What’s more relaxing than a beautiful fall day, a crisp breeze, a glass of Sangria, and music from the local orchestra? Of course, I expect you answered: writing position-independent code projects that separate capability from tradecraft. If you didn’t answer that way, you’re wrong.

In the last six months, Tradecraft Garden has covered a lot of ground. This project started as a linker to make it easier to write position-independent code DLL loaders and it has rapidly evolved into an Aspect Oriented Programming tool to weave tradecraft into PIC and PICO capabilities. It can still write position-independent code DLL loaders too (modular and self-incepting DLL loaders, at that)—but there’s a lot more potential here.

One of the needs in the current model, is that while we can separate tradecraft from capability in C—the linker script forces us to define our architecture and tradecraft as one monolithic thing. Separating base architecture and tradecraft, within the specification files themselves, is the theme of this release.

Build Templates with %variables

This release introduces %variables into the Crystal Palace specification language. These are user-defined strings passed in at the beginning of the program. %variables are usable anywhere you would use a “string” argument in Crystal Palace’s specification language.

For example:

load %foo

This command will resolve %foo and load its contents. Easy enough, right?

We also have string concatenation with the <> operator too. So:

load %foo <> “.x64.o”

This will resolve %foo and append .x64.o to it.

With %variables comes the need to better understand what a script is doing. The new echo command prints its arguments to STDOUT (CLI) or to a SpecLogger object (API):

echo “I am looking at: “ %hooks

%variables evolve the Crystal Palace specification file language from a collection of commands into a build templating language. That is, a specification file may now define the architecture of a loader or capability with the information about specific tradecraft getting added later.

Simple Loader – Execution Guardrails uses these new features. The loader is now agnostic to the follow-on specification file it encrypts and packs. The %STAGE2 variable is a stand-in for that file. You can pair this stage with one of the other examples from the Tradecraft Garden (including a COFF loader or just straight PIC).

Populating %variables (“The Glue”)

For this base architecture and specific tradecraft separation to work, we need a glue. That is a means to specify %variables.

Specifying %variables via the Java API is easy. Put a “%variable” key into the environment map with a “string” value.

You may also specify %var=”value” arguments via the ./link and ./piclink CLI tools too.

If you want to keep a variable configuration in a file, add @file.spec to your program’s CLI. This will read file.spec and use its commands to populate variables before the main linker script is run. And yes, we have new commands to set %variables from a Crystal Palace .spec file.

setg sets a variable within the global scope for this build session:

setg “%bar” “0xAABBCCDD”

Crystal Palace has a concept of scope for variables too. You will almost always want global variables in these configuration files. But, local scope exists for variables that are visible only within the current label’s execution context. Use set to set a local variable:

set “%foo” “file.spec”

With any commands that set or update %variables, quote the variable name to prevent Crystal Palace from evaluating the variable to its contents before command execution.

And, pack is a way to marshal %variables (and other strings) into a $VARIABLE byte array.

pack $VAR “template” “arg1” %arg2 …

The Perl programmer in me can’t resist a good pack command. pack accepts a variable, template string, and list of arguments that correspond to the characters in the template string. Think of the template as a condensed C struct definition. Each character specifies how pack will interpret the argument string and what type it will marshal the value to.

While I see these commands as configuration tools, they are generic Crystal Palace commands. You can use them anywhere.

Layering and Chaining

While straight variable substitution is handy, sometimes, we want to mix and match modules of an unknown quantity. That’s where the next feature helps.

Crystal Palace’s foreach command expects a comma-separated list of items as its argument.

foreach %libs: mergelib %_

The foreach command walks the provided list and calls another Crystal Palace command with %_ set to the current element of the list. %libs needs to exist, but an empty value is OK. The goal of foreach is to act as a placeholder for layered tradecraft that’s dynamically brought into a base architecture.

The next command is a list shift and execute tool. next expects a “%variable” name argument and it expects %variable is a comma-separated list of values. If the list is empty, next does nothing. If the list is not empty, next removes %variable’s first item and runs the specified command with %_ set to that element.

next “%NEXT”: run %_

The goal of next is to support chaining tradecraft together, giving cooperating modules a mean to pass execution through each other.

Modular Specification File Contracts

Crystal Palace’s main modularity tool is to create separate .spec files and use run to execute their commands in another file. This release gives us more modularity options.

The run command now accepts positional arguments. And, it passes them on to the child script as %1, %2, %3, etc.

run “file.spec” “arg1” %arg2

The positional arguments of “file.spec” are local to that run of that file. If file.spec runs another .spec file, the positional arguments are local to that specification file’s runs. The local scope is necessary to prevent our .spec files from stepping on each other’s arguments.

This release also adds callable labels to specification files too. Think of them as local runnable files, user-defined commands, or Crystal Palace functions. To create a callable label use:

name.x64:

Then, list your commands like normal. That’s it. These labels are callable with a dot name syntax and accept positional arguments too:

.name “arg1” “arg2”

The nice thing about this feature is we now have a choice or whether to split a function into its own .spec file or let it co-exist inside of the current .spec file. And, while this is nice, that’s not why I chose to build this feature. The real payoff is the call command.

call runs a callable label from another specification file:

call “file.spec” "name" “arg1” “arg2”

call is an encapsulation tool. That is, our base specification defines the architecture of our capability or loader. %variables become the placeholder for our tradecraft implementation. And, callable labels and call let us present the pieces of a tradecraft in a single file, with a common interface (callable labels), that our base architecture expects to act on.

