Raphael Mudge

@raphaelmudge.bsky.social

Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org

315 Followers  |  18 Following  |  285 Posts  |  Joined: 04.03.2025  |  1.9847

Latest posts by raphaelmudge.bsky.social on Bluesky

I've been playing with a C2 built around PIC modularity for the last few weeks. C2 comms are merged into the agent at link time and output as shellcode. COFFs are transformed into PICOs for postex. Evasion tradecraft can be woven in via spec files. Very scriptable using Sleep.

09.02.2026 16:39 — 👍 7    🔁 2    💬 0    📌 0

Link preview: The Islands of Invariance: Crystal Palace now has a Yara rule generator. In this blog post, I'll walk you through the design and evaluation of this feature. rule PageStream_rDLL_03495de1 { meta: description = “PageStre…

The Islands of Invariance

More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.

aff-wg.org/2026/02/02/t...

02.02.2026 17:03 — 👍 7    🔁 4    💬 0    📌 0

Link preview: GitHub - Cobalt-Strike/eden: A PoC UDRL for Cobalt Strike built with Crystal Palace that combines Raphael Mudge's page streaming technique with a modular call gate (Draugr)

And, here's the GitHub project for Eden Loader.

github.com/Cobalt-Strik...

23.01.2026 21:15 — 👍 0    🔁 0    💬 0    📌 0

Link preview: YouTube video by beac0n Red Team: Will Burgess @ beac0n 2025 - Linkers and Loaders: Experiments with Crystal Palace

And, just posted too: Will Burgess' Linkers and Loaders: Experiments with Crystal Palace at beac0n 2025.

www.youtube.com/watch?v=GijV...

Will and I know the same tech pains really well. Good play-through with Crystal Palace and ideas around it. I appreciate the kind words & getting the word out.

23.01.2026 21:15 — 👍 1    🔁 0    💬 1    📌 0

Cobalt Strike blog post by x.com/joehowwolf on using Crystal Palace to mash-up Page Streaming and Draugr Call Stack Spoofing into a Cobalt Strike UDRL.

(Again, I really love the comics. They are perfect).

23.01.2026 21:15 — 👍 9    🔁 2    💬 1    📌 0

Link preview: Georgia Weidman on X: "A few of you asked if I had the old @novahackers videos. Yes, I do, and I'm rereleasing them! Here are the talks from December 2010, including what is possibly the very first demo of Armitage (before Cobalt Strike, there was Armitage) from @armitagehacker, a talk on hacking"

Georgia Weidman has posted some December 2010 NovaHackers talks, including my first talk on Armitage.

x.com/georgiaweidm...

Video link:

www.youtube.com/watch?v=ZtnK...

23.01.2026 20:17 — 👍 4    🔁 0    💬 0    📌 1

A nice workaround against my YARA rule.
kuwaitist.github.io/posts/Patchi...

22.01.2026 13:55 — 👍 9    🔁 2    💬 0    📌 0

"By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1."

16.01.2026 03:00 — 👍 4    🔁 0    💬 0    📌 0

Link preview: BOF Cocktails: Crystal Palace is a PIC framework that can be used to write, among other things, prepended DLL loaders. The philosophy of the project is to apply evasion tradecraft (also written as PIC), to a capabil...

I pushed a 1-change update to Crystal Palace. linkfunc now works with make coff. link (in a make coff context) merges the linked data into the .rdata section.

Both are to support the BOF cocktails idea.

rastamouse.me/bof-cocktails/

15.01.2026 10:07 — 👍 9    🔁 0    💬 0    📌 1

Link preview: Keeping bin2bin out of the bin: Happy New Year. I've got another Crystal Palace and Tradecraft Garden update for you. My focus this development cycle was making Crystal Palace's binary transformation framework more robust. …

Keeping bin2bin out of the bin

aff-wg.org/2026/01/13/k...

Another TCG update. +shatter, +regdance, and -O1 MinGW support.

Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)

13.01.2026 21:05 — 👍 10    🔁 1    💬 0    📌 2

The caveat emptor which is in Daniel's post: Crystal Palace needs a patch to get rid of an overbroad error check. I'll address this in the next release and even make sure my local unit tests are covering/working with COFF output more.

This does change how I see COFF output in Crystal Palace though

04.01.2026 00:12 — 👍 1    🔁 0    💬 0    📌 0

Further, while a transparent time-of-use BOF hook isn't there for CS (yet?):

BOFs could be processed offline to add your favored tradecraft cocktail to them. Any C2 could benefit from that.

Further, any C2 could build this time-of-use hook for their BOFs too.

TCG is C2/capability agnostic

04.01.2026 00:12 — 👍 0    🔁 0    💬 1    📌 0

IAT hooking to provide tradecraft to your agent AND any BOFs it might run loses the above benefit. It requires an overbuilt tradecraft package acting on what the agent and potential post-ex tools might do. Forces a trade-off to not do some things.

BOF cocktails allow right-sized tradecraft per BOF.

