Payload Compilation Failure on Kali Linux ARM64 (mingw-w64)

[KaOs-12]

Hello,

I am unable to compile any Demon payload on a clean installation of Kali Linux on an ARM64 (aarch64) device. The compilation consistently fails with multiple C-level errors related to pointer types, integer conversions, and implicit function declarations.

Environment:

• OS:

  PRETTY_NAME="Kali GNU/Linux Rolling"
  NAME="Kali GNU/Linux"
  VERSION_ID="2025.2"
  VERSION="2025.2"
  VERSION_CODENAME=kali-rolling
  ID=kali
  ID_LIKE=debian
  

• Kernel:

  Linux kali 6.12.33+kali-arm64 #1 SMP Kali 6.12.33-1kali1 (2025-06-25) aarch64 GNU/Linux
  

• Compiler Version:

  x86_64-w64-mingw32-gcc (GCC) 14-win32
  

• Havoc Version: Latest main branch (also tested v0.7 archive with the same results).

Troubleshooting Steps Taken:

I have already performed extensive troubleshooting, including:

1. Ensuring all system dependencies are installed and up-to-date.
2. Performing a fresh git clone of the repository.
3. Attempting to compile the v0.7 release from a direct ZIP download.
4. Completely purging and reinstalling the mingw-w64 toolchain.
5. Manually patching payloads/Demon/include/core/MiniStd.h to add (PBYTE) casts to MemSet and MemZero macros. This successfully fixed the initial batch of errors.
6. Manually editing payloads/Demon/CMakeLists.txt to add compiler flags (-Wno-incompatible-pointer-types, etc.) to suppress warnings.

Even after all these steps, the compilation still fails with the following errors.

Final Compile Output:

