// LLVM Self-Masking Functions Masterclass
Compiler-level per-function self-masking via LLVM X86 backend modifications. Each registered function is XOR-encrypted at rest and only decrypted when called, keeping ~98% of code masked even at sleep 0. Defeats memory scanners while maintaining CET/Shadow Stack compatibility. By MDSec ActiveBreach (@saab_sec).
01: Why memory scanners catch implants, how traditional sleep obfuscation works, its limitations, and the paradigm shift to per-function masking.
02 (Beginner): LLVM IR, the X86 backend, MachineFunction passes, the PreEmit phase, and why compiler-level instrumentation beats source-level approaches.
03 (Beginner): PE section headers, creating .funcmeta and .stub custom sections, section alignment, VirtualProtect permissions, and the modifyEP.py post-processor.
04 (Intermediate): The MachineFunctionPass that instruments functions, attribute-based registration, prologue/epilogue injection points, and the PreEmit pipeline stage.
05 (Intermediate): The 0x46-byte prologue stub, the call/pop PIC trick for RIP-relative addressing, epilogue re-encryption, and how stubs bridge user code to the handler.
06 (Advanced): The ~380-byte handler routine, PE header validation, .funcmeta traversal, VirtualProtect RW/RX transitions, byte-level XOR, and TEB UserReserved fields.
07 (Advanced): The .stub entry point, TEB GS segment setup, and runtime call-flow tracing from encrypted function through handler to execution and re-encryption.
08 (Advanced): CET/Shadow Stack compatibility, comparison with Ekko/Zilean/FOLIAGE, the Nighthawk 0.3.3 “Evanesco” production implementation, and detection strategies.
References:
github.com/mdsecactivebreach/FunctionPeekaboo
mdsec.co.uk/2025/10/function-peekaboo-crafting-self-masking-functions-using-llvm
@saab_sec (MDSec ActiveBreach)
nighthawkc2.io/evanesco (v0.3.3, Nov 2024)
llvm.org/docs/WritingAnLLVMBackend.html
Intel Control-flow Enforcement Technology
github.com/Cracked5pider/Ekko (sleep encryption via APC queuing and NtContinue)