pool_party_rs
is a cutting-edge remote process injection tool designed for cybersecurity research and penetration testing.
It leverages advanced techniques described in SafeBreach’s blog on Windows thread pool abuse and is inspired by the PoolParty project on GitHub.
This tool currently implements the first two variants of the PoolParty process injection techniques, with plans to expand its capabilities in the future.
pool_party_rs
WorksThe tool utilizes Windows Thread Pool mechanisms to inject malicious code into target processes. Here’s a breakdown of its operation:
OpenProcess
to gain access to the target process.NtQueryInformationProcess
and checks each handle type with NtQueryObject
to locate a “TpWorkerFactory” handle.NtQueryInformationWorkerFactory
, it extracts the start routine address of the worker factory.WriteProcessMemory
.NtSetInformationWorkerFactory
, which executes the shellcode.This variant modifies the thread pool task queue by injecting a malicious task into it. When executed, this task runs the injected shellcode, effectively compromising the target process.
To integrate pool_party_rs
into your Rust project, add this dependency to your Cargo.toml
:
[dependencies]
pool_party_rs = { git = "https://github.com/Teach2Breach/pool_party_rs" }
use pool_party_rs::wrapper;
let info_string = wrapper(&SHELL_CODE, pid, variant);
println!("{}", info_string);
Run the proof-of-concept (PoC) with:
cargo run <pid> <variant>
The current version does not prioritize operational security (OPSEC) considerations like dynamic API resolution. However, an OPSEC-safe version will be released on a dedicated branch approximately one month after the initial release.
pool_party_rs
demonstrates innovative abuse of Windows thread pools for process injection, making it a valuable resource for cybersecurity professionals studying evasion techniques.
By exploiting legitimate system functionalities, it highlights gaps in modern detection systems and underscores the importance of continuous advancements in endpoint security solutions.
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…