Simple Loader – Hooking demonstrates this idea. It defines a base architecture for hooking a DLL and a modular contract for hooking tradecraft modules. XORhooks demonstrates this contract. Stack Cutting is now a module that composes on top of this base loader. What’s really cool? You can layer them together.. See the Simple Loader – Hooking notes for more on this.

File Paths

One of the mundane, but important details in this scheme is file path resolution. Crystal Palace commands treat file paths as relative to the current .spec file. With %variables, things get messy, because we might specify a file path in one place (e.g., the CLI, @config.spec, an argument to run/call) and it gets used elsewhere. The resolve command brings some predictability to this.

resolve “%files”

resolve will walk through %files (assuming it’s a comma-separated list of files), canonicalize each entry to a filename [relative to the current .spec], and set %files to these full paths. This gives you control over when this path resolution happens and which .spec context its relative to.

The -r CLI option will resolve file paths in a %key=”value” argument provided that way.

Migration Notes

1. The link and piclink shell scripts changed in this version. You’ll want to update to the latest from the Crystal Palace distribution or source archive.
   
   
2. I’ve updated the CLI syntax for piclink and link to accept % and $ sigils for %VAR and $DATAKEY values specified on the command-line. The old behavior of KEY=[bytes] to set $KEY still works, but going forward, the documentation and other materials will use explicit sigils. You may want to update your scripts to use explicit sigils too.
   
   
3. Several of the methods in crystalpalace.spec.LinkerSpec were deprecated. I cleaned up the API to make it easier to share arguments between a configuration LinkSpec and the main LinkSpec. https://tradecraftgarden.org/docs.html#javaapi

Closing Thoughts

This release introduced several commands and features to change how Crystal Palace specification files work together.

The combination of %variables and the ability to set those via the Java API or CLI allow our users to combine a base specification with specific tradecraft choices later on. This turns a base PIC into a re-usable component.

Callable labels and call allow us to encapsulate tradecraft modules into a single file with different touch points (e.g., initialization, apply hooks) available via a common convention. Pair this with foreach and we have a means to specify tradecraft modules in one %variable and use them at the right-spots within the base project.

The goal of this release is to move Tradecraft Garden projects from singular monolithic examples, that each redefine everything, into reusable components to compose tradecraft cocktails with.

To see the full list of what’s new, check out the release notes.

It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engineer everything. One of the hot trends I never understood, was Aspect-Oriented Programming. I now have a healthy respect for AOP’s core ideas, as there’s real overlap with Tradecraft Garden’s goals and the Crystal Palace effort.

Aspect-Oriented Programming

Aspect-Oriented Programming is a paradigm to add functionality to a base program that normally needs code in a lot of places, but to do it from one place. The classic example is logging. A base program might not have any logging built-in at all. Aspect-Oriented Programming is a way to take this cross-code need and uniformly apply it to different points of interest in the program. In some AOP models (as we’ll discuss here) it’s possible to add features without changing the base program at all.

Aspect-Oriented Programming ideas and design patterns are absolutely relevant to separating capability and tradecraft, whether use-case and tool agnostic (as I’m working to do) or to make a C2 modular and flexible.

Here’s a quick run-down of Aspect-Oriented Programming vocabulary:

A cross-cutting concern is functionality one needs to apply into many places in a base program.

Join Points are specific instrumentation opportunities or places in the program one can attach an Advice to. These are the opportunities to get into the flow of the program.

An Advice is code that implements cross-cutting functionality.

A Pointcut is a mechanism to define (and even dynamically select) Join Points to insert Advice into. Pointcut refers to both the mechanism and a specific query to choose Join Points.

An Aspect is a module that packages Advices, Pointcut mechanisms, and Pointcut selectors.

The process of adding Aspects to a program is called Weaving. There are different methods of weaving. Some AOP frameworks process source code directly. Some managed runtime AOPs dynamically generate object proxies. Some AOPs rely on binary transformations like what I’m doing with Crystal Palace. LLVM plugins that dynamically add tradecraft at compile-time is AOP and Weaving too.

Hooking and other instrumentation techniques are a form of weaving. What separates AOP weaving from dynamic instrumentation like Frida, is AOP weaved functionality is part of production use rather than a temporary and risky intrusion into running code.

Crystal Palace PIC and AOP

Crystal Palace’s PIC service modules are an example of Aspect-Oriented Programming. Every PIC needs to resolve functions and the specific method is often painfully tangled with the program. This is true for using (or awkwardly avoiding) global variables too. These are cross-cutting concerns.

In Crystal Palace, Win32 API resolutions are a PIC Join Point. dfr attaches function resolution advice (the resolver) to these join points. dfr demonstrates a selective Pointcut feature too. Crystal Palace dynamically selects DFR advice for each Win32 API using its module as criteria. The end result is that a PIC capability exists blissfully agnostic to the service module that it’s paired with. This is possible because Crystal Palace weaves these Advices into the program through its binary transformation framework..

My point summoning all of this isn’t to flex with arcane enterprise programming jargon from 20+ years ago. Rather, it’s to show that there’s a body of work on these ideas that pre-dates a niche profession’s 2025 needs. And, to highlight that others used this paradigm to separate tightly coupled and disparately spread functionality into something architecturally clean, centralized, and swappable. This exists.

