Raphael Mudge
@raphaelmudge.bsky.social
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
TCG's vision is to separate tradecraft from capability and encourage an ecosystem of ground truth research.

I started w/ UDRLs because the need & interfaces are there. This post applies the same ideas to BOFs. Each working tradecraft/capability pairing is a win.

Some caveats (see post), exciting.
January 3, 2026 at 11:30 PM
Reposted by Raphael Mudge
January 2, 2026 at 12:34 AM
This is fork&run to execute BOFs in a remote process, same API, and get output back over a pipe (demonstrated with Havoc).

Same arch could support explicit injection. Add in an injector artifact + psexec, could remotely run a BOF without an agent and get output back too. bofexec? :)
December 31, 2025 at 11:51 PM
Reposted by Raphael Mudge
To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace.

github.com/pard0p/Remot...
GitHub - pard0p/Remote-BOF-Runner: Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace.
December 31, 2025 at 11:20 AM
Reposted by Raphael Mudge
WinAPI DFR remaps for Crystal Palace to automatically convert Func() to Module$Func(). Goodbye preprocessor macros 👋. github.com/Henkru/cp-df...
GitHub - Henkru/cp-dfr-defs: Dynamic Function Resolution (DFR) definitions for Crystal Palace
December 20, 2025 at 11:02 AM
My open source projects server is down. I got a ticket in with the provider as I believe it's something on their end.

Hopefully a short outage. I'm engaged with it and will post a reply here when it's back up or if there's a pressing and exciting update.
December 19, 2025 at 12:20 PM
Discovering Tradecraft Garden by x.com/jjavierolmedo

hackpuntes.com/posts/explor...

A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
December 12, 2025 at 1:57 AM
"emerald-template is a CMake-based project template designed for developing and debugging Reflective DLL Loaders using the Crystal Palace linker."

"This allows for source-code level debugging of your loader logic from Windows (and theoretically Linux) systems"

github.com/0xTriboulet/...
December 10, 2025 at 12:12 PM
Interesting project. Reimplements TCG example loaders in Rust and demonstrates Rust patterns for TCG and Crystal Palace.

One note: my scope, dev, tests, and unit tests are limited to MinGW.

Binary transforms act on patterns gcc generates and moving away from that, you're gonna hit gaps faster.
Implementing PICOs and allowing for easy development in rust github.com/laachy/trade...
@raphaelmudge.bsky.social
December 9, 2025 at 2:44 AM
Reposted by Raphael Mudge
My PICOs and unit testing library have been updated for the newest version of Crystal Palace and LibTCG :)
December 3, 2025 at 11:05 PM
Reposted by Raphael Mudge
Re: the new TCG release. I updated the Simple Hooking example into an empty base architecture and made XOR hooks and Stack Cutting into .spec modules for it:

tradecraftgarden.org/simplehook.h...

Thanks to redirect and foreach, I was able to layer these modules together to compose a tradecraft too.
December 2, 2025 at 3:48 AM
Reposted by Raphael Mudge
LibPicoManager is a unified PICO management framework that provides centralized control over PICOs in memory, enabling dynamic code loading, runtime PICO substitution, and advanced evasion techniques like sleep masking through a single RWX code block.

github.com/pard0p/LibPi...
December 1, 2025 at 11:24 PM
Reposted by Raphael Mudge
[BLOG]
This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command.
rastamouse.me/pic-symphony/
December 1, 2025 at 8:12 PM
Tradecraft Orchestration in the Garden

aff-wg.org/2025/12/01/t...

An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
What’s more relaxing than a beautiful fall day, a crisp breeze, a glass of Sangria, and music from the local orchestra? Of course, I expect you answered: writing position-independent code projects …
December 1, 2025 at 2:11 PM
Reposted by Raphael Mudge
[BLOG]
Cracking the Crystal Palace - detecting in-memory PIC using Crystal Palace's __resolve_hook() intrinsic.
rastamouse.me/cracking-the...
November 29, 2025 at 10:55 PM
Reposted by Raphael Mudge
The new version of RTO II is finally available to purchase.
www.zeropointsecurity.co.uk/course/red-t...
Red Team Ops II
Gain the knowledge and skills necessary to operate against advanced defences.
November 28, 2025 at 2:30 PM
Reposted by Raphael Mudge
This iteration leverages the power of @raphaelmudge.bsky.social's Crystal Palace ecosystem to build custom evasion tradecraft, and apply it to Beacon, BOFs and post-ex DLLs.
November 28, 2025 at 2:35 PM
Cobalt Strike thrives and innovates thanks to community + multi-talented dev/R&D/QA team mixing professional engineers & former users/contributors who know and continue the vision. (Or, just had a big wishlist they wanted to see acted on)

<3 the comics.

Fantastic work. Thanks for AFF-WG shout out
Cobalt Strike 4.12 is LIVE, complete with a new look for the GUI! Additionally, we're introducing:
- A REST API
- User Defined Command and Control (UDC2)
- New process injection options
- New UAC bypasses
- and more!
Check out the release blog for more details.
https://ow.ly/e61m50Xx1OU
November 25, 2025 at 7:05 AM
The work under way:

PIC programs (loader, capability) become a reusable & empty base.

PIC service modules control bootstrapping.

merge and: attach (incept Win32 API calls), redirect (N:1 layering), C modular programming (1:1 interface+implementation) populates that base with tradecraft specifics
November 20, 2025 at 7:02 AM
Reposted by Raphael Mudge
[BLOG]
PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming.

rastamouse.me/picing-aop/
The 11.10.25 Crystal Palace release added more new commands in one go than I think I've seen thus far. Many of them seemed really similar at first blush, and it took me a while to get an understanding...
November 19, 2025 at 11:04 PM
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
November 10, 2025 at 6:21 PM
Reposted by Raphael Mudge
I've updated github.com/pard0p/PICO-... to execute indirect syscalls via LibTP + an enhanced version of LibGate.

I hope this helps to demonstrate the utility of shared libraries in Crystal Palace projects 😁
November 9, 2025 at 11:49 PM
Reposted by Raphael Mudge
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...
November 7, 2025 at 4:10 PM
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."

"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "

Ground truth security research.
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 3:38 PM