Tradecraft Garden
Crystal Palace Quick Reference
Crystal Palace is a linker and linker script language specialized to the needs of writing position-independent DLL loaders.
Requirements
Crystal Palace requires:
Crystal Palace assumes a Linux (or Windows Subsystem for Linux) development environment.
Command-line Usage
To use Crystal Palace on the command-line, use:
./link /path/to/loader.spec demo/test.x64.dll out.x64.bin
Crystal Palace includes a shellcode runner and a "Hello World" DLL in the demo/ folder. Try it with your position-independent DLL loader:
./demo/run.x64.exe out.x64.bin
Specification Files
The Crystal Palace linker is driven by specification files. These files are Crystal Palace's linker script.
| Command | Pop | Push | Description |
|---|---|---|---|
| coffparse "file.txt" | OBJECT | OBJECT | Parse object on stack and output a string representation to file.txt. The COFF parsing will occur at export, after +options are applied, and before patched values are acted on. |
| dfr "resolver" "method" | OBJECT | OBJECT | (PIC only) Sets default dynamic function resolution resolver function. Rewrites MODULE$Function references in PIC to call resolver. ror13 method passes ror13 module and function hashes to resolver. strings method passes module and function stack strings to resolver. |
| dfr "res." "method" "M1, M2" | OBJECT | OBJECT | (PIC only) Set dynamic function resolution resolver function for Win32 APIs from MODULE1 and MODULE2. This resolver has priority over the default resolver. |
| disassemble "file.txt" | OBJECT | OBJECT | Disassemble object on stack and write output to file.txt. The disassemble will occur at export, after +options are applied, and before patched values are acted on. |
| export | OBJECT | BYTES | Turn object on stack into bytes |
| fixbss "getBSS" | OBJECT | OBJECT | (PIC only) Rewrites PIC .bss (uninitialized global variables) references to call getBSS(size of bss section) and reference global variables as an offset of the returned pointer. This restores uninitialized global variables in PIC programs. |
| fixptrs "_caller" | OBJECT | OBJECT | (x86 PIC only) Rewrite x86 PIC to turn partial pointers into full pointers with the help of _caller function. Allows access to strings and linked data without hacks. |
| generate $VAR ## | Generate ## random bytes and assign to $VAR | ||
| import "A, B, C, ..." | OBJECT | OBJECT | Import functions A, B, and C into COFF object. "A, B, C, ..." maps members of IMPORTFUNCS struct passed to PicoLoader to function symbols in COFF. First two values are always LoadLibraryA and GetProcAddress. Extend IMPORTFUNCS struct to pass the other pointers |
| load "file" | BYTES | Load contents of file onto stack | |
| load $VAR "file" | Load contents of file into $VAR | ||
| link "section" | BYTES, OBJECT | OBJECT | Link bytes on the stack to object on stack |
| make coff [+options] | BYTES | OBJECT | Turn contents on stack into a COFF-exporter object.
Options are +optimize (Link-time optimization), +disco (randomize function order), and +mutate (code mutator) |
| make object [+options] | BYTES | OBJECT | Turn contents on stack into a PICO-exporter object.
Options are +optimize (Link-time optimization), +disco (randomize function order), and +mutate (code mutator) |
| make pic [+options] | BYTES | OBJECT | Turn contents on stack into PIC-exporter object.
Options are +optimize (Link-time optimization), +disco (randomize function order), +mutate (code mutator), and +gofirst (make go the first function) |
| merge | BYTES, OBJECT | OBJECT | Merge bytes on stack (COFF content) to object on stack |
| mergelib "lib.x##.zip" | OBJECT | OBJECT | Merges each COFF file within zip archive to object on stack |
| patch "symbol" $VAR | OBJECT | OBJECT | Patch "symbol" within COFF/PIC with contents of $VAR |
| preplen | BYTES | BYTES | Prepend length (of content) to the content on the stack Length is a 4-byte integer in arch-native byte order. |
| prepsum | BYTES | BYTES | Calculate and prepend Adler32 checksum to content on the stack Checksum is a 4-byte integer in arch-native byte order. |
| push $VAR | BYTES | Push $var onto stack | |
| rc4 $VAR | BYTES | BYTES | RC4 encrypt content on stack with $VAR as key |
| reladdr "_symbol" | OBJECT | OBJECT | (x86 PIC only) Allow linker to resolve _symbol with a partial pointer. |
| remap "old" "new" | OBJECT | OBJECT | Rename a symbol in the current COFF. (Use ./coffparse to see symbol names) |
| run "foo.spec" | Run another .spec, using the same target, $VARs, and stack as the current script. | ||
| xor $VAR | BYTES | BYTES | Mask content on stack using $VAR as key |
Java API
Use the following Java API to apply a .spec file from a Java program.