Attach, Redirect, Protect, Preserve, and Optout

In the recent Arranging the PIC Parterre, Daniel Duggan speculated:

“CP’s ability to weave helper functions inline with a merged capability provides a lot of exciting potential. A feature that I think would be really useful is changing how an API call is performed after it’s been resolved… but being able to rewrite DFR functions to push execution through a similar proxy, but without having to do explicit hooking, would be awesome.”

I fully agree. And today, I’ve got another update to Crystal Palace and Tradecraft Garden. This update brings weaving-enabled AOP primitives to PIC and PICOs.

One cross-cutting concern is Win32 API calls. Each Win32 API call is an opportunity to choose something equivalent, but stealthier, or to decorate the call with some sort of evasive action (e.g., prepping a fake call stack). To attach Advice (tradecraft) to a Win32 API call, we have the attach command:

attach “MODULE$Function” “_Hook1”

attach disassembles our program, finds references to MODULE$Function (M$F’er), and switches instructions and relocations to use _Hook1. This is weaving.

Crystal Palace applies these changes in a context-aware way. For example, M$F’er calls and references in _Hook1 are not updated. This means you can M$F’er from _Hook1 and access the original functionality.

M$F’er advices stack too. Let’s add this command after the above:

attach “MODULE$Function” “_Hook2”

This attach updates _Hook1’s M$F’er reference to _Hook2. _Hook2’s use of the Win32 API is untouched. A _Hook3 would update _Hook2’s reference to the API. Crystal Palace tracks this chain and knows which functions get which hooks. Each hook decides whether to call the target API and continue the chain. Hooks execute in a first-attached first-executed order.

Crystal Palace’s model to add hooks to a capability is to merge the hooks COFF with the capability COFF. That’s the merge verb introduced a few releases ago.

The updated Stack Cutting project in the Tradecraft Garden demonstrates attach. This IAT hooking demo now uses attach to incept some of the PIC loader’s Win32 API calls and push them through the stack cutting call proxy. I mean, why not?

redirect is another primitive, similar to attach. redirect targets the program’s local function calls:

redirect "function" "_hook"

The semantics of redirect are like attach. Calls and references to the target function within the hook aren’t touched. And, hooks stack too. Calls to function() within _hook and its successors execute the rest of the chain.

While redirect is awesome, don’t use it in place of the obvious. If you wish to lay functionality over a base program with a 1:1 mapping–good ol’ fashioned modular C is the right tool here. Declare an undefined function in a base module, use it, and merge the chosen implementation later.

One design pattern redirect enables is Chain of Responsibility. Imagine a C2 agent ships with a processinject() function. Its implementation is print an “I failed” error. With redirect, an end-user could stack processinject() advices onto this function in a desired handling order. If a processinject() advice is not applicable to the context (or it fails) it calls the next processinject(). On down the chain until one succeeds or the original “I failed” is reached. merge brings processinject() advices in dynamically. Maybe a big library with a bunch of them. With link-time optimization enabled, the unused functions go away. This same pattern could apply to communication modules or any number of things. That’s the power here.

If attach or redirect are used on a non-existing Join Point (e.g., the function or Win32 API doesn’t exist)—the command will do nothing. If link-time optimization is enabled, Advices not attached to something will get removed when the PICO or PIC is exported.

These powerful cross-program hooking tools require ways to isolate parts of the program from these hooks. That’s what protect, preserve, and opt out are for.

protect isolates the listed functions from all attach and redirect hooks. dprintf is opted into this automatically. Use this tool to protect debugging tools and other sensitive code.

protect "function1, function2, etc."

preserve protects a specific target (local function or Win32 API) from attach and redirect hooks in the listed function contexts. Use preserve functions that need direct access to the target function or its pointer.

preserve "target|MODULE$Function" "function1, function2"

optout prevents specific hooks from taking effect within a function. Use optout to isolate a tradecraft setup function from its own hooks. This makes it possible for other tradecraft to modify the setup function later.

optout "function" "hook1, hook2, hook3"

When I started this work, I had ambitions to explore a many to 1 call proxy for attach and redirect. I thought I could come up with a scheme that used %rax/%eax to keep the original function pointer. But, as I thought on this further, I didn’t like it. My thought is that I would need a many to 1 proxy for each number of arguments I expect to proxy (e.g., proxy2, proxy3, etc.). I also didn’t have a means to have Advices follow function pointers. I opted to abandon this approach and go with tractable 1:1 mappings.

I really like this implementation of attach and redirect. Nothing feels janky about it. The program output after attach and redirect is indistinguishable from the original program calling the hook function. In some cases, attach simplifies the instructions some (e.g., it detects load/call to pre-call fetch a Win32 API’s pointer from an IAT slot and simplifies this to call hook).

Right-sized IAT Hooking

One of the tradecraft and capability separation models I cater to is the PIC loader paired with a DLL (or PICO) capability. Here, Win32 APIs are an of-interest Join Point. And, our method to apply Aspects/tradecraft to Win32 API calls is to hook these APIs during the load process.

This Crystal Palace update adds some features to help with the above. addhook registers a MODULE$Function hook with Crystal Palace.

addhook “MODULE$Function” “hook”

Specify as many of these as you like. Crystal Palace won’t throw an error if a MODULE$Function hook isn’t used.

