Tradecraft Garden
=================

(CPL) = Crystal Palace
(TCG) = Tradecraft Garden

Release 11.10.25
====

- (CPL) Consolidated dfr, fixptrs, fixbss into a single disassemble, modify, rebuild pass. Part of an architectural effort to allow distinct pass groups of mutually exclusive modifications.
- (CPL) Added attach "MODULE$Function" "hook" to attach a hook to calls/references to MODULE$Function in a PIC or PICO. Calls/references to MODULE$Function in hook are not touched. Multiple hooks for one MODULE$Function are OK (so long as each hook calls MODULE$Function).
- (CPL) Added redirect "function" "hook" to change calls/references for local function to hook. Similar semantics to attach. References to function within hook AND function are not touched.
- (CPL) fixptrs now supports MOV r/m32, imm32 with the EAX register
- (CPL) fixptrs now supports CMP EAX, imm32
- (CPL) Added preserve "MODULE$Func|symbol" "symbol1, symbol2, ..." to opt specific functions out of attach and redirect instrumentation for the specified target or MODULE$Func symbol
- (CPL) Crystal Palace commands that accept a function symbol will now (when possible) suggest a symbol when the specified function doesn't exist. This should aid x86 .specs where the naming conventions (esp. for __stdcall attach hooks) can get a little wonky.
- (CPL) Added features to aid GetProcAddress IAT hooking. addhook "MODULE$Function" "_hookSymbol" registers an IAT hook for MODULE$Function. filterhooks $DLL|$OBJECT filters registered hooks using the import table of $DLL or $OBJECT. And, __resolve_hook(DWORD) is a linker intrinsic to generate inline code to map a ror13 "Function" string hash to a registered hook function.
- (CPL) Added protect "func1, func2, ..." to opt functions out of attach/redirect instrumentation. dprintf/_dprintf is automatically in this list.
- (CPL) Added danger walk checks to look for dprintf use from fixptrs/fixbss/dfr functions. Why? OutputDebugStringA uses SEH, and SEH plus these dynamically inserted function call contexts can cause memory corruption. These call contexts do a lot of register pushes to protect state, and that interferes with the post-exception stack walking heuristics when there's no unwind info.
- (TCG) Made several (small) changes to LibTCG and tcg.h. I've updated the TCG examples to use these. They'll require some changes to keep your compiler happy too:
  - Changed function prototypes of findModuleByHash and findFunctionByHash to better align with GetModuleHandle and GetProcAddress.
  - Added adler32sum and ror13hash functions to LibTCG
  - Added __resolve_hook() definition too
- (CPL) Added exportfunc "funcsymbol" "__tag_functag" to export a PICO function and associate it with a __tag_functag() intrinsic function. Use PicoGetExport in LibTCG to get these function addresses.
- (TCG) Rewrote Simple Loader (Hooking) and Stack Cutting to demonstrate better modularity practices
- (TCG) Slight refactor of Page Streaming to separate DLL loading from the page streaming module
- (CPL) Added optout "function" "hook1, hook2, etc." to prevent specific attach/redirect hooks in the context of a function. Use this to opt a tradecraft setup out of its own instrumentation without closing the door to layering other tradecraft in to benefit it.
- (CPL) Removed reladdr. Use fixptrs to avoid the x86 address hacks.
- (CPL) Got rid of the implied reladdr "permission" to resolve x86 relocs with partial pointers for data appended to the PIC with link. This effectively makes fixptrs mandatory for x86 PIC that references data appended to it.
- (TCG) Updated rdllinjection to use fixptrs
- (CPL) Took imul reg, 0 out of the code mutator as a register zeroing option.

Release 10.27.25
====

- (CPL) COFF normalization now skips .rdata$zzz (GCC's ident spam) unless a reloc refers to it
- (CPL) Added fixbss "getbss" to restore access to uninitialized global variables in x86/x64 PIC. The getbss function is responsible for returning a pointer to read/write memory for the .bss section. It needs to return the same pointer each time.
- (CPL) Fixed DFR "func" "strings" x64 crash by making sure the pushed strings don't break the stack 16-byte alignment contract.
- (CPL) Fixed LTO walk bug that would miss function pointer relocations from merged modules
- (CPL) Changed the missing label/incorrect target exception to a SpecProgramException; it now applies across run/runObject/runDLL
- (CPL) Changed the contract of run "file.spec" to work more like a generic include. No need to have the run .spec end by returning bytes[]. The program stack is shared between parent/child script. You get to decide the contract.
- (CPL) fixptrs now ignores CALL rel32 relocations. The only time this should come up is with a mistyped/missing function definition. The error message is now clearer: "can't resolve reloc"
- (CPL) Extended DFR to allow multiple resolvers per PIC, with a concept of a default resolver and resolvers that apply to specific modules. dfr "func" "method" "module1, module2" will apply to any imports for module1/module2. dfr "resolver" "method" will set a default resolver, which is only used when no module-specific resolver applies.
- (TCG) Added Simple PIC 9 to demonstrate running a PICO as PIC
- (CPL) fixptrs is now diligent about saving the ecx/edx registers. My caller function doesn't clobber these... but yours might.
- (CPL) Added remap "old_symbol" "new_symbol" to change a symbol name in the current COFF
- (TCG) Made Simple Loader 8 simpler with the new remap feature (and changes to run)
- (CPL) Fixed bug preventing propagation of local func x64 relocations through BTF. This same fix also restores (unresolved) local func x64 symbol names to disassembly output.
- (CPL) Added common func symbol existence/is-a-func checks to fixptrs/fixbss values

Release 10.13.25
====

- (CPL) Added Dynamic Function Resolution for x86/x64 PIC! Declare a resolver in your .spec with dfr "resolver" "method" and CPL will rewrite MODULE$Func references to call resolver with either the ROR hash of MODULE and Func as args (method=ror13) or MODULE and Func stack strings as args (method=strings). No more looking up/calculating ROR hashes to use Win32 APIs.
- (CPL) Code Mutator now mutates PUSH imm32 (x86)
- (CPL) Added BTF transforms to fix x86 pointers to make it more x64 PIC-like. Use fixptrs "_function" to specify a function that returns its return address. This opts an x86 program into these transforms.
- (CPL) Added mergelib "/path/to/lib.zip" to merge a Crystal Palace library into the PIC/PICO/COFF at the top of the stack. A Crystal Palace library is just a .zip with objects in it.
- (CPL) Deprecated "make pic64" -- "make pic" is now the same functionality
- (CPL) Added +gofirst PIC option to move go() to position 0 of the program
- (TCG) Rewrote the Tradecraft Garden examples to use these new conventions
- (CPL) Code Mutator now mutates MOV imm64 %reg (x64)

Release 10.13.25
====

- (TCG) Released Tradecraft Garden examples and projects under the 3-clause BSD license. The code and headers did not change otherwise. https://tradecraftgarden.org/download/tcg20250910-bsd.tgz

Release 09.10.25
====

- (CPL) Rewrote the COFF parser and intermediate representation
- (CPL) Added a normalization pass to merge section groups in a COFF before carving data from it
- (CPL) Rewrote pic/pic64/object exporters. Functionality should be the same, BUT PicoCodeSize() no longer rounds up to the nearest page.
- (CPL) Added 'make coff' to have export output a COFF file
- (CPL) Added reladdr "_symbol" to give Crystal Palace permission to resolve relocations for a symbol with a relative address, rather than a direct address. This is necessary for x86 PIC, where one might want to resolve _go to the beginning of the .text section. reladdr symbols require special care in an x86 program to turn into a valid pointer.
- (TCG) Updated TCG projects to use reladdr where needed, primarily for the _go symbol
- (CPL) Added support for IMAGE_REL_AMD64_REL32_1/2/3/4/5 relocations
- (CPL) Added coffparse "out.txt" to dump the normalized COFF string representation to out.txt
- (CPL) Added 'merge' command to merge a COFF file (bytes) with the object on the stack
- (TCG) Updated picorun.h to accommodate new loader directives for handling data relocations. The API is the same, but you will want to recompile projects with this updated file.
- (TCG) Fixed code mutator bug breaking up an Integer.MIN_VALUE constant

Release 07.09.25
====

- (CPL) Added a link-time optimizer. Use make [type] +optimize (in spec file) to enable
- (CPL) Added function "disco": randomizes function order. make [type] +disco enables.
- (CPL) Added code mutator. make [type] +mutate enables
- (CPL) Added error check for jump tables for PIC/PIC64/PICOs -- these are not supported and will cause a crash.
- (CPL) make pic/make pic64 warn if "go" (presumed entry point, when it exists) isn't first in the program.
- (TCG) Changed function declaration of "go" in PIC to include the no_reorder attribute to try and mitigate function re-ordering when compiled with optimizations on
- (CPL) Added to relocation string representation. Gives a better sense of where in the program a linking error came from.
- (CPL) Added disassemble "file.txt" command to spec file; outputs disassembled PIC/PIC64/PICOs
- (CPL) Added ./disassemble [+options] [file.o] command to Crystal Palace, similar to above.
- (CPL) Fixed typo in ./coffparse help output.
- (CPL) Updated LinkSpec APIs (and CLI) to accept a COFF (PICO) or DLL argument to apply the spec to
- (CPL) Added test.x86.o and test.x64.o demo programs (Hello World message box) to demonstrate applying a Crystal Palace .spec to a COFF capability
- (TCG) Added Simple Loader 7 - COFF Capability to demonstrate pairing a COFF with a PIC loader
- (TCG) Added Simple Loader 8 - COFF and DLL Capability to demonstrate a project capable of loading either a DLL or COFF.
- (TCG) Added #error to resolve_eat.h if WIN_X86 or WIN_X64 not defined.

Release 06.04.25
====

- Initial release
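Both the ror13 method of Dynamic Function Resolution (Release 10.13.25) and the __resolve_hook intrinsic (Release 11.10.25) key on ROR13 string hashes rather than on names. The C below is an added example, not code from Crystal Palace or LibTCG: it builds the hash-to-name table an analyst uses to recover which export names a hash-resolving PIC references, and checks that table for collisions, since two names with the same hash make any hash-keyed dispatch ambiguous. It assumes the common ROR13 convention (rotate the 32-bit accumulator right by 13, then add each byte, NUL terminator excluded); whether LibTCG's ror13hash includes the terminator or hashes module names as uppercase UTF-16 is not stated here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROR13 hash as commonly used for hash-based API resolution. Assumption:
 * the accumulator is rotated before each byte is added and the NUL is not
 * hashed; LibTCG's ror13hash may differ in these details. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 bits */
        h += (uint8_t)*s;
    }
    return h;
}

/* Constructed list of export names an analyst wants to recognise. */
static const char *KNOWN_NAMES[] = {
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "VirtualProtect", "CreateThread", "OutputDebugStringA",
};
#define KNOWN_COUNT (sizeof(KNOWN_NAMES) / sizeof(KNOWN_NAMES[0]))

/* Reverse lookup: which known name hashes to h? Returns NULL if none. */
const char *name_for_hash(uint32_t h) {
    for (size_t i = 0; i < KNOWN_COUNT; i++)
        if (ror13_hash(KNOWN_NAMES[i]) == h)
            return KNOWN_NAMES[i];
    return NULL;
}

/* Count pairs of known names that share a hash; a non-zero result means a
 * hash-keyed table over this set cannot tell those names apart. */
int count_collisions(void) {
    int n = 0;
    for (size_t i = 0; i < KNOWN_COUNT; i++)
        for (size_t j = i + 1; j < KNOWN_COUNT; j++)
            if (ror13_hash(KNOWN_NAMES[i]) == ror13_hash(KNOWN_NAMES[j]))
                n++;
    return n;
}

int main(void) {
    for (size_t i = 0; i < KNOWN_COUNT; i++)
        printf("%08x  %s\n", ror13_hash(KNOWN_NAMES[i]), KNOWN_NAMES[i]);
    printf("collisions in known set: %d\n", count_collisions());
    return 0;
}
```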