Quang Vo
@mr-r3bot.bsky.social
Offensive Security with passionate for Malware Development and Windows internal stuffs.
#redteam
#redteam
Reposted by Quang Vo
The Islands of Invariance
More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
The Islands of Invariance
Crystal Palace now has a Yara rule generator. In this blog post, I’ll walk you through the design and evaluation of this feature. rule PageStream_rDLL_03495de1 { meta: description = “PageStre…
aff-wg.org
February 2, 2026 at 5:03 PM
The Islands of Invariance
More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
Reposted by Quang Vo
Playing in the (Tradecraft) Garden of Beacon and finding Eden. In our latest blog, learn how to utilize Crystal Palace, an open source project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft.
https://ow.ly/zxMP50Y1NQ5
https://ow.ly/zxMP50Y1NQ5
January 23, 2026 at 3:45 PM
Playing in the (Tradecraft) Garden of Beacon and finding Eden. In our latest blog, learn how to utilize Crystal Palace, an open source project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft.
https://ow.ly/zxMP50Y1NQ5
https://ow.ly/zxMP50Y1NQ5
Reposted by Quang Vo
Discovering Tradecraft Garden by x.com/jjavierolmedo
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
December 12, 2025 at 1:57 AM
Discovering Tradecraft Garden by x.com/jjavierolmedo
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
Reposted by Quang Vo
Posting this because I’m not sure Steve is on this platform. He’s made a CLion template for Crystal Palace.
github.com/0xTriboulet/...
github.com/0xTriboulet/...
GitHub - 0xTriboulet/emerald_template: A cmake template for crystal palace
A cmake template for crystal palace. Contribute to 0xTriboulet/emerald_template development by creating an account on GitHub.
github.com
December 10, 2025 at 8:30 AM
Posting this because I’m not sure Steve is on this platform. He’s made a CLion template for Crystal Palace.
github.com/0xTriboulet/...
github.com/0xTriboulet/...
Reposted by Quang Vo
Tradecraft Orchestration in the Garden
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
Tradecraft Orchestration in the Garden
What’s more relaxing than a beautiful fall day, a crisp breeze, a glass of Sangria, and music from the local orchestra? Of course, I expect you answered: writing position-independent code projects …
aff-wg.org
December 1, 2025 at 2:11 PM
Tradecraft Orchestration in the Garden
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
Reposted by Quang Vo
Tradecraft Engineering with Aspect-Oriented Programming
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Tradecraft Engineering with Aspect-Oriented Programming
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
Reposted by Quang Vo
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible to build a multi-stage and modular C2 implant made of PICOs.
github.com/pard0p/PICO-...
github.com/pard0p/PICO-...
GitHub - pard0p/PICO-Implant: PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible...
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible to build a multi-stage...
github.com
November 7, 2025 at 4:10 PM
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible to build a multi-stage and modular C2 implant made of PICOs.
github.com/pard0p/PICO-...
github.com/pard0p/PICO-...
Reposted by Quang Vo
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."
"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "
Ground truth security research.
"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "
Ground truth security research.
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 3:38 PM
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."
"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "
Ground truth security research.
"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "
Ground truth security research.
Reposted by Quang Vo
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.
github.com/pard0p/LibWi...
github.com/pard0p/LibWi...
GitHub - pard0p/LibWinHttp: LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO...
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTT...
github.com
November 4, 2025 at 9:21 PM
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.
github.com/pard0p/LibWi...
github.com/pard0p/LibWi...
Reposted by Quang Vo
Tradecraft Garden’s PIC Parterre
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Tradecraft Garden’s PIC Parterre
The goal of Tradecraft Garden is to separate evasion tradecraft from C2. Part of this effort involves looking for logical lines of separation. And, with PIC, I think we’ve just found one of them. T…
aff-wg.org
October 27, 2025 at 3:48 PM
Tradecraft Garden’s PIC Parterre
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Reposted by Quang Vo
And it's released! 🎉
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com
October 16, 2025 at 4:13 PM
And it's released! 🎉
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
Its growing
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.
a man with glasses looks at a plant in a can that says pepsi on it
ALT: a man with glasses looks at a plant in a can that says pepsi on it
media.tenor.com
October 17, 2025 at 3:10 PM
Its growing
Reposted by Quang Vo
Weeding the Tradecraft Garden
aff-wg.org/2025/10/13/w...
Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
aff-wg.org/2025/10/13/w...
Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
Weeding the Tradecraft Garden
When I started work on Crystal Palace, my initial thought was to see how much I could ease development of position-independent code DLL capability loaders using the tools and manipulations possible…
aff-wg.org
October 13, 2025 at 3:13 PM
Weeding the Tradecraft Garden
aff-wg.org/2025/10/13/w...
Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
aff-wg.org/2025/10/13/w...
Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
Reposted by Quang Vo
Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
September 26, 2025 at 5:12 PM
Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
Reposted by Quang Vo
""I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more progammatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output).""
Quick post on how to use the new make coff and merge commands in @raphaelmudge.bsky.social's Crystal Palace.
rastamouse.me/modular-pic-...
rastamouse.me/modular-pic-...
