_RastaMouse
rastamouse.me
@rastamouse.me
Wannabe security guy. Director @ Zero-Point Security.
The idea was to merge hooks into a BOF, 'make coff', then run via beacon_inline_execute. I don't think we want to attach the Beacon BOF APIs to funcs within the merged COFF though. What would you attach them to? Can't we just leave/ignore them so Beacon can link them to the proper internal funcs?
January 1, 2026 at 11:35 PM
I've written a VSCode extension that provides syntax highlighting for Crystal Palace spec files. I'll throw it up on the marketplace if I can figure out how 😅
January 1, 2026 at 8:50 PM
lol nevermind, there were a few mins of 2025 left :D
December 31, 2025 at 11:36 PM
lol nailed it
December 1, 2025 at 4:22 PM
Pretending to be a blue teamer today
November 29, 2025 at 3:46 PM
November 29, 2025 at 10:21 AM
I hope Fortra legal don't come after me for this one. I just couldn't resist.
November 24, 2025 at 9:50 PM
Postex PICOs <3
November 13, 2025 at 4:38 PM
Jumping on the bandwagon
November 11, 2025 at 5:22 PM
Did you know that Crystal Palace can merge multiple COFFs straight into a single PIC blob? It means we can produce complete PIC programs from modular parts, without needing a dedicated loader. Plus access to DFR and shared libraries... just lovely.
October 24, 2025 at 6:35 PM
I found it far more enjoyable doing string replacements in Aggressor than in the C2 profile because the feedback loop is so much quicker - no need to stop/start the server after every change.
October 24, 2025 at 3:44 PM
Took me long enough, but finally managed to hook into mscoreei.dll and stack spoof load library calls for clr.dll.
October 22, 2025 at 4:37 PM
Crystal Kit is just too powerful.
October 16, 2025 at 3:16 PM
I'm legit blown away. We can use DFR with Nt* APIs now!
October 13, 2025 at 6:58 PM
Lovely jubbly
October 5, 2025 at 4:40 PM
My motivation behind this is to hook & spoof APIs that aren't supported by BeaconGate, such as CreateProcessA. Passing the PICO memory allocation data to Beacon via BUD also ensures that a custom Sleepmask can free it after ExitThread is called.
October 5, 2025 at 11:33 AM
Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.
October 4, 2025 at 8:00 PM
I learned some Java @raphaelmudge.bsky.social !! 😅
September 13, 2025 at 1:33 PM
Playing with @raphaelmudge.bsky.social's latest CP update (it's very cool). I have mixed feelings about merging COFFs though. It simplifies overall development and gives the loader fewer jobs to do, but on the other hand you lose some flexibility about where each "part" goes in memory.
September 12, 2025 at 12:49 PM
lol amazing. If only I knew of a cool server to join.
July 31, 2025 at 5:56 PM
I think I've got a nice way to produce debug builds for Crystal Palace loaders. It produces an EXE that works with WinDbg so you can debug against the source code, with locals, etc.
July 24, 2025 at 5:36 PM
Thanks to this excellent video, we now have a new emoji in the ZPS Discord server, the :sadmudge:. Seriously, this is a good video for getting started with PIC dev and cleared up quite a few things for me.
July 16, 2025 at 4:20 PM
Hooking arbitrary BOFs via @raphaelmudge.bsky.social's Crystal Palace is very cool. I'm going to explore more to see if I can rip out the SleepMask and BeaconGate into their own PICOs, rather than using the official BOF codebases.
July 14, 2025 at 2:13 PM
Having another look at Raffi's Crystal Palace PIC loaders today. This time as a post-ex reflective loader with embedded function pointers for GetModuleHandle & GetProcAddress.
June 10, 2025 at 3:48 PM
Used some janky glue to tie into the BEACON_RDLL_GENERATE hook.
June 7, 2025 at 3:06 PM