Merge branch 'feat/412-changes' into 'main'

Christopher Graham (Cobalt Strike) · Christopher Graham (Cobalt Strike) · commit 95aabd243aae · 2025-11-04T08:36:47.000-06:00
Update template with 4.12 changes

See merge request cobalt-strike-research/bof-vs!12
diff --git a/BOF-Template/base/mock.cpp b/BOF-Template/base/mock.cpp
@@ -350,29 +350,24 @@ namespace bof {
         }
     }
 
-    std::vector<bof::output::OutputEntry> runMockedSleepMask(SLEEPMASK_FUNC sleepMaskFunc, PSLEEPMASK_INFO sleepMaskInfo, PFUNCTION_CALL functionCall) {
+    std::vector<bof::output::OutputEntry> runMockedSleepMask(SLEEPMASK_FUNC sleepMaskFunc, PBEACON_INFO beaconInfo, PFUNCTION_CALL functionCall) {
         // Reset the global output container
         bof::output::reset();
         // Execute the entrypoint
-        sleepMaskFunc(sleepMaskInfo, functionCall);
+        sleepMaskFunc(beaconInfo, functionCall);
         // Return the stored outputs
         return bof::output::getOutputs();
     }
 
     std::vector<bof::output::OutputEntry> runMockedSleepMask(SLEEPMASK_FUNC sleepMaskFunc, const bof::profile::Stage& stage, const bof::mock::MockSleepMaskConfig& config) {
         BEACON_INFO beaconInfo = bof::mock::setupMockBeacon(stage);
-        SLEEPMASK_INFO sleepmaskInfo = {
-            .version = bof::CsVersion,
-            .reason = DEFAULT_SLEEP,
-            .sleep_time = config.sleepTimeMs,
-            .beacon_info = beaconInfo,
-        };
-        bof::mock::resolveMockUpSleepmaskLocation(sleepmaskInfo.beacon_info);
+        FUNCTION_CALL functionCall = bof::mock::createFunctionCallStructure(Sleep, SLEEP, TRUE, 1, config.sleepTimeMs);
+        bof::mock::resolveMockUpSleepmaskLocation(beaconInfo);
         bof::mock::setBeaconInfo(beaconInfo);
 
         std::vector<bof::output::OutputEntry> output;
         do {
-            output = runMockedSleepMask(sleepMaskFunc, &sleepmaskInfo, NULL);
+            output = runMockedSleepMask(sleepMaskFunc, &beaconInfo, &functionCall);
         } while (config.runForever);
 
         return output;
@@ -393,15 +388,9 @@ namespace bof {
 
     std::vector<bof::output::OutputEntry> runMockedBeaconGate(SLEEPMASK_FUNC sleepMaskFunc, PFUNCTION_CALL functionCall, const bof::profile::Stage& stage) { 
         BEACON_INFO beaconInfo = bof::mock::setupMockBeacon(stage);
-        SLEEPMASK_INFO sleepmaskInfo = {
-            .version = bof::CsVersion,
-            .reason = BEACON_GATE,
-            .sleep_time = 0,
-            .beacon_info = beaconInfo,
-        };
-        bof::mock::resolveMockUpSleepmaskLocation(sleepmaskInfo.beacon_info);
+        bof::mock::resolveMockUpSleepmaskLocation(beaconInfo);
         bof::mock::setBeaconInfo(beaconInfo);
-        return runMockedSleepMask(sleepMaskFunc, &sleepmaskInfo, functionCall);
+        return runMockedSleepMask(sleepMaskFunc, &beaconInfo, functionCall);
     }
 
     std::vector<bof::output::OutputEntry> runMockedBeaconGate(SLEEPMASK_FUNC sleepMaskFunc, PFUNCTION_CALL functionCall) {
@@ -430,6 +419,11 @@ extern "C"
         va_end(args);
     }
 
+    BOOL BeaconDownload(const char* filename, const char* buffer, unsigned int length) {
+        std::cerr << "Not implemented: " << __FUNCTION__ << std::endl;
+        return FALSE;
+    }
+
     void BeaconOutput(int type, const char *data, int len) {
         bof::output::addEntry(type, data, len);
         printf("[Output Callback: %s (0x%X)]\n%.*s", bof::utils::typeToStr(type), type, len, data);
diff --git a/BOF-Template/base/mock.h b/BOF-Template/base/mock.h
@@ -4,7 +4,7 @@
 #include "../sleepmask.h"
 
 namespace bof {
-    const DWORD CsVersion = 0x041000;
+    const DWORD CsVersion = 0x041200;
 
     namespace profile {
         /**
@@ -276,7 +276,7 @@ namespace bof {
      * @param functionCall the pointer to the FUNCTION_CALL structure
      * @return A vector of OutputEntry objects
      */
-    std::vector<bof::output::OutputEntry> runMockedSleepMask(SLEEPMASK_FUNC sleepMaskFunc, PSLEEPMASK_INFO sleepMaskInfo, PFUNCTION_CALL functionCall);
+    std::vector<bof::output::OutputEntry> runMockedSleepMask(SLEEPMASK_FUNC sleepMaskFunc, PBEACON_INFO beaconInfo, PFUNCTION_CALL functionCall);
 
     /**
      * Setup a mock-up Beacon and execute the sleepmask function as Beacon Gate with the default stage block.
diff --git a/BOF-Template/beacon_gate.h b/BOF-Template/beacon_gate.h
@@ -32,6 +32,10 @@ typedef enum _WinApi {
     READPROCESSMEMORY,
     WRITEPROCESSMEMORY,
     EXITTHREAD,
+    VIRTUALFREEEX,
+    VIRTUALQUERYEX,
+    WAITFORSINGLEOBJECT,
+    SLEEP
 } WinApi;
 
 /**
diff --git a/BOF-Template/bof.cpp b/BOF-Template/bof.cpp
@@ -41,10 +41,10 @@ extern "C" {
         }
     }
 
-    /*
-    void sleep_mask(PSLEEPMASK_INFO info, PFUNCTION_CALL funcCall) {
-    }
-    */
+    
+    /*void sleep_mask(PBEACON_INFO info, PFUNCTION_CALL funcCall) {
+        // BeaconGateWrapper(info, funcCall);
+    }*/
 }
 
 // Define a main function for the bebug build

Original file line number	Diff line number	Diff line change
`@@ -41,10 +41,10 @@ extern "C" {`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`
`44`		`- /*`
`45`		`- void sleep_mask(PSLEEPMASK_INFO info, PFUNCTION_CALL funcCall) {`
`46`		`- }`
`47`		`- */`
	`44`	`+`
	`45`	`+ /*void sleep_mask(PBEACON_INFO info, PFUNCTION_CALL funcCall) {`
	`46`	`+ // BeaconGateWrapper(info, funcCall);`
	`47`	`+ }*/`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`// Define a main function for the bebug build`