04.01.2026 00:12 — 👍 0    🔁 0    💬 1    📌 0

Let me sell this a little more:

Part of the model of Crystal Palace is to over-build your tradecraft. Come up with hooks, rewrite various APIs, etc. Make one big monster thing. Merge it in. And, Crystal Palace LT-optimizes to right-size the tradecraft to the capability. You get only what you need.

04.01.2026 00:12 — 👍 0    🔁 0    💬 1    📌 0

TCG's vision is to separate tradecraft from capability and encourage an ecosystem of ground truth research.

I started w/ UDRLs because the need & interfaces are there. This post applies the same ideas to BOFs. Each working tradecraft/capability pairing is a win.

Some caveats (see post), exciting.

03.01.2026 23:30 — 👍 4    🔁 1    💬 1    📌 0

I managed it: marketplace.visualstudio.com/items?itemNa...

02.01.2026 00:34 — 👍 4    🔁 3    💬 0    📌 0

Comment out line 54 of src/crystalpalace/export/ParseImport.java. That'll take care of the error. Just did a quick hacky POC and it worked with my unit test BOF runner.

I'll work a more permanent fix to that in the next release. (I used LibTCG only for dprintf).

I think this is an interesting use.

02.01.2026 00:33 — 👍 2    🔁 0    💬 1    📌 0

(My original gut with make coff was an intermediate format to build a PIC/PICO tool with Crystal Palace and distribute that as an artifact that another Crystal Palace script, later and separately, could apply tradecraft to. In my roadmap, not this release yet, I'll have to sit with this again)

02.01.2026 00:06 — 👍 1    🔁 0    💬 1    📌 0

Yes, merge hooks into the BOF and use attach. make coff output. Leave API alone. Fingers crossed, it's something C2s can use.

Earlier, I listed different possibilities (e.g., PIC, PICOs, etc.)--but for BOF in a C2, I'd think coff output might be the path.

Caution, make coff isn't well exercised.

02.01.2026 00:04 — 👍 1    🔁 0    💬 1    📌 0

import to pass an API in if it's make object. For make pic I've merged an API impl and did some remap __imp_BeaconPrintf BEACON$BeaconPrintf and then attach'd to those. For make coff? I haven't touched that feature since it shipped. If using COFF w/ CS, leave imported APIs alone, but merge/attach?

01.01.2026 22:17 — 👍 1    🔁 0    💬 1    📌 0

This is fork&run to execute BOFs in a remote process, same API, and get output back over a pipe--demonstrated with Havoc.

Same arch could support explicit injection. Add-in an injector artifact + psexec, could remotely run a BOF without an agent and get output back too. bofexec? :)

31.12.2025 23:51 — 👍 6    🔁 1    💬 0    📌 0

A path (don't know if CS has hooks for this, not sure if make coff would hold up) would be the ability to pair BOFs or other things with +optimize'd tradecraft cocktails (e.g., merge it in, attach/redirect) vs. having them inherit from the parent agent's hooks. Limits exposure of that stuff too.

31.12.2025 22:38 — 👍 3    🔁 0    💬 3    📌 0

Sounds like a chicken or egg problem. What if you don't IAT hook GetProcAddress? Doesn't let hooks propagate downstream to BOFs and things, but would solve this issue?

31.12.2025 13:33 — 👍 2    🔁 0    💬 1    📌 0

Link preview: GitHub - pard0p/Remote-BOF-Runner: Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace.

To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace.

github.com/pard0p/Remot...

31.12.2025 11:20 — 👍 4    🔁 2    💬 0    📌 1

Link preview: GitHub - Henkru/cp-dfr-defs: Dynamic Function Resolution (DFR) definitions for Crystal Palace

WinAPI DFR remaps for Crystal Palace to automatically convert Func() to Module$Func(). Goodbye preprocessor macros 👋. github.com/Henkru/cp-df...

20.12.2025 11:02 — 👍 10    🔁 3    💬 0    📌 0

And, migration complete.

Pleased to keep my 1-2 9s of reliability promise.

19.12.2025 21:12 — 👍 3    🔁 0    💬 0    📌 0

Server came back a few hours ago. Hypervisor outage. I gave provider a green light to migrate my server.

We'll have some downtime again between when they migrate and I handle the post-migrate configuration changes.

19.12.2025 20:50 — 👍 2    🔁 0    💬 1    📌 0

My open source projects server is down. I got a ticket in with the provider as I believe it's something on their end.

Hopefully a short outage. I'm engaged with it and will post a reply here when it's back up or if there's a pressing and exciting update.

19.12.2025 12:20 — 👍 6    🔁 0    💬 1    📌 0

Discovering Tradecraft Garden by x.com/jjavierolmedo

hackpuntes.com/posts/explor...

A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.

12.12.2025 01:57 — 👍 4    🔁 2    💬 0    📌 0

"emerald-template is a CMake-based project template designed for developing and debugging Reflective DLL Loaders using the Crystal Palace linker."

"This allows for source-code level debugging of your loader logic from Windows (and theoretically Linux) systems"

github.com/0xTriboulet/...

10.12.2025 12:12 — 👍 5    🔁 1    💬 0    📌 0