src/core/Command.c: In function ‘CommandProcList’:
src/core/Command.c:618:64: error: passing argument 2 of ‘PackageAddBytes’ from incompatible pointer type [-Wincompatible-pointer-types]
618 | PackageAddBytes( Package, SysProcessInfo->ImageName.Buffer, SysProcessInfo->ImageName.Length );
| ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
| |
| PWSTR {aka short unsigned int *}
In file included from include/Demon.h:20,
from src/core/Command.c:1:
include/core/Package.h:53:11: note: expected ‘PBYTE’ {aka ‘unsigned char *’} but argument is of type ‘PWSTR’ {aka ‘short unsigned int *’}
53 | PBYTE data,
| ~~~~~~^~~~
src/core/Command.c: In function ‘CommandFS’:
src/core/Command.c:700:45: error: initialization of ‘UINT32’ {aka ‘unsigned int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
700 | UINT32 PathSize = NULL;
| ^~~~
src/core/Command.c: In function ‘CommandInjectShellcode’:
src/core/Command.c:1289:39: error: passing argument 2 of ‘ParserGetBytes’ from incompatible pointer type [-Wincompatible-pointer-types]
1289 | Payload = ParserGetBytes( Parser, &Size );
| ^~~~~
| |
| DWORD * {aka long unsigned int *}
In file included from include/core/Command.h:4,
from include/core/Package.h:4:
include/core/Parser.h:23:48: note: expected ‘PUINT32’ {aka ‘unsigned int *’} but argument is of type ‘DWORD *’ {aka ‘long unsigned int *’}
23 | PBYTE ParserGetBytes( PPARSER parser, PUINT32 size );
| ~~~~~~~~^~~~
src/core/Command.c:1290:39: error: passing argument 2 of ‘ParserGetBytes’ from incompatible pointer type [-Wincompatible-pointer-types]
1290 | Argv = ParserGetBytes( Parser, &Argc );
| ^~~~~
| |
| DWORD * {aka long unsigned int *}
include/core/Parser.h:23:48: note: expected ‘PUINT32’ {aka ‘unsigned int *’} but argument is of type ‘DWORD *’ {aka ‘long unsigned int *’}
23 | PBYTE ParserGetBytes( PPARSER parser, PUINT32 size );
| ~~~~~~~~^~~~
src/core/Command.c: In function ‘CommandToken’:
src/core/Command.c:1393:53: error: passing argument 2 of ‘PackageAddString’ from incompatible pointer type [-Wincompatible-pointer-types]
1393 | PackageAddString( Package, TokenData->DomainUser );
| ~~~~~~~~~^~~~~~~~~~~~
| |
| LPWSTR {aka short unsigned int *}
include/core/Package.h:59:11: note: expected ‘PCHAR’ {aka ‘char *’} but argument is of type ‘LPWSTR’ {aka ‘short unsigned int *’}
59 | PCHAR data
| ~~~~~~^~~~
src/core/Command.c:1562:48: error: passing argument 2 of ‘StringConcatW’ from incompatible pointer type [-Wincompatible-pointer-types]
1562 | StringConcatW( UserDomain, Deli );
| ^~~~
| |
| CHAR * {aka char *}
In file included from src/core/Command.c:8:
include/core/MiniStd.h:20:45: note: expected ‘PWCHAR’ {aka ‘short unsigned int *’} but argument is of type ‘CHAR *’ {aka ‘char *’}
20 | PWCHAR StringConcatW(PWCHAR String, PWCHAR String2);
| ~~~~~~~^~~~~~~
src/core/Command.c: In function ‘CommandAssemblyListVersion’:
src/core/Command.c:1799:10: error: implicit declaration of function ‘RtMscoree’ [-Wimplicit-function-declaration]
1799 | if ( RtMscoree() )
| ^~~~~~~~~
src/core/Command.c: In function ‘CommandExit’:
src/core/Command.c:3472:15: error: assignment to ‘SIZE_T’ {aka ‘long long unsigned int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
3472 | ImageSize = NULL;
| ^
