Havoc Extension to a PoC Windows Thread Pool Injection created by Alon Leviev
PoC Github: https://github.com/SafeBreach-Labs/PoolParty
| Variant ID | Varient Description | Status |
|---|---|---|
| 1 | Overwrite the start routine of the target worker factory | (IN PROGRESS) |
| 2 | Insert TP_WORK work item to the target process's thread pool | (IN PROGRESS) |
| 3 | Insert TP_WAIT work item to the target process's thread pool | (IN PROGRESS) |
| 4 | Insert TP_IO work item to the target process's thread pool | READY |
| 5 | Insert TP_ALPC work item to the target process's thread pool | READY |
| 6 | Insert TP_JOB work item to the target process's thread pool | READY |
| 7 | Insert TP_DIRECT work item to the target process's thread pool | READY |
| 8 | Insert TP_TIMER work item to the target process's thread pool | READY |
Can be installed directly through Havoc Extensions.
OR
- Clone this repository
- Modify the current working directory in poolparty.py
- Import poolparty.py into Havoc
poolparty generate -a {x86/x64} -l {listener name}
poolparty run -V {4,5,6,7,8} -P {PID}
My good friend 0xEr3bus for having patience :)
Check out his BOF implementation : https://github.com/0xEr3bus/PoolPartyBof