Pentesting Tools

Pool Party RS : Leveraging Windows Thread Pools For Advanced Process Injection

pool_party_rs is a cutting-edge remote process injection tool designed for cybersecurity research and penetration testing.

It leverages advanced techniques described in SafeBreach’s blog on Windows thread pool abuse and is inspired by the PoolParty project on GitHub.

This tool currently implements the first two variants of the PoolParty process injection techniques, with plans to expand its capabilities in the future.

How pool_party_rs Works

The tool utilizes Windows Thread Pool mechanisms to inject malicious code into target processes. Here’s a breakdown of its operation:

Variant 1: Worker Factory Start Routine Overwrite

  1. Obtain Target Process Handle: The tool uses OpenProcess to gain access to the target process.
  2. Identify Worker Factory Handle: It enumerates all handles in the target process using NtQueryInformationProcess and checks each handle type with NtQueryObject to locate a “TpWorkerFactory” handle.
  3. Retrieve Start Routine Address: Using NtQueryInformationWorkerFactory, it extracts the start routine address of the worker factory.
  4. Inject Shellcode: The start routine address is overwritten with malicious shellcode using WriteProcessMemory.
  5. Trigger Execution: The tool forces thread creation by calling NtSetInformationWorkerFactory, which executes the shellcode.

Variant 2: Task Queue Manipulation

This variant modifies the thread pool task queue by injecting a malicious task into it. When executed, this task runs the injected shellcode, effectively compromising the target process.

  • OpenProcess: Accesses the target process.
  • NtQueryInformationProcess: Enumerates handles in the process.
  • DuplicateHandle: Duplicates handles for inspection.
  • NtQueryObject: Identifies handle types.
  • WriteProcessMemory: Writes shellcode to memory.
  • NtSetInformationWorkerFactory: Triggers execution of injected code.

To integrate pool_party_rs into your Rust project, add this dependency to your Cargo.toml:

[dependencies]
pool_party_rs = { git = "https://github.com/Teach2Breach/pool_party_rs" }
use pool_party_rs::wrapper;

let info_string = wrapper(&SHELL_CODE, pid, variant);
println!("{}", info_string);

Run the proof-of-concept (PoC) with:

cargo run <pid> <variant>

The current version does not prioritize operational security (OPSEC) considerations like dynamic API resolution. However, an OPSEC-safe version will be released on a dedicated branch approximately one month after the initial release.

pool_party_rs demonstrates innovative abuse of Windows thread pools for process injection, making it a valuable resource for cybersecurity professionals studying evasion techniques.

By exploiting legitimate system functionalities, it highlights gaps in modern detection systems and underscores the importance of continuous advancements in endpoint security solutions.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

1 week ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

1 week ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

1 week ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

1 week ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

1 week ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

2 weeks ago