src/core/ObjectApi.c: In function ‘BeaconSpawnTemporaryProcess’:
src/core/ObjectApi.c:477:111: error: passing argument 9 of ‘Instance->Win32.CreateProcessW’ from incompatible pointer type [-Wincompatible-pointer-types]
477 | bSuccess = Instance->Win32.CreateProcessW(NULL, Path, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, sInfo, pInfo);
| ^~~~~
| |
| STARTUPINFO * {aka STARTUPINFOA *}
src/core/ObjectApi.c:477:111: note: expected ‘LPSTARTUPINFOW’ {aka ‘struct _STARTUPINFOW *’} but argument is of type ‘STARTUPINFO *’ {aka ‘STARTUPINFOA *’}
src/core/ObjectApi.c:481:140: error: passing argument 8 of ‘Instance->Win32.CreateProcessWithTokenW’ from incompatible pointer type [-Wincompatible-pointer-types]
481 | bSuccess = Instance->Win32.CreateProcessWithTokenW(hToken, LOGON_WITH_PROFILE, NULL, Path, CREATE_UNICODE_ENVIRONMENT, NULL, NULL, sInfo, pInfo);
| ^~~~~
| |
| STARTUPINFO * {aka STARTUPINFOA *}
src/core/ObjectApi.c:481:140: note: expected ‘LPSTARTUPINFOW’ {aka ‘struct _STARTUPINFOW *’} but argument is of type ‘STARTUPINFO *’ {aka ‘STARTUPINFOA *’}
src/core/Socket.c: In function ‘SocketNew’:
src/core/Socket.c:78:95: error: passing argument 6 of ‘Instance->Win32.WSASocketA’ makes integer from pointer without a cast [-Wint-conversion]
78 | WinSock = Instance->Win32.WSASocketA( AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, NULL );
| ^~~~
| |
| void *
src/core/Socket.c:78:95: note: expected ‘DWORD’ {aka ‘long unsigned int’} but argument is of type ‘void *’
src/core/Socket.c: In function ‘SocketRead’:
src/core/Socket.c:323:77: error: passing argument 3 of ‘Instance->Win32.ioctlsocket’ from incompatible pointer type [-Wincompatible-pointer-types]
323 | if ( Instance->Win32.ioctlsocket( Socket->Socket, FIONREAD, &PartialData.Length ) == SOCKET_ERROR )
| ^~~~~~~~~~~~~~~~~~~
| |
| UINT32 * {aka unsigned int *}
src/core/Socket.c:323:77: note: expected ‘u_long *’ {aka ‘long unsigned int *’} but argument is of type ‘UINT32 *’ {aka ‘unsigned int *’}
src/core/Socket.c:338:93: error: passing argument 4 of ‘RecvAll’ from incompatible pointer type [-Wincompatible-pointer-types]
338 | if ( ! RecvAll( Socket->Socket, PartialData.Buffer, PartialData.Length, &PartialData.Length ) ) {
| ^~~~~~~~~~~~~~~~~~~
| |
| UINT32 * {aka unsigned int *}
src/core/Socket.c:7:65: note: expected ‘PDWORD’ {aka ‘long unsigned int *’} but argument is of type ‘UINT32 *’ {aka ‘unsigned int *’}
7 | BOOL RecvAll( SOCKET Socket, PVOID Buffer, DWORD Length, PDWORD BytesRead )
| ~~~~~~~^~~~~~~~~
src/core/Syscalls.c: In function ‘FindSsnOfHookedSyscall’:
src/core/Syscalls.c:207:31: error: initialization of ‘WORD’ {aka ‘short unsigned int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
207 | WORD NeighbourSsn = NULL;
| ^~~~
src/core/Token.c: In function ‘ProcessUserToken’:
src/core/Token.c:846:10: error: implicit declaration of function ‘GetTokenInfo’; did you mean ‘GetIconInfo’? [-Wimplicit-function-declaration]
846 | if ( GetTokenInfo( hToken, &TokenType, &Integrity, &ImpersonationLevel, &UserDomain ) )
| ^~~~~~~~~~~~
| GetIconInfo
src/core/Token.c:854:18: error: implicit declaration of function ‘IsNotCurrentUser’; did you mean ‘NtCurrentPeb’? [-Wimplicit-function-declaration]
854 | if ( IsNotCurrentUser( CheckUsername, CurrentUser, &UserDomain ) )
