_RastaMouse
@rastamouse.me
Wannabe security guy. Director @ Zero-Point Security.
Nice!
I pushed a 1-change update to Crystal Palace. linkfunc now works with make coff. link (in a make coff context) merges the linked data into the .rdata section.
Both are to support the BOF cocktails idea.
rastamouse.me/bof-cocktails/
Both are to support the BOF cocktails idea.
rastamouse.me/bof-cocktails/
BOF Cocktails
Crystal Palace is a PIC framework that can be used to write, among other things, prepended DLL loaders. The philosophy of the project is to apply evasion tradecraft (also written as PIC), to a capabil...
rastamouse.me
January 15, 2026 at 10:10 AM
Nice!
v0.0.2 of crystal-palace-vsc is up
marketplace.visualstudio.com/items?itemNa...
marketplace.visualstudio.com/items?itemNa...
January 14, 2026 at 9:48 AM
v0.0.2 of crystal-palace-vsc is up
marketplace.visualstudio.com/items?itemNa...
marketplace.visualstudio.com/items?itemNa...
In addition to some new commands, this post goes into a lot of details regarding Crystal Palace's binary transformations. If you're interested in how it does some things under-the-hood, give this a read.
Keeping bin2bin out of the bin
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support.
Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support.
Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
Keeping bin2bin out of the bin
Happy New Year. I’ve got another Crystal Palace and Tradecraft Garden update for you. My focus this development cycle was making Crystal Palace’s binary transformation framework more robust. …
aff-wg.org
January 13, 2026 at 10:48 PM
In addition to some new commands, this post goes into a lot of details regarding Crystal Palace's binary transformations. If you're interested in how it does some things under-the-hood, give this a read.
Reposted by _RastaMouse
Keeping bin2bin out of the bin
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support.
Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support.
Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
Keeping bin2bin out of the bin
Happy New Year. I’ve got another Crystal Palace and Tradecraft Garden update for you. My focus this development cycle was making Crystal Palace’s binary transformation framework more robust. …
aff-wg.org
January 13, 2026 at 9:05 PM
Keeping bin2bin out of the bin
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support.
Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support.
Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
My alter ego has posted a TAS for the Pokémon Yellow Ash% route. Check it out if you like a bit of retro-gaming.
www.youtube.com/watch?v=SqFU...
www.youtube.com/watch?v=SqFU...
Pokemon Yellow Ash% :: 2:27 IGT :: TAS
YouTube video by avatar00000
www.youtube.com
January 3, 2026 at 9:53 AM
My alter ego has posted a TAS for the Pokémon Yellow Ash% route. Check it out if you like a bit of retro-gaming.
www.youtube.com/watch?v=SqFU...
www.youtube.com/watch?v=SqFU...
I managed it: marketplace.visualstudio.com/items?itemNa...
January 2, 2026 at 12:34 AM
I managed it: marketplace.visualstudio.com/items?itemNa...
I've written a VSCode extension that provides syntax highlighting for Crystal Palace spec files. I'll throw it up on the marketplace if I can figure out how 😅
January 1, 2026 at 8:50 PM
I've written a VSCode extension that provides syntax highlighting for Crystal Palace spec files. I'll throw it up on the marketplace if I can figure out how 😅
Reposted by _RastaMouse
To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace.
github.com/pard0p/Remot...
github.com/pard0p/Remot...
GitHub - pard0p/Remote-BOF-Runner: Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace.
Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace. - pard0p/Remote-BOF-Runner
github.com
December 31, 2025 at 11:20 AM
To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace.
github.com/pard0p/Remot...
github.com/pard0p/Remot...
Pointer patching (aka 'smartinject') doesn't seem possible when you're IAT hooking APIs like GetProcAddress. The pointer that gets patched is that of the hook function, and not the legit API, which causes the loader to crash.
December 31, 2025 at 12:03 PM
Pointer patching (aka 'smartinject') doesn't seem possible when you're IAT hooking APIs like GetProcAddress. The pointer that gets patched is that of the hook function, and not the legit API, which causes the loader to crash.
Reposted by _RastaMouse
WinAPI DFR remaps for Crystal Palace to automatically convert Func() to Module$Func(). Goodbye preprocessor macros 👋. github.com/Henkru/cp-df...
GitHub - Henkru/cp-dfr-defs: Dynamic Function Resolution (DFR) definitions for Crystal Palace
Dynamic Function Resolution (DFR) definitions for Crystal Palace - GitHub - Henkru/cp-dfr-defs: Dynamic Function Resolution (DFR) definitions for Crystal Palace
github.com
December 20, 2025 at 11:02 AM
WinAPI DFR remaps for Crystal Palace to automatically convert Func() to Module$Func(). Goodbye preprocessor macros 👋. github.com/Henkru/cp-df...
Reposted by _RastaMouse
Discovering Tradecraft Garden by x.com/jjavierolmedo
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
December 12, 2025 at 1:57 AM
Discovering Tradecraft Garden by x.com/jjavierolmedo
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
Posting this because I’m not sure Steve is on this platform. He’s made a CLion template for Crystal Palace.
github.com/0xTriboulet/...
github.com/0xTriboulet/...
