Tradecraft Garden Library (LibTCG)

The Tradecraft Garden Library is a collection of common functionality in the Tradecraft Garden projects.

Project Files

📃  debug.c
📕  LICENSE.txt
📃  loaddll.c
📃  loaderdefs.h
🔨  Makefile
📃  picorun.c
📃  resolve_eat.c
📃  tcg.h
📃  util.c

Notes

LibTCG is a Crystal Palace shared library. These files are a zipped collection of COFF objects that use Dynamic Function Resolution (MODULE$Function) and avoid global variables. Objects written to these conventions can work in both PIC and PICO contexts. Crystal Palace's mergelib command merges a shared library into a PIC or PICO. x86 and x64 PIC must opt-into Dynamic Function Resolution (dfr command) to use these libraries. x86 PIC must enable fixptrs.

The DLL loader and API resolution code are refactors of Stephen Fewer's ReflectiveDLLInjection project. Some common OPSEC moves (e.g., not copying over DLL headers, setting proper page permissions) will require modifying this code or re-implementing some of its functionality in your project.

API and Use

To use LibTCG in a project #include "tcg.h" and mergelib "libtcg.arch.zip" in your Crystal Palace specification file.

API Resolution

    HANDLE findModuleByHash(DWORD moduleHash)

Use an ROR13 hash to locate a loaded library in memory. This may crash if no matching module exists.

    FARPROC findFunctionByHash(HANDLE module, DWORD wantedFunction)

Use an ROR13 hash to locate a function with a library handle

DLL Loading

    DLLMAIN_FUNC EntryPoint(DLLDATA * dll, void * dst)

Return a function pointer for entry point of a DLL

    void LoadDLL(DLLDATA * dll, char * src, char * dst)

Load DLL content to destination address

    void ParseDLL(char * src, DLLDATA * data)

Parse DLL content and populate DLLDATA structure

    void ProcessImports(IMPORTFUNCS * funcs, DLLDATA * dll, char * dst)

Load libraries and resolve APIs using GetProcAddress and LoadLibraryA specified in IMPORTFUNCS

    DWORD SizeOfDLL(DLLDATA * data)

Returns the size of the DLL (post-load)

PICO Running

    int PicoCodeSize(char * src)

Return the size of the PICO eXecutable code

    int PicoDataSize(char * src)

Return the size of the PICO data

    PICOMAIN_FUNC PicoEntryPoint(char * src, char * base)

Return a function pointer for entry point of a PICO

    PICOMAIN_FUNC PicoGetExport(char * src, char * base, int tag);

Return a function pointer for __tag_function() exported by PICO. Use exportfunc "function" "__tag_function" to export a function and generate its tag intrinsic.

    void PicoLoad(IMPORTFUNCS * funcs, char * src, char * dstCode, char * dstData)

Populate PICO into dstCode and dstData and resolve Win32 APIs with GetProcAddress/LoadLibraryA from IMPORTFUNCS. Note: Crystal Palace's import command allows you to extend IMPORTFUNCS and pass additional functions into a PICO

Utility

    DWORD adler32sum(unsigned char * buffer, DWORD length);

Calculate the Adler-32 checksum of buffer.

    void dprintf(char * format, ...)

printf-style debugging. This function uses OutputDebugStringA. You will need DbgView.exe from Microsoft's Sysinternals Suite to view this output. Note: Do not use dprintf from fixptrs, fixbss, or dfr helper functions. These functions are often called from an instrumentation context that break SEH assumptions dprintf depends on.

    DWORD ror13hash(const char * c);

Calculate the ror13 hash of a string.

License

This project is licensed under the BSD License.

© 2025 Adversary Fan Fiction Writers Guild