| ^~~~~~~~~~~~~~~~
| NtCurrentPeb
src/core/Win32.c: In function ‘LdrModuleSearch’:
src/core/Win32.c:179:16: error: assignment to ‘PLDR_DATA_TABLE_ENTRY’ {aka ‘struct _LDR_DATA_TABLE_ENTRY *’} from incompatible pointer type ‘struct _LIST_ENTRY *’ [-Wincompatible-pointer-types]
179 | Entry = Instance->Teb->ProcessEnvironmentBlock->Ldr->InLoadOrderModuleList.Flink;
| ^
src/core/Win32.c:184:12: error: implicit declaration of function ‘EndsWithIW’ [-Wimplicit-function-declaration]
184 | if ( ! EndsWithIW( ModuleName, Dll ) )
| ^~~~~~~~~~
src/core/Win32.c:193:16: error: implicit declaration of function ‘StringCompareIW’; did you mean ‘StringNCompareIW’? [-Wimplicit-function-declaration]
193 | if ( ! StringCompareIW( Name, Entry->BaseDllName.Buffer ) ) {
| ^~~~~~~~~~~~~~~
| StringNCompareIW
src/core/Win32.c:197:15: error: assignment to ‘PLDR_DATA_TABLE_ENTRY’ {aka ‘struct _LDR_DATA_TABLE_ENTRY *’} from incompatible pointer type ‘struct _LIST_ENTRY *’ [-Wincompatible-pointer-types]
197 | Entry = Entry->InLoadOrderLinks.Flink;
| ^
src/core/Win32.c: In function ‘listDir’:
src/core/Win32.c:1503:38: error: initialization of ‘UINT32’ {aka ‘unsigned int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
1503 | UINT32 PathSize = NULL;
| ^~~~
src/inject/InjectUtil.c: In function ‘GetReflectiveLoaderOffset’:
src/inject/InjectUtil.c:47:147: error: passing argument 2 of ‘Rva2Offset’ makes integer from pointer without a cast [-Wint-conversion]
47 | ExportDir = ReflectiveLdrAddr + Rva2Offset( NtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ].VirtualAddress, ReflectiveLdrAddr );
| ^~~~~~~~~~~~~~~~~
| |
| PVOID {aka void *}
src/inject/InjectUtil.c:12:41: note: expected ‘UINT_PTR’ {aka ‘long long unsigned int’} but argument is of type ‘PVOID’ {aka ‘void *’}
12 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
| ~~~~~~~~~^~~~~~~~~~~~~
src/inject/InjectUtil.c:48:86: error: passing argument 2 of ‘Rva2Offset’ makes integer from pointer without a cast [-Wint-conversion]
48 | AddrOfNames = ReflectiveLdrAddr + Rva2Offset( ExportDir->AddressOfNames, ReflectiveLdrAddr );
| ^~~~~~~~~~~~~~~~~
| |
| PVOID {aka void *}
src/inject/InjectUtil.c:12:41: note: expected ‘UINT_PTR’ {aka ‘long long unsigned int’} but argument is of type ‘PVOID’ {aka ‘void *’}
12 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
| ~~~~~~~~~^~~~~~~~~~~~~
src/inject/InjectUtil.c:48:25: error: assignment to ‘UINT_PTR’ {aka ‘long long unsigned int’} from ‘PVOID’ {aka ‘void *’} makes integer from pointer without a cast [-Wint-conversion]
48 | AddrOfNames = ReflectiveLdrAddr + Rva2Offset( ExportDir->AddressOfNames, ReflectiveLdrAddr );
| ^
src/inject/InjectUtil.c:49:93: error: passing argument 2 of ‘Rva2Offset’ makes integer from pointer without a cast [-Wint-conversion]
49 | AddrOfNameOrdinals = ReflectiveLdrAddr + Rva2Offset( ExportDir->AddressOfNameOrdinals, ReflectiveLdrAddr );
| ^~~~~~~~~~~~~~~~~
| |
| PVOID {aka void *}
src/inject/InjectUtil.c:12:41: note: expected ‘UINT_PTR’ {aka ‘long long unsigned int’} but argument is of type ‘PVOID’ {aka ‘void *’}
12 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
| ~~~~~~~~~^~~~~~~~~~~~~
