Code Monkey home page Code Monkey logo

poolparty's Introduction

PoolParty

A collection of fully-undetectable process injection techniques abusing Windows Thread Pools. Presented at Black Hat EU 2023 Briefings under the title - The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools

PoolParty Variants

Variant ID Varient Description
1 Overwrite the start routine of the target worker factory
2 Insert TP_WORK work item to the target process's thread pool
3 Insert TP_WAIT work item to the target process's thread pool
4 Insert TP_IO work item to the target process's thread pool
5 Insert TP_ALPC work item to the target process's thread pool
6 Insert TP_JOB work item to the target process's thread pool
7 Insert TP_DIRECT work item to the target process's thread pool
8 Insert TP_TIMER work item to the target process's thread pool

Usage

PoolParty.exe -V <VARIANT ID> -P <TARGET PID>

Usage Examples

Insert TP_TIMER work item to process ID 1234

>> PoolParty.exe -V 8 -P 1234

[info]    Starting PoolParty attack against process id: 1234
[info]    Retrieved handle to the target process: 00000000000000B8
[info]    Hijacked worker factory handle from the target process: 0000000000000058
[info]    Hijacked timer queue handle from the target process: 0000000000000054
[info]    Allocated shellcode memory in the target process: 00000281DBEF0000
[info]    Written shellcode to the target process
[info]    Retrieved target worker factory basic information
[info]    Created TP_TIMER structure associated with the shellcode
[info]    Allocated TP_TIMER memory in the target process: 00000281DBF00000
[info]    Written the specially crafted TP_TIMER structure to the target process
[info]    Modified the target process's TP_POOL tiemr queue list entry to point to the specially crafted TP_TIMER
[info]    Set the timer queue to expire to trigger the dequeueing TppTimerQueueExpiration
[info]    PoolParty attack completed successfully

Default Shellcode and Customization

The default shellcode spawns a calculator via the WinExec API.

To customize the executable to execute, change the path in the end of the g_Shellcode variable present in the main.cpp file.

Author - Alon Leviev

poolparty's People

Contributors

0xdeku avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

fredobedo byinarie bb33bb inosec2 cbhue brother-x86 an0x03e8 robinfassinamoschiniforks sneakid benheise gmh5225 mikrzysiek freeide askyeye seahop ttsite non7043 cc9001 emdnaia cybercraftsmanx chronoss3 linecode ezhangle nj00001 fengjixuchui h1d3r levisre vidura-supun ymjie ongyuann kara-4search jeffchan69 shonker shristi16 a10ncoder thomasxm brucebatman cmjlove1 ccaiccie bahadirtmzr msf-ntdll raystyle reloc2 tobey123 li2856705 marcdommage oops4git hxlxmjxbbxs asdlei99 dmore yunaranyancat crackercat crispud tomfansdwdf startagain2016 justinlwilson tmacbg nuclearatk changheluor007 f11st st-rnd fzxcp3 stevenksaint virgilcj thewhiteevil nejibnbm antondellua maoxian123 killvxk element2023h wbaby gavz flerov sp00ks-git yang-zhiyuan op0ssum bigbrobro drcyb3rr cacker noorahsmith epichoxha j88001 cyb3rm3g pabit korpolerithika0x1 maliciousgroup cyba3r 0xajstrike lleon1435 kunush xalicex lallouslab fadinglr h8suga lkheh mibaltoalex peta909 primody bravery9 sinllaves

poolparty's Issues

Shellcode for LSASS dump

I'm curious about how you developed the shellcode for dumping LSASS memory. Did you simply modify the pathname?

Additionally, I attempted a reverse shell with msfvenom, but the process was terminated. Is this technique not viable with such shellcodes?

32 bit version of this project

Most apps i want to use this to is 32 bit. It auto closes when i try to use this on any 32 bit app. Please make one for 32 bit apps.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.