These registered hooks are used by the __resolve_hook() linker intrinsic (defined in tcg.h):

FARPROC __resolve_hook(DWORD functionHash);

A linker intrinsic is a pseudo-function that expands into linker generated code later in the process. __resolve_hook() generates code to turn a Function ror13 hash into a hook.

One of the problems with IAT hooks, is we don’t know which capability (or variation) they’re going to get attached to. And, so we run the risk of specifying too many hooks and having a bloated loader/tradecraft layer or specifying too few, in the name of code economy. This release helps with this problem too:

filterhooks $DLL

The filterhooks command walks the imports of a specified $DLL or $OBJECT and removes registered hooks that aren’t needed in this capability context. What this means is our dynamically generated __resolve_hook() function only maps hashes to hooks that are needed by $DLL or $OBJECT. Pair this with link-time optimization and the unused hooks are removed when the final program is generated. Right-sized IAT hooking!

The Simple Loader (Hooking) and Stack Cutting examples demonstrate these IAT hooking features.

Tips for Hooking

Here are some tips to write addhook and attach hook functions, compatible with the original API call:

1. hook should accept the same number and type of arguments as the Win32 API you’re attaching to.
   
2. hook should have the same decorators (e.g., WINAPI) as the Win32 API you’re attaching to. These set things like the calling convention (e.g., __cdecl vs. __stdcall). If the hook and API don’t match here, it’ll bite ya—especially on x86.
   
3. Don’t decorate hooks with __declspec(dllimport) or something that aliases it (e.g., WINBASEAPI, DECLSPEC_IMPORT, etc.). Crystal Palace won’t treat these symbols like local functions.
   
4. Beware: x86 __stdcall convention function symbols have @## after the function name. Crystal Palace expects full function symbols in most places. The ## is the size (in bytes) of arguments pushed onto the stack. Multiply the number of arguments by four and you’ve guessed the ## value. If you forget @## in a symbol, Crystal Palace will throw an error–BUT it’ll also suggest which full symbol name it thinks you meant.

PICO Function Exports

This release adds PICO function exports and a PICO API to get their function pointers.

exportfunc exports a function and assigns it a tag intrinsic:

exportfunc “function” "__tag_function"

This process generates a random integer tag for the function. This tag makes the exported function discoverable via the PICO’s loading directives.

We don’t know this hidden tag value. That’s where __tag_function() comes in. This pseudo-function is replaced with the hidden tag at link time. __tag_function() is available globally to any PIC/PICO exported after exportfunc is used.

Here’s the prototype to declare __tag_function:

int __tag_function();

Use this intrinsic with PicoGetExport to get a pointer to the exported function:

PICOMAIN_FUNC pFunction = PicoGetExport(picoSrc, picoDst, __tag_function());

The purpose of the tag scheme is to make dynamic linking safer. Originally, I had a manual user-assigned tag scheme. And, even I, illustrious developer of this cockamamie tool, found I couldn’t keep an integer synced between two files. I chased a crash because I forgot exportfunc too. If __tag_function() resolves–we know that exportfunc was used on a valid PICO function during this linking session.

Simple Loader (Hooking) merges two PICOs to save a memory allocation and relies on exportfunc to call code in the merged PICO. Simple Loader (Hooking) and Stack Cutting use exportfunc to make post-merge tradecraft setup APIs available between a hooks module and base loader in their shared architecture.

Migration Notes

(1) I’ve changed the function signatures of findFunctionByHash and findModuleByHash in tcg.h to use the right types. You’ll need to update your DFR resolvers to keep the compiler happy:

FARPROC resolve(DWORD modHash, DWORD funcHash) {
	HANDLE hModule = findModuleByHash(modHash);
	return findFunctionByHash(hModule, funcHash);
}

(2) I’ve removed reladdr from Crystal Palace and revoked permission for linked contents to use partial pointers. fixptrs is now required for x86 PIC doing anything interesting.

Closing Thoughts

I led this post with Aspect-Oriented Programming for good reason. Aspect-Oriented Programming is an instrumentation-enabled programming paradigm. AOP does not replace modular C programming. Instead, it’s a complement to layer cross-program changes onto a base program. Evasion tradecraft is a cross-cutting program concern that benefits from AOP-style tools.

While Crystal Palace continues to serve the PIC loader + DLL capability problem set, I think this technology’s most exciting when using PICOs (usable as PIC or with a loader) as an AOP-friendly canvas to compose fully realized tradecraft demonstrations onto.

To see what’s new, check out the release notes.

The goal of Tradecraft Garden is to separate evasion tradecraft from C2. Part of this effort involves looking for logical lines of separation. And, with PIC, I think we’ve just found one of them.

Two weeks ago, I introduced several features that brought a unified convention model for Crystal Palace PIC and its BOF-like PICOs. This release continues that effort by fixing some bugs and expanding on these features.

Dynamic Function Resolution, Revisited

Last release, I added a means for Crystal Palace PIC to call Win32 APIs using the Dynamic Function Resolution convention. The implementation has Crystal Palace disassemble the program, find any calls to a MODULE$Function Win32 API, and dynamically insert a call to a user-provided resolver (specified, in the specification file) to turn that call into a ready-to-use pointer.

