URL - https://github.com/xforcered/bofmask