An ARM64 ELF Packer/Loader for AArch64 Linux Binaries
A comprehensive security research tool that encrypts ARM64 ELF executables using multi-layer encryption and provides runtime in-memory execution without writing the original binary to disk.
- ARM64 ELF Support: Specifically designed for AArch64 Linux binaries
- Multi-Layer Encryption: Triple encryption using AES-256, ChaCha20, and RC4
- Memory Execution: Runtime decryption and execution entirely in memory using `memfd_create`
- Code Obfuscation: Advanced obfuscation techniques for anti-analysis
- CRC32 Verification: Integrity checking to detect tampering
- Self-Contained: Packed binaries are completely standalone
- Core Dump Prevention: Prevents memory dumps using `setrlimit`
- Secure Memory Wiping: Multi-pass memory erasure for sensitive data
- Direct Syscalls: Bypasses userland hooks for enhanced stealth

```bash
# Clone the repository
git clone https://github.com/litemars/hARMless.git
cd hARMless

# Build everything
make all

# Pack a binary
make pack INPUT=/bin/ls OUTPUT=packed_ls

# Run the packed binary
./packed_ls
```

- ARM64/AArch64 Linux system or cross-compilation toolchain
- GCC for ARM64 (`aarch64-linux-gnu-gcc` or native)
- Make
- Standard development tools (`git`, `build-essential`)

```bash
# 1. Clone the repository
git clone https://github.com/litemars/hARMless.git
cd hARMless

# 2. Build all components
make all

# This creates:
# - build/packer  : Binary packer
# - build/loader  : Stub loader
# - build/stubgen : Stub generator
```

```bash
# Install ARM64 cross-compiler
sudo apt-get install gcc-aarch64-linux-gnu

# Build with cross-compiler
make CC=aarch64-linux-gnu-gcc all
```

```bash
# Pack an ARM64 binary
make pack INPUT=your_arm64_binary OUTPUT=packed_binary

# Alternative: Use tools directly
./build/packer your_arm64_binary packed_data
./build/stubgen ./build/loader packed_data packed_binary
```

```bash
# Simply execute the packed binary
./packed_binary

# The packed binary will:
# 1. Read its own embedded encrypted data
# 2. Decrypt the original ELF in memory
# 3. Verify integrity with CRC32
# 4. Execute directly from memory using memfd_create
```

```bash
# Testing using /bin/ls
make test
# Output: packed_binary: packed_ls
```

The packer uses a triple-layer encryption approach:
- RC4 Stream Cipher: Initial obfuscation layer
- AES-256-CTR: Industry-standard symmetric encryption
- ChaCha20: Modern stream cipher for additional security

```
Original Binary → RC4 → AES-256 → ChaCha20 → Packed Data
```

Key Generation: Cryptographically secure random keys from /dev/urandom (256 bits per layer)
The loader uses direct syscalls to bypass userland hooks:

| Syscall | Number | Purpose |
|---|---|---|
| `memfd_create` | 279 | Create anonymous file descriptor |
| `execve` | 221 | Execute decrypted binary |
| `mmap` | 222 | Memory mapping |
| `write` | 64 | Output operations |
| `fexecve` | 281 | Execute from file descriptor |

Syscall Convention (ARM64):

```c
// x8 = syscall number
// x0-x5 = arguments
// svc #0 = invoke
```

- Secure Wiping: 3-pass overwrite (zeros, ones, random)
- No Disk Writes: Original binary never touches filesystem
- Stack Protection: Non-executable stack
- ASLR Compatible: Position-independent code

```c
setrlimit(RLIMIT_CORE, &(struct rlimit){0, 0});
```

Ensures sensitive memory is never written to disk, even during crashes.

CRC32 checksums detect any tampering with:
- Encrypted payload
- Decryption keys
- Loader code
- No debug symbols: Stripped binaries
- Obfuscated control flow: Reduces reverse engineering surface
- Direct syscalls: Evades LD_PRELOAD and EDR hooks
- In-memory execution: No `/tmp` artifacts
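
A defender-side check for two runtime traits described above, execution from a `memfd_create` descriptor and `RLIMIT_CORE` forced to 0, written as an added example that is not part of hARMless. It reads the real `/proc` by default; `build_sample_proc` writes constructed sample data, and the memfd name `payload` in it is hypothetical.

```python
import os
import tempfile

CORE_ROW = "Max core file size"

def exe_is_memfd(target):
    # readlink on /proc/<pid>/exe yields "/memfd:<name> (deleted)" for memfd-backed images
    return target.startswith("/memfd:")

def core_dumps_disabled(limits_text):
    # True only when soft AND hard RLIMIT_CORE are 0, as setrlimit({0, 0}) leaves them
    for line in limits_text.splitlines():
        if line.startswith(CORE_ROW):
            return line[len(CORE_ROW):].split()[:2] == ["0", "0"]
    return False

def scan_proc(proc_root="/proc"):
    # Report every process whose executable image is backed by a memfd
    findings = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        base = os.path.join(proc_root, pid)
        try:
            target = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "limits")) as fh:
                limits = fh.read()
        except OSError:
            continue  # exited process, kernel thread, or insufficient privilege
        if exe_is_memfd(target):
            findings.append({"pid": int(pid), "exe": target,
                             "core_disabled": core_dumps_disabled(limits)})
    return findings

def build_sample_proc(root):
    # Constructed sample data: a fake /proc with one on-disk and one memfd process
    samples = {
        "101": ("/usr/bin/ls", "0                    unlimited            bytes"),
        "202": ("/memfd:payload (deleted)", "0                    0                    bytes"),
    }
    for pid, (exe, core) in samples.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))
        with open(os.path.join(root, pid, "limits"), "w") as fh:
            fh.write("Limit                     Soft Limit           Hard Limit           Units\n")
            fh.write(f"{CORE_ROW}        {core}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan_proc(build_sample_proc(tmp)):
            print(hit)
```

Direct syscalls sidestep `LD_PRELOAD` hooks but not the kernel's own view of the process, which is what `/proc` exposes. A hit is a lead to triage rather than a verdict, since some legitimate software also executes from memfd-backed files.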

```
┌────────────────────────────────────────────────────────┐
│                    Original Binary                     │
└───────────────────────────┬────────────────────────────┘
                            │
                            ▼
                ┌───────────────────────┐
                │  Packer (packer.c)    │
                │  - Read ELF           │
                │  - Generate keys      │
                │  - Triple encrypt     │
                │  - Compute CRC32      │
                └───────────┬───────────┘
                            │
                            ▼
                ┌───────────────────────┐
                │  Packed Data File     │
                │  [encrypted payload]  │
                └───────────┬───────────┘
                            │
                            ▼
                ┌───────────────────────┐
                │  Stub Generator       │
                │  (stubgen.c)          │
                │  - Embed loader       │
                │  - Append data        │
                └───────────┬───────────┘
                            │
                            ▼
┌────────────────────────────────────────────────────────┐
│                 Packed Binary (Output)                 │
│  ┌──────────────────────────────────────────────────┐  │
│  │  Loader Stub (loader.c)                          │  │
│  │  - Read embedded data                            │  │
│  │  - Decrypt (ChaCha20 → AES → RC4)                │  │
│  │  - Verify CRC32                                  │  │
│  │  - Create memfd                                  │  │
│  │  - Execute via fexecve                           │  │
│  └──────────────────────────────────────────────────┘  │
│  ┌──────────────────────────────────────────────────┐  │
│  │  Encrypted Payload + Metadata                    │  │
│  └──────────────────────────────────────────────────┘  │
└───────────────────────────┬────────────────────────────┘
                            │
                            ▼
                ┌───────────────────────┐
                │  Runtime Execution    │
                │  (in-memory only)     │
                └───────────────────────┘
```

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
- Authorized penetration testing
- Security research and education
- Red team operations
- Malware analysis
Unauthorized use is prohibited and may be illegal.
This project is licensed under the MIT License - see the LICENSE file for details.