Part of where I’m going with this work, is I’d like one set of conventions to write PICOs and PIC–with the same program working as-is in either context. When I introduced PIC DFR, I realized… shit… I painted myself into a corner here.

PICO loaders have a convention to act on libraries that are not loaded in the current process yet. The current DFR model for PIC doesn’t. I ran into this problem when recording my PIC ergonomics video. I had to debug why a call to User32$MessageBoxA crashed. No User32 library. 😦 The solution was to add LoadLibraryA(“User32”) at the beginning of the program.

This release solves the above problem. Crystal Palace specification files can now specify multiple Dynamic Function Resolution resolvers and either associate a resolver with a specific set of modules OR set a default resolver.

Now, it’s possible to do this:

dfr “resolve” “ror13” “KERNEL32, NTDLL”

And Crystal Palace will use the resolve() function with the ror13 module and function arguments to resolve APIs tied to Kernel32 or NTDLL.

And, for everything else, we can set a default resolver:

dfr “resolve_ext” “strings”

The above is the same syntax introduced in the last release. Any API not matched to another resolver will fall back to the default resolver. And, it’s perfectly OK for the default resolver to use KERNEL32 and NTDLL APIs to aid its work (since they’re resolved in a different resolver):

char * resolve_ext(char * mod, char * func) {
    HANDLE hModule = KERNEL32$GetModuleHandleA(mod);
    if (hModule == NULL)
        hModule = LoadLibraryA(mod);
 
    return (char *)GetProcAddress(hModule, func);
}

Say yes to the .bss (PIC Global Variables)

One of the ass-pains that inspired Crystal Palace was my attempt to implement Page Streaming as a DLL loader without access to global variables to keep state. Clearly, there’s a lot we can do in PIC without global variables—but it’s nice to have the option when it’s needed.

Crystal Palace’s fixbss command is a way to bring (uninitialized) global variables to Crystal Palace position-independent code. Like fixptrs and dfr, this command relies on a binary transform and a helper function. When a fixbss function is provided, Crystal Palace will disassemble your program, find instructions that reference .bss data (uninitialized global variables), and dynamically insert a call to your function. This function must reliably return the same pointer to read/write memory where the .bss data can live in memory. The beautiful part of restoring just the .bss section, is we don’t have to worry about copying over any initial data. We just need read/write memory of a suitable size that is initialized (or already set to) zeroes.

Now, the question becomes… how to implement our fixbss function? This is a tradecraft question and there are certainly different creative ways to do this.

The Simple PIC Tradecraft Garden example demonstrates one way. Its specification file defines getBSS as our .bss fixing function.

fixbss “getBSS”

Simple PIC implements getBSS by looking for a data cave. What is a data cave? It’s unused space within a loaded library or program we can stash data into. Simple PIC’s getBSS uses the slack space between a read/write mapped section’s real size and it’s rounded-up to the nearest page virtual size. We simply walk a few modules (in my example, I walk the current program and Kernel32), find their mapped .data section, and check if the slack space is large enough to accommodate our program’s .bss section. This space is already read/write, it’s predictable to find with a walk, and it’s initialized to zero. Perfect for our demonstration. But, beware—my implementation is not friendly to multiple PICs in the same process using this technique.

Other caveats apply. Crystal Palace only transforms certain common instruction forms (here: load address, load, store, and store a constant for byte/word/dword/qword types) with this feature. As soon as you start doing esoteric stuff or enabling optimizations—you may run into instruction forms Crystal Palace can’t handle.

While I think transparent availability of globals in PIC is a cool trick, I want to clarify something important. This is not a push to always use transformed PIC. My goal is more parity between PIC and PICOs. In situations where I’m allocating or repurposing eXecutable memory in the current process for a capability… I think the better choice is a loaded PICO (globals, strings, Win32 API, etc. without binary transforms). What we get with this parity is code re-use between PIC and PICOs, a common set of skills to write PIC and PICOs, and flexibility to choose the right output for the needs of the situation. That’s why I’ve made this work part of the Crystal Palace effort.

Remap

This release adds a symbol remapping command (e.g., remap “old” “new”). This is a dumb primitive to simply rename a symbol in your COFFs symbol table.

One use of symbol remapping is to aid those of you who dislike the Dynamic Function Resolution convention. Simply create a .spec file of APIs you might use and fill it with:

x86:
  remap “__imp__Function@8” “__imp__MODULE$Function@8”
  remap “__imp__VirtualAlloc@16” “__imp__KERNEL32$VirtualAlloc@16"

x64:
  remap “__imp_Function” “__imp_MODULE$Function”
  remap “__imp_VirtualAlloc” “__imp_KERNEL32$VirtualAlloc

Remap won’t complain if a function you intend to remap doesn’t exist.

The above isn’t the only use of remap. The remap command is also a way to build one binary and, in the context of a specification file, remap one of several stand-by implementations of an expected function to the expected name. This is better described with an example.

Tradecraft Garden’s Simple Object and DLL loader demonstrated (with too much complexity) what it looks like to write a loader that works for a PICO or a DLL. The remap command gives us a tool to simplify this example some.

Rather than have two Makefiles (one for a DLL loader, another for an Object loader)—we instead compile one loader binary. And, our loader binary as-built has no go() function defined. Instead, it has go_dll and go_object.