src/inject/InjectUtil.c:49:25: error: assignment to ‘UINT_PTR’ {aka ‘long long unsigned int’} from ‘PVOID’ {aka ‘void *’} makes integer from pointer without a cast [-Wint-conversion]
49 | AddrOfNameOrdinals = ReflectiveLdrAddr + Rva2Offset( ExportDir->AddressOfNameOrdinals, ReflectiveLdrAddr );
| ^
src/inject/InjectUtil.c:54:92: error: passing argument 2 of ‘Rva2Offset’ makes integer from pointer without a cast [-Wint-conversion]
54 | FunctionName = ( PCHAR )( ReflectiveLdrAddr + Rva2Offset( DEREF_32( AddrOfNames ), ReflectiveLdrAddr ) );
| ^~~~~~~~~~~~~~~~~
| |
| PVOID {aka void *}
src/inject/InjectUtil.c:12:41: note: expected ‘UINT_PTR’ {aka ‘long long unsigned int’} but argument is of type ‘PVOID’ {aka ‘void *’}
12 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
| ~~~~~~~~~^~~~~~~~~~~~~
src/inject/InjectUtil.c:59:96: error: passing argument 2 of ‘Rva2Offset’ makes integer from pointer without a cast [-Wint-conversion]
59 | AddrOfFunctions = ReflectiveLdrAddr + Rva2Offset( ExportDir->AddressOfFunctions, ReflectiveLdrAddr );
| ^~~~~~~~~~~~~~~~~
| |
| PVOID {aka void *}
src/inject/InjectUtil.c:12:41: note: expected ‘UINT_PTR’ {aka ‘long long unsigned int’} but argument is of type ‘PVOID’ {aka ‘void *’}
12 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
| ~~~~~~~~~^~~~~~~~~~~~~
src/inject/InjectUtil.c:59:29: error: assignment to ‘UINT_PTR’ {aka ‘long long unsigned int’} from ‘PVOID’ {aka ‘void *’} makes integer from pointer without a cast [-Wint-conversion]
59 | AddrOfFunctions = ReflectiveLdrAddr + Rva2Offset( ExportDir->AddressOfFunctions, ReflectiveLdrAddr );
| ^
src/inject/InjectUtil.c:62:61: error: passing argument 2 of ‘Rva2Offset’ makes integer from pointer without a cast [-Wint-conversion]
62 | return Rva2Offset( DEREF_32( AddrOfFunctions ), ReflectiveLdrAddr );
| ^~~~~~~~~~~~~~~~~
| |
| PVOID {aka void *}
src/inject/InjectUtil.c:12:41: note: expected ‘UINT_PTR’ {aka ‘long long unsigned int’} but argument is of type ‘PVOID’ {aka ‘void *’}
12 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
| ~~~~~~~~~^~~~~~~~~~~~~
src/Demon.c: In function ‘DemonMetaData’:
src/Demon.c:253:36: error: passing argument 1 of ‘Instance->Win32.RtlGetVersion’ from incompatible pointer type [-Wincompatible-pointer-types]
253 | Instance->Win32.RtlGetVersion( &OsVersions );
| ^~~~~~~~~~~
| |
| OSVERSIONINFOEXW *
src/Demon.c:253:36: note: expected ‘PRTL_OSVERSIONINFOW’ but argument is of type ‘OSVERSIONINFOEXW *’
In file included from include/Demon.h:11,
from src/Demon.c:1:
src/Demon.c: In function ‘DemonInit’:
src/Demon.c:371:53: error: passing argument 1 of ‘Instance->Win32.RtlGetVersion’ from incompatible pointer type [-Wincompatible-pointer-types]
371 | if ( NT_SUCCESS( Instance->Win32.RtlGetVersion( &OSVersionExW ) ) ) {
| ^~~~~~~~~~~~~
| |
| OSVERSIONINFOEXW *
include/common/Macros.h:12:60: note: in definition of macro ‘NT_SUCCESS’
12 | #define NT_SUCCESS(Status) ( ( ( NTSTATUS ) ( Status ) ) >= 0 )
| ^~~~~~
src/Demon.c:371:53: note: expected ‘PRTL_OSVERSIONINFOW’ but argument is of type ‘OSVERSIONINFOEXW *’
371 | if ( NT_SUCCESS( Instance->Win32.RtlGetVersion( &OSVersionExW ) ) ) {
| ^~~~~~~~~~~~~
include/common/Macros.h:12:60: note: in definition of macro ‘NT_SUCCESS’
12 | #define NT_SUCCESS(Status) ( ( ( NTSTATUS ) ( Status ) ) >= 0 )
| ^~~~~~

