Tradecraft Garden
Crystal Palace Quick Reference
Crystal Palace is a linker and linker script language specialized to the needs of writing position-independent DLL loaders.
Requirements
Crystal Palace requires:
Crystal Palace assumes a Linux (or Windows Subsystem for Linux) development environment.
Command-line Usage
To use Crystal Palace on the command-line, use:
./link /path/to/loader.spec demo/test.x64.dll out.x64.bin
Crystal Palace includes a shellcode runner and a "Hello World" DLL in the demo/ folder. Try it with your position-independent DLL loader:
./demo/run.x64.exe out.x64.bin
Specification Files
The Crystal Palace linker is driven by specification files. These files are Crystal Palace's linker script.
Command | Pop | Push | Description
---|---|---|---
export | OBJECT | BYTES | Turn object on stack into PIC
generate $VAR ## | | | Generate ## random bytes and assign to $VAR
import "A, B, C, ..." | OBJECT | OBJECT | Import functions A, B, and C into COFF object. "A, B, C, ..." maps members of the IMPORTFUNCS struct passed to PicoLoader to function symbols in the COFF. The first two values are always LoadLibraryA and GetProcAddress. Extend the IMPORTFUNCS struct to pass the other pointers.
load "file" | | BYTES | Load contents of file onto stack
load $VAR "file" | | | Load contents of file into $VAR
link "section" | BYTES, OBJECT | OBJECT | Link bytes on the stack to object on stack
make object | BYTES | OBJECT | Turn contents on stack into a COFF object
make pic | BYTES | OBJECT | Turn contents on stack into PIC object
make pic64 | BYTES | OBJECT | (x64 only) Turn contents on stack into PIC object. This PIC includes the .rdata section; you can use strings with no hackery.
patch "symbol" $VAR | OBJECT | OBJECT | Patch "symbol" within COFF/PIC with contents of $VAR. Limited to symbols in .text or .data sections (x86/x64 COFF), or .text only (x64 PIC).
preplen | BYTES | BYTES | Prepend length (of content) to the content on the stack. Length is a 4-byte integer in arch-native byte order.
prepsum | BYTES | BYTES | Calculate and prepend Adler32 checksum to content on the stack. Checksum is a 4-byte integer in arch-native byte order.
push $VAR | | BYTES | Push $VAR onto stack
rc4 $VAR | BYTES | BYTES | RC4 encrypt content on stack with $VAR as key
run "foo.spec" | | BYTES | Run another .spec file, using the same target and same $VARs, and push results onto stack.
xor $VAR | BYTES | BYTES | Mask content on stack using $VAR as key
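The table describes a small stack machine, and the byte-level commands are fully specified by their one-line descriptions. The following is an added example, not Crystal Palace's own code: a Python model of the BYTES-only commands (load, generate, push, preplen, prepsum, xor, rc4) that makes the pop/push semantics concrete, together with the inverse checks (strip_preplen, strip_prepsum) an analyst would apply before trusting a blob those commands emitted. It assumes, because the page does not say, that "arch-native byte order" means little-endian on x86/x64, that xor repeats its key across the content, that rc4 is standard RC4, and it replaces the file system with an in-memory dict of constructed bytes; the COFF/PIC commands are deliberately not modelled.

```python
# Added example, not Crystal Palace code: model of the BYTES-only spec commands.
# Assumptions (not on the page): little-endian prefixes, repeating xor key,
# standard RC4, and an in-memory dict standing in for the file system.
import os
import shlex
import struct
import zlib


def preplen(data: bytes) -> bytes:
    """preplen: pop BYTES, push 4-byte little-endian length + BYTES."""
    return struct.pack("<I", len(data)) + data


def prepsum(data: bytes) -> bytes:
    """prepsum: pop BYTES, push 4-byte little-endian Adler32 + BYTES."""
    return struct.pack("<I", zlib.adler32(data) & 0xFFFFFFFF) + data


def xor_mask(data: bytes, key: bytes) -> bytes:
    """xor $VAR: mask content with a repeating key (repetition is an assumption)."""
    if not key:
        raise ValueError("xor key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data: bytes, key: bytes) -> bytes:
    """rc4 $VAR: standard RC4 (KSA + PRGA); applying it twice restores the input."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s, j = list(range(256)), 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def strip_preplen(blob: bytes) -> bytes:
    """Inverse of preplen: the length prefix must match the payload exactly."""
    if len(blob) < 4:
        raise ValueError("blob shorter than a length prefix")
    (n,) = struct.unpack("<I", blob[:4])
    if n != len(blob) - 4:
        raise ValueError(f"length prefix {n} does not match payload {len(blob) - 4}")
    return blob[4:]


def strip_prepsum(blob: bytes) -> bytes:
    """Inverse of prepsum: verify the Adler32 prefix before trusting the payload."""
    if len(blob) < 4:
        raise ValueError("blob shorter than a checksum prefix")
    (expected,) = struct.unpack("<I", blob[:4])
    content = blob[4:]
    if zlib.adler32(content) & 0xFFFFFFFF != expected:
        raise ValueError("Adler32 mismatch: corrupted payload or not a prepsum blob")
    return content


def run_spec(script: str, files: dict, rng=os.urandom):
    """Execute the BYTES-only spec subset; returns (stack, variables).
    COFF/PIC commands (make, link, import, patch, export, run) need the real linker."""
    stack, var = [], {}
    for lineno, raw in enumerate(script.splitlines(), 1):
        tok = shlex.split(raw)                # strips the quotes around "file"
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "load" and len(args) == 1:        # load "file": push file bytes
            stack.append(files[args[0]])
        elif cmd == "load" and len(args) == 2:      # load $VAR "file": assign only
            var[args[0]] = files[args[1]]
        elif cmd == "generate" and len(args) == 2:  # generate $VAR ##
            var[args[0]] = rng(int(args[1]))
        elif cmd == "push" and len(args) == 1:      # push $VAR
            stack.append(var[args[0]])
        elif cmd in ("preplen", "prepsum") and not args:
            stack.append({"preplen": preplen, "prepsum": prepsum}[cmd](stack.pop()))
        elif cmd in ("xor", "rc4") and len(args) == 1:
            stack.append({"xor": xor_mask, "rc4": rc4}[cmd](stack.pop(), var[args[0]]))
        else:
            raise NotImplementedError(f"line {lineno}: {raw.strip()!r} not modelled")
    return stack, var


# Constructed stand-in for the file system: not a real DLL, just bytes to transform.
FILES = {"demo/test.x64.dll": b"MZ" + bytes(range(30))}

SAMPLE_SPEC = """\
load "demo/test.x64.dll"
generate $KEY 16
rc4 $KEY
prepsum
preplen
"""


def demo(rng=lambda n: bytes(range(n))):
    """Run SAMPLE_SPEC with a deterministic rng, then undo it with the checks above."""
    stack, var = run_spec(SAMPLE_SPEC, FILES, rng=rng)
    blob = stack[-1]
    recovered = rc4(strip_prepsum(strip_preplen(blob)), var["$KEY"])
    return blob, recovered
```

demo() pushes the 32-byte stand-in, masks it under a generated key, and wraps it with a checksum and then a length, so the outer four bytes read 36 and the next four are the Adler32 of the masked content; unwinding in the reverse order restores the input. Both strip functions raise ValueError on a bad prefix rather than returning a guessed payload, which is the behaviour you want when triaging a blob of unknown provenance.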
Java API
Use the following Java API to apply a .spec file from a Java program.