// PIC Reflective Loaders & the Crystal Palace Ecosystem
A deep dive into rasta-mouse's Crystal-Loaders — position-independent reflective loaders built with Raphael Mudge's Crystal Palace linker. Learn how the spec-driven build system, LibTCG PE loading primitives, LibGate indirect syscalls, and Beacon User Data (BUD) combine to create a modular, composable approach to Cobalt Strike loader development. By Daniel Duggan (@_RastaMouse). Crystal Palace by Raphael Mudge.
01: Why traditional reflective loaders get caught: private-commit RWX memory, PE headers, IAT artifacts, and return-address validation.
02 (Beginner): The spec language, directives (load, make pic, dfr, mergelib, link, export), and how COFF objects become shellcode.
03 (Intermediate): The shared PE loading library: ParseDLL, LoadDLL, ProcessImports, PEB walking, and ROR13 hash resolution.
04 (Intermediate): RecycledGate lineage, SYSCALL_GATE, Hell's Gate + Halo's Gate SSN extraction, and the push/ret trampoline.
05 (Intermediate): Line-by-line analysis of loader.c: XOR unmasking, PE loading, section permissions, and the three DllMain calls.
06 (Advanced): The USER_DATA structure: SYSCALL_API with 35 Nt* entries, RTL_API, ALLOCATED_MEMORY regions, and sleep mask integration.
07 (Advanced): The postex loader, $GMH/$GPA patching, string-based DFR, .cna hooks, and the full build pipeline.
08 (Advanced): Module stomping, sleep masking, call stack spoofing, IAT hooking PICOs, guardrails, and porting beyond Cobalt Strike.
References:
github.com/rasta-mouse/Crystal-Loaders
github.com/rasta-mouse/LibGate
github.com/thefLink/RecycledGate
github.com/rasta-mouse/Crystal-Kit
rastamouse.me/harvesting-the-tradecraft-garden/
rastamouse.me/arranging-the-pic-parterre/
rastamouse.me/crystal-kit/
cobaltstrike.com/product/features/user-defined-reflective-loader
github.com/stephenfewer/ReflectiveDLLInjection
github.com/boku7/BokuLoader
github.com/kyleavery/AceLdr