It seems the codebase has a fundamental incompatibility with the current mingw-w64 toolchain on the aarch64 platform. Any help would be greatly appreciated.

Thank you for your time.

[bushidokarat3]

New MinGW/GCC Compiler Compatibility Fixes

This document describes the changes made to fix compilation issues with newer versions of MinGW GCC (15.x and later).

Problem

When using newer MinGW GCC compilers (version 15.x+), the Demon payload fails to compile with errors like:

error: too many arguments to function 'SysInvoke'; expected 0, have 4

This occurs because newer GCC versions (especially those with C23 awareness) interpret empty parentheses () in function declarations as (void) - meaning "no arguments" - rather than the older K&R style interpretation of "unspecified arguments".

Root Cause

The SysInvoke assembly function is declared with K&R style empty parentheses:

NTSTATUS SysInvoke();

In older C standards and compilers, this meant "function taking unspecified arguments". In C23 and strict modern compilers, this means "function taking no arguments", causing the compilation to fail when the SYSCALL_INVOKE macro passes arguments to it.

Files Modified

File	Change Description
teamserver/pkg/common/builder/builder.go	Added -std=gnu11 flag and fixed relative path resolution

Solution

1. Add -std=gnu11 Compiler Flag

File: teamserver/pkg/common/builder/builder.go
Lines: 200 and 209

Added -std=gnu11 to the compiler flags to force GNU C11 standard, which preserves the older behavior where () means unspecified arguments.

Original Code:

// Line 200 (Debug mode)
"-Os -fno-asynchronous-unwind-tables -masm=intel",

// Line 209 (Release mode)
"-Os -fno-asynchronous-unwind-tables -masm=intel",

New Code:

// Line 200 (Debug mode)
"-std=gnu11 -Os -fno-asynchronous-unwind-tables -masm=intel",

// Line 209 (Release mode)
"-std=gnu11 -Os -fno-asynchronous-unwind-tables -masm=intel",

2. Relative Compiler Path Resolution Fix

File: teamserver/pkg/common/builder/builder.go
Lines: 371-382

Fixed an issue where relative compiler paths in the profile (like data/x86_64-w64-mingw32-cross/bin/...) weren't being resolved correctly because the build command runs from the payload source directory, not the teamserver directory.

Original Code:

// add compiler
if b.config.Arch == ARCHITECTURE_X64 {
    CompileCommand += b.compilerOptions.Config.Compiler64 + " "
} else {
    CompileCommand += b.compilerOptions.Config.Compiler86 + " "
}

New Code:

// add compiler - resolve relative paths from teamserver directory
var compilerPath string
if b.config.Arch == ARCHITECTURE_X64 {
    compilerPath = b.compilerOptions.Config.Compiler64
} else {
    compilerPath = b.compilerOptions.Config.Compiler86
}
// If compiler path is relative, resolve it from the teamserver directory
if !path.IsAbs(compilerPath) {
    compilerPath = utils.GetTeamserverPath() + "/" + compilerPath
}
CompileCommand += compilerPath + " "

Header Files (No Changes Required)

The following files use K&R style declarations which now work correctly with the -std=gnu11 flag:

• payloads/Demon/include/core/Syscalls.h - NTSTATUS SysInvoke();
• payloads/Demon/include/core/SysNative.h - SYSCALL_INVOKE macro

Applying the Fix

After making these changes, rebuild the teamserver:

sudo make ts-build

Compatibility

These changes maintain compatibility with:

• Older MinGW GCC versions (11.x, 12.x, 13.x, 14.x)
• Newer MinGW GCC versions (15.x+)
• Both bundled cross-compilers and system-installed MinGW

Using System MinGW Instead of Bundled

If you prefer to use the system-installed MinGW compilers instead of the bundled ones, you can either:

1. Comment out the Build section in your profile - the teamserver will auto-detect system compilers:

   Teamserver {
       Host = "0.0.0.0"
       Port = 40056
   
       Build {
   #        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
   #        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
           Nasm = "/usr/bin/nasm"
       }
   }
   

2. Explicitly specify system paths:

   Build {
       Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
       Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
       Nasm = "/usr/bin/nasm"
   }
   

Technical Background

K&R vs ANSI C Function Declarations

• K&R style: int foo() - unspecified number of arguments
• ANSI C style: int foo(void) - explicitly no arguments
• C23 standard: () is equivalent to (void)

The -std=gnu11 flag tells GCC to use GNU C11 semantics, where () still means "unspecified arguments" for compatibility with legacy code like assembly stubs.