With remap, our specification file can remap “go_object” “go” when we have an object target. And, we can also remap “go_dll” “go” when we have a DLL target.

What about the extra unneeded function? Use make pic +optimize and let the link-time optimizer get rid of the unused function. The end result is starting with one binary, we’re able to use our .spec file context to tailor that program down to exactly what’s needed for the situation.

Migration Notes

None.

Closing Thoughts

With these new features introduced, let’s revisit this logical line of separation thing.

One of the responsibilities of a DLL loader is to bootstrap the needed execution “stuff” to allow loading a DLL. That is finding Win32 APIs, allocating memory, etc. These bootstrapping behaviors are a detection opportunity and an area for exploring/finding alternate techniques.

Today, it’s easy to think of a PIC program as a monolithic thing that must do everything, including its own bootstrapping. But, with Crystal Palace we now have a clear line between bootstrapping and capability within PIC itself.

The bootstrapping functionality for our PIC loaders is the stuff that Crystal Palace’s helper functions implement: the x86 pointer fixing, the .bss fixing to get global variables back, and our strategy to satisfy the contract of dynamic function resolution. The choices made for each of these bootstrapping chores is a tradecraft choice and it makes sense to keep these bootstrapping cocktails separate of and agnostic to the follow-on PIC. We can do this now.

The new Simple PIC example in the Tradecraft Garden demonstrates this separation well. I’ve implemented a PIC bootstrapping cocktail as something I call a service module. This service module is scoped to the functionality our PIC capability needs to restore key language features and start doing real work in a Win32 process space. It handles bootstrapping like a loader, but it’s not a loader—because it doesn’t load anything.

Crystal Palace’s model to pair a service module with a capability is to merge the two programs into one and dynamically weave calls to the different helper functions into the end-capability to make everything work as expected. [I intend to explore what else this approach can buy us.]

The Simple PIC project merges its service module with an arbitrary PICO to make a functional PIC program. This separation makes the code easier to digest, it makes the follow-on loader agnostic to these bootstrapping choices, and it containerizes an important set of discrete tradecraft choices (e.g., we could have an arsenal of PIC bootstrappers to choose from and they could stand-alone as self-contained units of study).

Thoughtful containerization, finding these lines of separation, is the name of the game here. This is all part of an effort to reframe offensive security research as a systemic security science. And, I believe componentization of the attack chain is a needed step to enable this.

To see what’s new, check out the release notes.

Enjoy the release.

When I started work on Crystal Palace, my initial thought was to see how much I could ease development of position-independent code DLL capability loaders using the tools and manipulations possible with a linker. The initial Tradecraft Garden examples were built with these primitives.

Crystal Palace doesn’t just merge and append COFFs though. It’s a powerful binary transformation framework as well. That is, Crystal Palace has the ability to disassemble a compiled program, turn it into an abstract form, manipulate it, and put it back together. This technology is the foundation of Crystal Palace’s code mutation, link-time optimization, and function disco features.

Before we go further, I’d like to shout out Austin Hudson’s Orchestrating Modern Implants with LLVM Fortra booth presentation at BlackHat 2025. One of the LLVM uses he described was transforming non-PIC x86 programs to working PIC. It’s a cool talk and it inspired me to look at binary transformations to make Crystal Palace PIC more ergonomic. Which gets to the new features…

This release adds features to transform x86 and x64 programs, written to PICO conventions, into working position-independent code. While these binary transformations are opt-in (you can still manually copy and paste ror13 hashes from elsewhere, if you really want to), they greatly simplify writing PIC and I’m all-in with them. All of the examples in the Tradecraft Garden were simplified with these new tools.

And, taking full advantage of unified conventions for x86 PIC, x64 PIC, and x86/x64 PICOs—this release introduces a Crystal Palace concept of shared libraries to aid modularity, code re-use, and open up opportunities to participate in the ground truth eco-system this project seeks to build.

Dynamic Function Resolution for PIC

One of the defining features of Cobalt Strike BOFs and Crystal Palace PICOs are Dynamic Function Resolution (DFR). That is, calling Win32 APIs as MODULE$Function to give their loaders the needed hints to resolve the right function pointer.

Crystal Palace now has Dynamic Function Resolution for x86 and x64 PIC. Because PIC has no loader, acting on this convention requires a different approach. Here, the binary transformation framework helps. Crystal Palace walks your program, finds instructions that reference __imp_MODULE$Function symbols, and dynamically inserts code to call a user-provided resolver function. This new code replaces the original instruction that would have expected a patch from the loader.

To opt into this feature, specify a DFR resolver in your Crystal Palace specification file:

dfr “resolver” “method”

There are two resolver methods right now: ror13 and strings. The method dictates the arguments generated and passed to the resolver function.

The ror13 method will turn MODULE and Function into ror13 hashes and pass them as arguments to your resolver function. The strings method pushes strings onto the stack and calls your resolver with pointers to these strings. Most Tradecraft Garden Simple Loaders demonstrate the ror13 method. Simple Loader – Pointer Patching (which patches-in a pre-existing GetProcAddress/GetModuleHandle) demonstrates the strings method.

With this feature, this goes away:

And, we get this instead:

Crystal Palace’s PIC DFR convention expects you’re resolving Win32 APIs from already loaded libraries. If you’re writing a full-fledged capability as PIC, make sure you load any needed libraries at the beginning of your program.

