Windows ARM64 Malware Development: Rebuilding the Offensive Toolbox for the AArch64 Era + Video

Listen to this Post

Featured Image

Introduction:

The Windows ecosystem is undergoing a fundamental architectural shift as ARM64 devices gain mainstream traction, challenging offensive security practitioners to adapt their tooling and tradecraft. With Windows 11 on ARM delivering native performance and increasing enterprise adoption, the ability to develop, deploy, and evade detection on AArch64 systems is no longer optional—it is a critical skill for modern red team operations. This article explores the Windows ARM64 offensive development landscape, from AArch64 assembly and shellcode construction to advanced persistence techniques and the groundbreaking ARM64X hybrid loader.

Learning Objectives:

  • Understand the Windows ARM64 architecture, ABI, and the MSVC ARM64 toolchain for offensive development.
  • Develop position-independent AArch64 shellcode and master manual DLL mapping via PEB/TEB access.
  • Implement advanced evasion techniques including call stack spoofing, syscall resolution, and reflective loading.
  • Build and deploy an ARM64X hybrid loader capable of executing in both native and emulated x64 processes.

You Should Know:

1. Understanding the Windows ARM64 Landscape and Toolchain

Windows on ARM64 (AArch64) represents a paradigm shift in the Windows ecosystem. Unlike the x86/x64 architectures that have dominated for decades, ARM64 offers a RISC-based approach with 31 general-purpose registers (X0–X30), a dedicated link register (X30), and the stack pointer (SP) and program counter (PC) accessible as special-purpose registers. The architecture’s speed and power efficiency are driving adoption across laptops, tablets, and even cloud instances, making it an increasingly attractive target for both defenders and attackers.

The foundational toolchain for Windows ARM64 development is Microsoft’s MSVC ARM64 compiler, which produces native AArch64 binaries. However, offensive development requires going beyond high-level C/C++—it demands a deep understanding of the Windows ARM64 Application Binary Interface (ABI). The ARM64 ABI specifies calling conventions, register usage, stack alignment (16-byte), and how parameters are passed (first eight arguments in X0–X7). The `x18` register holds the pointer to the Thread Environment Block (TEB), which is critical for accessing the Process Environment Block (PEB) and performing manual DLL mapping.

Step-by-Step: Setting Up Your Windows ARM64 Offensive Development Environment

  1. Provision a Windows 11 ARM64 instance — Use a physical ARM64 device (e.g., Surface Pro X), a cloud instance (Azure ARM64 VMs), or virtualization via Parallels/VMware on Apple Silicon.
  2. Install Visual Studio 2022 with the “Desktop development with C++” workload and ensure the ARM64/ARM64EC components are selected.
  3. Verify the toolchain by compiling a simple “Hello World” with the ARM64 target:
    cl /arch:ARM64 /Fe:test.exe test.cpp
    
  4. Install the Windows SDK for ARM64 to access necessary headers and libraries.
  5. Set up a debugging environment using WinDbg (ARM64 version) or x64dbg with ARM64 support for dynamic analysis.

2. AArch64 Assembly and Position-Independent Shellcode Development

Shellcode for Windows ARM64 must be position-independent, meaning it can execute from any memory location without relocations. This requires careful handling of relative addressing and avoiding absolute memory references. The AArch64 instruction set provides the `ADR` and `ADRP` instructions for PC-relative addressing, which are essential for PIC.

A minimal AArch64 shellcode that executes a command (e.g., calc.exe) typically involves:
– Resolving the base address of `kernel32.dll` via the PEB.
– Walking the export table to find `WinExec` or CreateProcessA.
– Calling the function with the appropriate arguments.

The following AArch64 assembly snippet demonstrates a position-independent command execution payload:

; Windows ARM64 shellcode - Execute command
; Based on position-independent AArch64 assembly

ADRP X0, cmd_str ; PC-relative address of command string
ADD X0, X0, :lo12:cmd_str
MOV X1, 1 ; SW_SHOW
; ... resolve WinExec address via PEB walk ...
BR X9 ; Jump to WinExec

cmd_str:
.asciz "calc.exe"

Step-by-Step: Building and Testing ARM64 Shellcode

  1. Write your AArch64 assembly in a `.asm` file using Microsoft’s ARM assembler (armasm64.exe).

2. Assemble the file:

armasm64.exe shellcode.asm

3. Extract the raw shellcode from the generated object file using a tool like `dumpbin` or a custom Python script.
4. Test the shellcode by embedding it in a loader that allocates executable memory and transfers control.
5. Verify position-independence by moving the shellcode to different memory addresses and confirming execution.

3. PEB/TEB Access, API Hashing, and Syscall Resolution

On ARM64, the `x18` register is reserved for the TEB pointer, providing a direct path to process metadata. The PEB, located at TEB + 0x60, contains the `Ldr` structure, which holds linked lists of loaded modules. By walking these lists, an attacker can locate `kernel32.dll` and `ntdll.dll` without using `GetModuleHandle` or other API calls that might be hooked by EDR.

API hashing is a critical evasion technique that replaces human-readable function names with hashed values, preventing static detection. The syscall mechanism on ARM64 uses the `SVC` (Supervisor Call) instruction with a system service number, bypassing user-mode hooks in ntdll.dll.

Step-by-Step: Manual DLL Mapping via PEB Walk

  1. Retrieve the TEB pointer using `__readx18()` or inline assembly.

2. Calculate the PEB address:

PPEB peb = (PPEB)((BYTE)teb + 0x60);

3. Access the `InMemoryOrderModuleList` from `peb->Ldr`.

  1. Iterate the list to find `kernel32.dll` by comparing the DLL name.
  2. Parse the export table of `kernel32.dll` to resolve function addresses.
  3. Hash the function name and compare to locate the desired API (e.g., CreateFile).