Modular PIC C2 Agents (reprise)
A few months ago, I published a post called Modular PIC C2 Agents where I mused about what it could look like to build a C2 agent out of individual (modular) COFFs. The idea was to build a capability ...
rastamouse.me
September 12, 2025 at 10:57 PM
""I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more progammatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output).""
Reposted by Quang Vo
Quick post on how to use the new make coff and merge commands in @raphaelmudge.bsky.social's Crystal Palace.
rastamouse.me/modular-pic-...
rastamouse.me/modular-pic-...
Modular PIC C2 Agents (reprise)
A few months ago, I published a post called Modular PIC C2 Agents where I mused about what it could look like to build a C2 agent out of individual (modular) COFFs. The idea was to build a capability ...
rastamouse.me
September 12, 2025 at 10:30 PM
Quick post on how to use the new make coff and merge commands in @raphaelmudge.bsky.social's Crystal Palace.
rastamouse.me/modular-pic-...
rastamouse.me/modular-pic-...
Reposted by Quang Vo
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.
www.eventbrite.co.uk/e/beacon-25-...
beac0n.org
From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
www.eventbrite.co.uk/e/beacon-25-...
beac0n.org
From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Beacon %25
The fourth year of Beacon: London's home of hackers, hunters and EDR dodgers.
www.eventbrite.co.uk
September 9, 2025 at 8:46 PM
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.
www.eventbrite.co.uk/e/beacon-25-...
beac0n.org
From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
www.eventbrite.co.uk/e/beacon-25-...
beac0n.org
From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Reposted by Quang Vo
Position Independent Code (PIC) Development Crash Course.
My July 2025 overview of PIC writing fundamentals.
Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.
#GoodLuckAndHappyHacking
vimeo.com/1100089433/d...
My July 2025 overview of PIC writing fundamentals.
Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.
#GoodLuckAndHappyHacking
vimeo.com/1100089433/d...
PIC Development Crash Course
Some helpful content for writing position independent code.
vimeo.com
July 16, 2025 at 3:40 PM
Position Independent Code (PIC) Development Crash Course.
My July 2025 overview of PIC writing fundamentals.
Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.
#GoodLuckAndHappyHacking
vimeo.com/1100089433/d...
My July 2025 overview of PIC writing fundamentals.
Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.
#GoodLuckAndHappyHacking
vimeo.com/1100089433/d...
ي
Tradecraft Garden: Tilling the Soil
aff-wg.org/2025/07/09/t...
Some updates to... the Tradecraft Garden and Crystal Palace. Info in the 🧵 below:
aff-wg.org/2025/07/09/t...
Some updates to... the Tradecraft Garden and Crystal Palace. Info in the 🧵 below:
Tradecraft Garden: Tilling the Soil
Today, I’m releasing another update to the various Tradecraft Garden projects. This update is a dose of Future C2 and some cool updates to the Crystal Palace tech. Here’s the latest: Code Mutation …
aff-wg.org
July 10, 2025 at 1:59 PM
ي
Reposted by Quang Vo
Potato exploits have been a cornerstone of local priv esc on Windows for years, but how & why do the inner starchy workings of the potatoes function?
Join @atomicchonk.bsky.social next week to understand Windows access tokens & their use in the Windows environment. ghst.ly/june-web-bsky
Join @atomicchonk.bsky.social next week to understand Windows access tokens & their use in the Windows environment. ghst.ly/june-web-bsky
June 20, 2025 at 4:55 PM
Potato exploits have been a cornerstone of local priv esc on Windows for years, but how & why do the inner starchy workings of the potatoes function?
Join @atomicchonk.bsky.social next week to understand Windows access tokens & their use in the Windows environment. ghst.ly/june-web-bsky
Join @atomicchonk.bsky.social next week to understand Windows access tokens & their use in the Windows environment. ghst.ly/june-web-bsky
Reposted by Quang Vo
This is getting some attention today. Cool shellcode trick from:
My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.
H/T x.com/Jean_Maes_19...
My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.
H/T x.com/Jean_Maes_19...
April 1, 2025 at 5:48 PM
This is getting some attention today. Cool shellcode trick from:
My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.
H/T x.com/Jean_Maes_19...
My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.
H/T x.com/Jean_Maes_19...
Yo this is supercool
So, here's a little thread on my new open source project:
The Tradecraft Garden.
tradecraftgarden.org
It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.
And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.
The Tradecraft Garden.
tradecraftgarden.org
It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.
And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.
June 7, 2025 at 3:08 PM
Yo this is supercool
When James Forshaw post, you read 🫡
A companion blog to my Bluehat 2024 presentation on OleView.NET is up now. googleprojectzero.blogspot.com/2024/12/wind...
googleprojectzero.blogspot.com
December 13, 2024 at 11:47 AM
When James Forshaw post, you read 🫡
Good article about obfuscator
blog.back.engineering/06/05/2022/
blog.back.engineering/06/05/2022/
Theodosius - Jit linker, Symbol Mapper, and Obfuscator
Existing software protection frameworks typically operate at a small range of compilation levels. The highest level of obfuscation typically operates upon source code directly (source2source), the sec...
blog.back.engineering
December 9, 2024 at 2:00 PM
Good article about obfuscator
blog.back.engineering/06/05/2022/
blog.back.engineering/06/05/2022/