GitHub - 0xTriboulet/emerald_template: A cmake template for crystal palace
A cmake template for crystal palace. Contribute to 0xTriboulet/emerald_template development by creating an account on GitHub.
github.com
December 10, 2025 at 8:30 AM
Posting this because I’m not sure Steve is on this platform. He’s made a CLion template for Crystal Palace.
github.com/0xTriboulet/...
github.com/0xTriboulet/...
Reposted by _RastaMouse
Implementing PICOs and allowing for easy development in rust github.com/laachy/trade...
@raphaelmudge.bsky.social
@raphaelmudge.bsky.social
github.com
December 9, 2025 at 12:01 AM
Implementing PICOs and allowing for easy development in rust github.com/laachy/trade...
@raphaelmudge.bsky.social
@raphaelmudge.bsky.social
Reposted by _RastaMouse
Seeing is believing. Check out the video to see how version 4.12 makes #CobaltStrike sharper, smarter, and ready for the future. https://linoma.wistia.com/medias/9sku2eat6h
Cobalt Strike 4.12 Video
linoma.wistia.com
December 4, 2025 at 7:10 PM
Seeing is believing. Check out the video to see how version 4.12 makes #CobaltStrike sharper, smarter, and ready for the future. https://linoma.wistia.com/medias/9sku2eat6h
Pushed a big update to Crystal Kit.
github.com/rasta-mouse/...
github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Kit: Evasion kit for Cobalt Strike
Evasion kit for Cobalt Strike. Contribute to rasta-mouse/Crystal-Kit development by creating an account on GitHub.
github.com
December 3, 2025 at 3:14 PM
Pushed a big update to Crystal Kit.
github.com/rasta-mouse/...
github.com/rasta-mouse/...
This is a funny trap people often fall into with some programming languages. C# is a good example as it provides features like inheritance, polymorphism, reflection, extensions, overrides, and so on, to abstract classes and their functionalities. But just because you can, doesn’t mean you should.
Now, for the warning--to myself and others:
With these tools, it's easy to sometimes try to find an unneeded architectural elegance and make shit more complicated than it needs to be.
In the prior release, I wanted to use redirect to make the Hooking example modular, but... I only could do 1:1
With these tools, it's easy to sometimes try to find an unneeded architectural elegance and make shit more complicated than it needs to be.
In the prior release, I wanted to use redirect to make the Hooking example modular, but... I only could do 1:1
December 2, 2025 at 8:04 AM
This is a funny trap people often fall into with some programming languages. C# is a good example as it provides features like inheritance, polymorphism, reflection, extensions, overrides, and so on, to abstract classes and their functionalities. But just because you can, doesn’t mean you should.
Reposted by _RastaMouse
LibPicoManager is a unified PICO management framework that provides centralized control over PICOs in memory, enabling dynamic code loading, runtime PICO substitution, and advanced evasion techniques like sleep masking through a single RWX code block.
github.com/pard0p/LibPi...
github.com/pard0p/LibPi...
GitHub - pard0p/LibPicoManager: LibPicoManager is a unified PICO management framework that provides centralized control over Position Independent Code Objects in shared memory, enabling dynamic code l...
LibPicoManager is a unified PICO management framework that provides centralized control over Position Independent Code Objects in shared memory, enabling dynamic code loading, runtime PICO substitu...
github.com
December 1, 2025 at 11:24 PM
LibPicoManager is a unified PICO management framework that provides centralized control over PICOs in memory, enabling dynamic code loading, runtime PICO substitution, and advanced evasion techniques like sleep masking through a single RWX code block.
github.com/pard0p/LibPi...
github.com/pard0p/LibPi...
[BLOG]
This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command.
rastamouse.me/pic-symphony/
This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command.
rastamouse.me/pic-symphony/
December 1, 2025 at 8:12 PM
[BLOG]
This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command.
rastamouse.me/pic-symphony/
This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command.
rastamouse.me/pic-symphony/
Reposted by _RastaMouse
December 1, 2025 at 4:26 PM
Reposted by _RastaMouse
Tradecraft Orchestration in the Garden
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
Tradecraft Orchestration in the Garden
What’s more relaxing than a beautiful fall day, a crisp breeze, a glass of Sangria, and music from the local orchestra? Of course, I expect you answered: writing position-independent code projects …
aff-wg.org
December 1, 2025 at 2:11 PM
Tradecraft Orchestration in the Garden
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
[BLOG]
Cracking the Crystal Palace - detecting in-memory PIC using Crystal Palace's __resolve_hook() intrinsic.
rastamouse.me/cracking-the...
Cracking the Crystal Palace - detecting in-memory PIC using Crystal Palace's __resolve_hook() intrinsic.
rastamouse.me/cracking-the...
November 29, 2025 at 10:55 PM
[BLOG]
Cracking the Crystal Palace - detecting in-memory PIC using Crystal Palace's __resolve_hook() intrinsic.
rastamouse.me/cracking-the...
Cracking the Crystal Palace - detecting in-memory PIC using Crystal Palace's __resolve_hook() intrinsic.
rastamouse.me/cracking-the...
Pretending to be a blue teamer today
November 29, 2025 at 3:46 PM
Pretending to be a blue teamer today
I just had this strange idea... I wrote about modular C2 a while ago, where an implant could be split into multiple parts and loaded into disparate regions of memory across a process.
November 28, 2025 at 11:25 PM
I just had this strange idea... I wrote about modular C2 a while ago, where an implant could be split into multiple parts and loaded into disparate regions of memory across a process.