If you’re worried that the above introduces unwelcome fixed constants into your program, fear not. Crystal Palace’s code mutation, when enabled with “make pic +mutate”, will rewrite these constants for you.

Fixing x86 PIC Pointers

One of the barriers to unified code for x86 PIC and x64 PIC is the addressing model. x86 programs reference data using a model known as direct addressing, that is they expect to know the full address of any data they work with. Crystal Palace PIC, so far, has worked around x86’s direct addressing model with hacks. That is, Crystal Palace patches in an offset to any referenced data and expects, somehow, that the PIC’s C code takes special steps to turn that offset into a full pointer. These hacks are why Tradecraft Garden was full of #ifdef macros like this:

But, thanks to another opt-in transform—we can get away from the above:

fixptrs  “_caller”

The fixptrs command accepts the name of a caller function. This is a simple contract. The caller function’s job is simply to return its return address. And, the above becomes this:

When fixptrs is set, Crystal Palace will walk your x86 PIC, find any data references, and rewrite the instructions to create a full pointer. (The caller function aids this process.) This means you don’t have to rely on #ifdef hacks and manually calculated instruction offsets to referenced linked data or function pointers in x86 PIC.

This also opens another door. Crystal Palace’s “make pic” now appends .rdata to x86 and x64 PIC programs. Thanks to the fixptrs feature, x86 instruction references to .rdata now work too—giving x86 PIC access to string constants without any special handling in your C code.

The above makes “make pic64” redundant and I’ve removed “make pic64” from Crystal Palace. “make pic64” was an opt-in way to append .rdata to x64 PIC programs and (thanks indirect addressing) get access to string constants from x64 PIC.

While the above is a lot of fun, there are some caveats. x86 references to .rdata, especially with compiler optimizations enabled, generate a lot of possible instruction forms. Crystal Palace only has strategies for the most common forms. When a novel instruction form is encountered, Crystal Palace will catch it, and fail with an error stating it can’t fix the pointer. This is a good hint to either disable optimizations in your x86 PIC or… at least… to disable optimizations within the offending function.

What should go() first?

In position-independent code, your entry point must live at position 0 of your program. Tradecraft Garden used to satisfy this requirement by specifying a go() function at the top of a program, before anything else is included, and having it call the real entry point:

Now, you can declare your entry point as go. And, with make pic +gofirst—Crystal Palace will move this function to position 0 of your PIC.

This is a minor ergonomic feature for developers and another way to make PIC work more like PICOs. Like all of the above features, it’s opt-in via your Crystal Palace specification file.

Shared Libraries

With the above work, Crystal Palace now has shared conventions for x86 PIC, x64 PIC, and x86/x64 PICOs. In practice, this means a compiled object written to these conventions should “just work” in an x86, x64 PIC or PICO context. And, this paves the way for Crystal Palace shared libraries.

Crystal Palace shared libraries are zip files with compiled objects that use these common conventions to offer easy code re-use between PIC and PICO projects. Note: Crystal Palace PIC does not support read/write global variables, where PICOs do. Shared libraries that wish to work with PIC and PICOs should not use read/write global variables either.

The first Crystal Palace shared library is LibTCG, the Tradecraft Garden Library. LibTCG is all of the common functionality in the Tradecraft Garden examples now. It offers DLL parsing and loading, PICO running, printf debugging, and Export Address Table API resolution. LibTCG replaces all of the duplicate #include header files that implemented this functionality in the previous iterations of the Tradecraft Garden examples.

Use Crystal Palace’s mergelib "lib.x64.zip" command to merge all of the objects from a Crystal Palace shared library into a PIC or PICO.

Now, you may have some concerns about the above in the context of offensive security use cases. The first concern is size. Naturally, a shared library will come with a lot of stuff your current program doesn’t need—making it artificially larger than it would be. Well, you can still load and merge individual objects if you like. But, there’s another solution to this problem too: link-time optimization. Crystal Palace’s link-time optimization walks your program, starting at the entry point go, and builds a set of all called/referenced functions. It then rewrites your program to keep the used stuff and get rid of the unused stuff. So, that’s one solution.

Of course, incorporating a shared library means a static content fingerprinting playground. But, that’s why we have code mutation. And, you can use function disco to shuffle functions and effectively interweave imported content with your bespoke content. It’s up to you. Further, if a shared library has a stable API—there’s nothing to say you can’t maintain a private version of that library and keep it for your projects while letting the generic fingerprinted version demonstrate functionality publicly.

Shared Libraries also fill an eco-system gap in Tradecraft Garden’s model. Up until now, I struggled with how I (or others) might expose one-off tradecraft ideas or variations of existing ideas—without writing a bespoke loader for each. Crystal Palace’s shared libraries are path to package and document one-off or like ideas into something easy to incorporate and use from both PIC and PICOs.

License Change

When I initially released the Tradecraft Garden, I chose the BSD license for Crystal Palace. This was a deliberate choice to welcome this component’s integration and use in commercial and open source projects.

Separately, I chose the GPLv2 for Tradecraft Garden’s example loaders. I liked the idea of the GPLv2 as a way to keep the derived tradecraft open. My goal isn’t just an open source eco-system though. I want something that welcomes security conversation-aligned commercial players to co-create value with this commons. A permissive license better serves my goal to create this security conversation-aligned eco-system and more opportunities for offensive security research.