4. Process Injection, Reflective Loading, and Evasion

Process injection on ARM64 follows similar principles to x64 but requires attention to ABI differences. The classic reflective DLL injection technique—loading a DLL from memory without using LoadLibrary—must be adapted for AArch64. This involves manually mapping the PE sections, resolving imports, and executing the DLL’s entry point.

Advanced evasion techniques on ARM64 include call stack spoofing, which manipulates the return addresses on the stack to hide the true call chain from EDR’s stack-walking detection. The ARM64 Call Stack Spoofing Framework demonstrates dynamic discovery of legitimate return addresses in `ntdll.dll` and multi-frame spoofing to create believable call chains.

Step-by-Step: Reflective DLL Injection on ARM64

  1. Allocate memory in the target process using `VirtualAllocEx` with PAGE_EXECUTE_READWRITE.
  2. Write the raw DLL data into the allocated memory.
  3. Relocate the DLL by applying base relocations to fix absolute addresses.
  4. Resolve imports by walking the import table and using `GetProcAddress` or manual resolution.
  5. Execute the DLL entry point with `DLL_PROCESS_ATTACH` using `CreateRemoteThread` or RtlCreateUserThread.
  6. Clean up by optionally restoring the original memory permissions.

  7. The ARM64X Hybrid Loader: Bridging Native and Emulated Worlds

One of the most innovative concepts in Windows ARM64 is the ARM64X PE format. An ARM64X binary is a hybrid containing both pure ARM64 and ARM64EC (emulation-compatible) code in a single file. This allows the same PE to run natively in ARM64 processes and in emulated x64 processes, making it exceptionally versatile for offensive operations.

The ARM64X hybrid loader built in the course brings together all the major concepts—PE parsing, relocation, import resolution, and architecture detection—into a single, unified loader. The loader detects whether it is running in a native ARM64 or emulated x64 environment and selects the appropriate code path.

Step-by-Step: Building an ARM64X Hybrid Loader

  1. Compile your payload twice—once for ARM64 and once for ARM64EC.
  2. Link both object files using the ARM64X machine type:
    link /machine:arm64x /out:hybrid.exe arm64.obj arm64ec.obj
    
  3. Implement a dispatcher that checks the environment using `IsNativeARM64()` or similar.
  4. Include both payload variants in the data sections of the hybrid PE.
  5. At runtime, the dispatcher copies the appropriate payload into executable memory and transfers control.

6. Persistence and Evasion on Windows ARM64

Persistence mechanisms on ARM64 are similar to x64 but require ARM64-1ative implementations. Common techniques include:
– Scheduled Tasks — Created via `schtasks.exe` or the Task Scheduler COM API.
– Registry Run Keys — HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
– Windows Services — Installing a service that executes the ARM64 payload.
– WMI Event Subscription — Using WMI to trigger execution on system events.

Evasion on ARM64 also leverages the unique characteristics of the architecture:
– Syscall Direct Execution — Using `SVC` instructions to invoke system services directly, bypassing EDR hooks in ntdll.dll.
– Call Stack Spoofing — Manipulating return addresses to hide the true call chain.
– Delay Loops — Using ARM64 `YIELD` instructions or custom loops to evade timing-based detection.

Step-by-Step: Implementing Syscall-Based Execution on ARM64

  1. Identify the syscall number for the desired API (e.g., NtCreateFile) by disassembling ntdll.dll.
  2. Prepare the arguments in the appropriate registers (X0–X7).
  3. Execute the `SVC` instruction with the syscall number in X8:
    MOV X8, SYSCALL_NUMBER
    SVC 0
    RET
    
  4. Handle the return value and any potential errors.

What Undercode Say:

  • Key Takeaway 1: Windows ARM64 is not just a port of x64—it is a fundamentally different architecture with its own ABI, instruction set, and evasion opportunities. Offensive security practitioners must rebuild their toolchains and techniques from the ground up.
  • Key Takeaway 2: The ARM64X hybrid loader represents a paradigm shift in payload delivery, offering unprecedented flexibility by allowing a single PE to operate in both native and emulated environments, greatly expanding the attack surface.
  • Key Takeaway 3: Evasion techniques such as call stack spoofing and direct syscall invocation are even more critical on ARM64 due to the architecture’s growing adoption and the relative immaturity of EDR solutions for ARM64.

Prediction:

  • +1 Windows ARM64 will become a primary target for advanced persistent threats (APTs) and ransomware groups within 18–24 months as enterprise adoption accelerates, driving demand for specialized offensive development skills.
  • +1 The ARM64X hybrid format will be adopted by malware authors to create cross-environment payloads that can evade detection by leveraging the duality of native and emulated execution.
  • -1 EDR vendors will rapidly enhance their ARM64 detection capabilities, forcing offensive developers to innovate with new evasion techniques specifically tailored to the ARM64 architecture.
  • +1 Open-source tooling and frameworks (Metasploit, Cobalt Strike) will expand ARM64 support, democratizing access to ARM64 offensive capabilities.
  • -1 The Windows on ARM ecosystem currently suffers from limited native tooling and debugging support, potentially slowing the development of robust ARM64 security solutions.
  • +1 Training programs like the Windows ARM64 for Malware Development course will become essential for red teams seeking to maintain operational relevance in an ARM64-dominated future.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: John Stigerwalt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky