Tradecraft Garden Library (LibTCG)
The Tradecraft Garden Library is a collection of common functionality in the Tradecraft Garden projects.
Project Files
Notes
LibTCG is a Crystal Palace shared library. These files are a zipped collection of COFF objects that use Dynamic Function Resolution (MODULE$Function) and avoid global variables. Objects written to these conventions can work in both PIC and PICO contexts. Crystal Palace's mergelib command merges a shared library into a PIC or PICO. x86 and x64 PIC must opt in to Dynamic Function Resolution (dfr command) to use these libraries. x86 PIC must also enable fixptrs.
The DLL loader and API resolution code are refactors of Stephen Fewer's ReflectiveDLLInjection project. Some common OPSEC moves (e.g., not copying the DLL headers into the destination, setting proper per-section page permissions) are not implemented here; adding them will require modifying this code or re-implementing some of its functionality in your project.
API and Use
To use LibTCG in a project, #include "tcg.h" in your source and add mergelib "libtcg.arch.zip" (substitute the target architecture for arch) to your Crystal Palace specification file.
API Resolution
char * findModuleByHash(DWORD moduleHash)
Use an ROR13 hash to locate a loaded library in memory and return its base address.
void * findFunctionByHash(char * module, DWORD wantedFunction)
Use an ROR13 hash to locate an exported function within the library whose base address is module (as returned by findModuleByHash).
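Generating the hash constants that findModuleByHash and findFunctionByHash consume, as an added example that is not part of LibTCG or Crystal Palace. It assumes LibTCG keeps the ROR13 convention of the ReflectiveDLLInjection code it is refactored from: export names are hashed as ASCII bytes, module names are hashed as the UTF-16LE BaseDllName from the PEB with lowercase bytes folded to upper case, and no terminator is included in either case. The helper names ror13_function_hash and ror13_module_hash are this example's own; confirm the convention against tcg.h and the library source before depending on the constants it prints.

```c
#include <stdint.h>
#include <stdio.h>

/* ROR13 hash generator for LibTCG-style API resolution. Added example, not
 * LibTCG code. Assumption: LibTCG hashes exactly like Stephen Fewer's
 * ReflectiveDLLInjection loader, i.e. h = ror13(h) + byte for each byte,
 * with module names taken from the UTF-16LE BaseDllName and uppercased. */

static uint32_t ror13(uint32_t v)
{
    return (v >> 13) | (v << 19);
}

/* Hash of an exported function name, the value findFunctionByHash expects.
 * Export names are ASCII, so they are hashed byte for byte, case-sensitive. */
uint32_t ror13_function_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = ror13(h);
        h += *p;
    }
    return h;
}

/* Hash of a module name, the value findModuleByHash expects. The resolver
 * walks the PEB loader list and hashes the UTF-16LE BaseDllName, so every
 * ASCII character becomes two bytes (char, 0x00). Each byte >= 'a' is folded
 * to upper case with the same "- 0x20" rule the original loop uses, which
 * makes the lookup case-insensitive ("kernel32.dll" == "KERNEL32.DLL"). */
uint32_t ror13_module_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        unsigned char c = *p;
        if (c >= 'a')
            c -= 0x20;
        h = ror13(h);
        h += c;        /* low byte of the UTF-16 code unit */
        h = ror13(h);  /* high byte is 0x00 for ASCII, but still rotates */
    }
    return h;
}

int main(void)
{
    /* Constructed input: the names a minimal PIC loader usually needs. */
    const char *modules[]   = { "kernel32.dll", "ntdll.dll" };
    const char *functions[] = { "LoadLibraryA", "GetProcAddress",
                                "VirtualAlloc", "NtFlushInstructionCache" };

    for (size_t i = 0; i < sizeof modules / sizeof *modules; i++)
        printf("module   %-24s 0x%08X\n", modules[i], ror13_module_hash(modules[i]));
    for (size_t i = 0; i < sizeof functions / sizeof *functions; i++)
        printf("function %-24s 0x%08X\n", functions[i], ror13_function_hash(functions[i]));

    /* In a Crystal Palace PIC merged with LibTCG, the printed constants are
     * consumed like this (not compiled here; needs tcg.h and Windows):
     *   char * k32 = findModuleByHash(0x6A4ABC5B);               // KERNEL32.DLL
     *   void * fn  = findFunctionByHash(k32, 0xEC0E4E8E);        // LoadLibraryA
     * Check both pointers before calling through them. */
    return 0;
}
```

The module and function hashes are deliberately different functions: a module constant fed to findFunctionByHash, or a lowercase export name hashed for findFunctionByHash, silently resolves nothing, so generate the constants with the matching helper and keep a comment with the plaintext name next to each one.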
DLL Loading
DLLMAIN_FUNC EntryPoint(DLLDATA * dll, void * dst)
Return a function pointer for the entry point of a DLL
void LoadDLL(DLLDATA * dll, char * src, char * dst)
Load DLL content to the destination address
void ParseDLL(char * src, DLLDATA * data)
Parse DLL content and populate the DLLDATA structure
Load libraries and resolve APIs using the GetProcAddress and LoadLibraryA specified in IMPORTFUNCS
Returns the size of the DLL (post-load)
PICO Running
int PicoCodeSize(char * src)
Return the size of the PICO executable code
int PicoDataSize(char * src)
Return the size of the PICO data
PICOMAIN_FUNC PicoEntryPoint(char * src, char * base)
Return a function pointer for the entry point of a PICO
void PicoLoad(IMPORTFUNCS * funcs, char * src, char * dstCode, char * dstData)
Populate the PICO into dstCode and dstData and resolve Win32 APIs with the GetProcAddress/LoadLibraryA from IMPORTFUNCS. Note: Crystal Palace's import command allows you to extend IMPORTFUNCS and pass additional functions into a PICO.
Utility
void dprintf(char * format, ...)
printf-style debugging. This function uses OutputDebugStringA. You will need DbgView.exe from Microsoft's Sysinternals Suite to view this output. Because OutputDebugStringA hands the string to any debugger or debug-output listener on the host, remove dprintf calls from builds you do not want to leave readable traces.
License
This project is licensed under the BSD License.