So, in the spirit of weeding the garden and cleaning things up, I’m relicensing the Tradecraft Garden example loaders under the BSD license. (And, for those of you who’ve built on the previous code, I’ve released an updated package with those materials under a BSD license—which you’re welcome to use if you wish for the permissive freedoms). For anyone building open source on this tech, I encourage you to use a permissive license (e.g., BSD, MIT, Apache 2.0).

Migration Path

Here are the migration notes for projects updating to the latest release of Crystal Palace:

This release deprecates “make pic64”. Use make pic instead.

The Makefile for LibTCG requires zip in your WSL environment. Use sudo apt-get install zip to install it

The rest of the features are opt-in and won’t break existing code and specification files. But, I recommend looking at these new conventions as they are the future of Tradecraft Garden:

1. Use “make pic +gofirst” in all of your PIC programs and rename the intended entry point to go()
2. Move away from explicit ROR13 hashes and port your PIC programs to use Dynamic Function Resolution
3. Opt into the x86 pointer fixing with fixptrs and get rid of the manual #ifdef hacks and pointer offsetting required before.
4. Ditch the original Tradecraft Garden common functionality headers and move over to the Tradecraft Garden library. You just need to #include “tcg.h” and use mergelib to include libtcg.x86.zip (or libtcg.x64.zip) in your program.

To see what’s new, check out the release notes.

Enjoy the release.

Today, I’m releasing another update to the various Tradecraft Garden projects. This update is a dose of Future C2 and some cool updates to the Crystal Palace tech. Here’s the latest:

Code Mutation and More…

This release adds a Binary Transformation Framework (BTF) to Crystal Palace. The BTF is the ability to disassemble programs, modify them, and put them back together into a working program.

Tools built on the Binary Transformation Framework are exposed as +options to Crystal Palace’s make object/make pic specification file commands.

x64:
	load "bin/loader.x64.o"
		make pic +optimize

		push $OBJECT
			make object +optimize
			export
			link "my_data"

		disassemble "out.txt"

		export

The options are:

+optimize enables a link-time optimization pass over the COFF. This is a way to remove unused functions from the COFF or PIC. For example, if you #include a mini C runtime into your loaders/programs, this will get rid of any functions you didn’t use.

+disco is a feature I call function disco. It randomizes the order of functions within the COFF or PIC, but if you’re using “make pic” it respects the first function as the required entry point and doesn’t randomize that.

+mutate is a code mutator. The intent of this feature isn’t to frustrate reverse engineering, rather it’s to bring some variety to the code and create content signature resilience. The initial Crystal Palace mutator focuses on breaking up constants, stack strings, and creating some noise in the program.

Future C2 Pivot

I don’t see Tradecraft Garden as a Future C2 effort. Rather, my goal is to containerize and separate evasion tradecraft from C2s. I see this as helpful to socialize security research as security ground truth, something applicable to uses beyond security testing exercises. I see this as a path to invite a broader market for this capability. This isn’t an abandonment of red teaming, quite the opposite: red teaming is the idea factory. My goal is more opportunities for researchers and the intellectual freedom to pursue our work without harassment.

Bigger ends aside, I appreciate that pursuing the above requires this project to go where researcher interests live.

To accommodate those of you working with position-independent code projects, I’ve added a ./piclink command (and Java API) to use a Crystal Palace specification file to assemble a position-independent code project without a target capability to pair with. This gives you the benefit of Crystal Palace’s error checking, code mutation, link-time optimization, and ability to pack multiple resources together and link them to symbols within your PIC (or… PICOs).

If I were looking to replace DLLs as a capability container, I wouldn’t bet everything on position-independent code. I would also look at COFF combined with a PIC loader, similar to what we do with memory-injected DLLs now. The one downside of the loader is the need to allocate new memory for the capability (vs. executing it in place). But, the upside is you can instrument a COFF and separate tradecraft much the same way that’s possible with a DLL (e.g., the Tradecraft Garden design patterns for proxying calls, execution guardrails, etc. are the same). The benefit of COFF is it’s still very small, it’s mutate-able, and it’s easier to work with than position-independent code. Further, executing a capability via a PIC loader with follow-on one-time and persistent tradecraft pieces allows memory clean-up of the tradecraft as its loading and executing.

To support the above, I’ve made some changes to Crystal Palace:

The ./link command and Java API in Crystal Palace now transparently accept PICOs (Crystal Palace COFF) or DLL. If a COFF file is specified, it’s set to $OBJECT. To state the obvious: the specification file (and loader code) need to accommodate your PICO too, but it’s possible to support DLL and COFF capability via a single specification file.

I’ve also ported the test demonstration program from DLL to COFF. And, so, Crystal Palace now comes with test.x86.o and test.x64.o which will pop a “Hello World” message box. Pretty exciting, right? And, I’ve added Simple Loaders to Tradecraft Garden to demonstrate the basics of building a tradecraft that can accommodate either a DLL or COFF.

And, some helpful material…

And, I’ve also published a video on PIC development fundamentals to the Tradecraft Garden Amphitheater. The goal of this video is share some fundamental knowledge for writing PIC whether its using Crystal Palace, Stardust, or something else.

Check out the release notes to see a full list of what’s changed.

Enjoy!