1 point by litemars 6 hours ago | 1 comment
  • litemars 6 hours ago
    Hi HN,

    I've been working on a gap in the open-source security tooling space: ARM64 Linux malware analysis and evasion research. While frameworks like UPX, Msfvenom, and other packers dominate x86/x64, ARM64 (AArch64) has almost nothing.

    That's a problem because ARM64 is now everywhere: AWS Graviton instances, mobile edge devices, IoT infrastructure, and increasingly, production servers. Yet the security community treats ARM64 as second-class when it comes to offensive tooling and EDR evasion research.

    So I built hARMless, a focused ARM64 ELF packer and in-memory loader designed specifically for security research and red team operations.

    The interesting part (for me) was understanding how modern EDRs detect process injection and in-memory execution on ARM64. The x86 equivalents are well-researched, but ARM64-specific EDR evasion is almost unstudied. I documented the techniques I found so defenders can build better detection.

    I'd love technical feedback, especially on:
    - what are we missing on ARM64?
    - how would you catch these techniques in general?

    https://github.com/litemars/hARMless

    Open to discussion on ARM64 malware analysis, syscall evasion, or detection challenges.

    Cheers, litemars
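
One general answer to "how would you catch these techniques" that does not depend on the architecture, as an added example that is not part of the post and not code from the hARMless repository: a /proc-based hunt for in-memory ELF execution on Linux. It assumes the loader ends up in one of the two states most in-memory loaders share, an executable backed by a memfd or an unlinked file, or executable code in anonymous mappings; the post does not say which mechanism hARMless uses, so treat that as an assumption. The sample /proc/<pid>/exe targets and maps contents are constructed for the example so it runs offline; `scan_live()` walks the real /proc when run on a host.

```python
"""Heuristic hunt for in-memory ELF execution on Linux via /proc.

Two signals are checked per process:
  1. /proc/<pid>/exe resolves to a memfd ("/memfd:name (deleted)") or to a
     path that was unlinked after exec ("... (deleted)").
  2. /proc/<pid>/maps contains executable regions that are anonymous
     (inode 0, no path), rwx, or backed by a memfd / unlinked file.

This is a heuristic: JIT runtimes (JVM, V8, .NET) legitimately create
anonymous rwx regions, so findings need triage against process identity.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable regions that are anonymous by design.
BENIGN_ANON_EXEC = {"[vdso]", "[vsyscall]", "[vectors]"}


@dataclass
class Finding:
    pid: int
    reason: str


def suspicious_exe(exe_target: str) -> Optional[str]:
    """Classify the readlink() target of /proc/<pid>/exe."""
    if exe_target.startswith("/memfd:"):
        return "exe is a memfd-backed (in-memory) file"
    if exe_target.endswith(" (deleted)"):
        return "exe backing file was unlinked after exec"
    return None


def suspicious_mappings(maps_text: str) -> List[str]:
    """Return reasons for every executable mapping that looks injected/fileless."""
    reasons: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, inode, path = m["perms"], int(m["inode"]), m["path"].strip()
        if "x" not in perms or path in BENIGN_ANON_EXEC:
            continue
        where = f"{m['start']}-{m['end']} {perms}"
        if inode == 0 and not path.startswith("/"):
            reasons.append(f"anonymous executable mapping {where}")
        elif "w" in perms:
            reasons.append(f"rwx file-backed mapping {where} {path}")
        elif path.startswith("/memfd:") or path.endswith("(deleted)"):
            reasons.append(f"executable mapping backed by memfd/unlinked file {path}")
    return reasons


def scan_process(pid: int, exe_target: str, maps_text: str) -> List[Finding]:
    """Combine both signals for one process (inputs already read from /proc)."""
    findings: List[Finding] = []
    exe_reason = suspicious_exe(exe_target)
    if exe_reason:
        findings.append(Finding(pid, exe_reason))
    findings.extend(Finding(pid, r) for r in suspicious_mappings(maps_text))
    return findings


def scan_live(proc_root: str = "/proc") -> List[Finding]:
    """Walk a real /proc; unreadable or vanished processes are skipped."""
    findings: List[Finding] = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/maps") as f:
                maps = f.read()
        except (OSError, PermissionError):
            continue
        findings.extend(scan_process(pid, exe, maps))
    return findings


# Constructed sample: a process exec'd from a memfd that also unpacked
# code into an anonymous rwx region (not captured from any real host).
SAMPLE_EXE = "/memfd:payload (deleted)"
SAMPLE_MAPS = """\
aaaab0000000-aaaab0010000 r-xp 00000000 00:01 1234    /memfd:payload (deleted)
aaaab0010000-aaaab0020000 rw-p 00010000 00:01 1234    /memfd:payload (deleted)
ffff80000000-ffff80100000 rwxp 00000000 00:00 0
ffff90000000-ffff90001000 r-xp 00000000 00:00 0       [vdso]
ffffc0000000-ffffc0021000 rw-p 00000000 00:00 0       [stack]
"""

# Constructed benign sample: ordinary file-backed process.
BENIGN_EXE = "/usr/bin/bash"
BENIGN_MAPS = """\
aaaaaaaa0000-aaaaaaab0000 r-xp 00000000 fe:01 393     /usr/bin/bash
aaaaaaab0000-aaaaaaac0000 rw-p 00010000 fe:01 393     /usr/bin/bash
ffff90000000-ffff90001000 r-xp 00000000 00:00 0       [vdso]
ffffc0000000-ffffc0021000 rw-p 00000000 00:00 0       [stack]
"""

if __name__ == "__main__":
    for f in scan_process(4242, SAMPLE_EXE, SAMPLE_MAPS):
        print(f"pid {f.pid}: {f.reason}")
```

The /proc view is the same on AArch64 and x86-64, so a packer does not evade it by changing architecture; what differs is the syscall-level telemetry a defender would pair this with (memfd_create, execveat/fexecve, mprotect to PROT_EXEC via auditd or eBPF), and on arm64 the syscall numbers and the absence of legacy calls such as open and fork mean x86-oriented syscall rules need re-deriving rather than porting.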