Pool Party Windows Process Injection
This Metasploit-Framework release includes a new injection technique used in core Meterpreter functionality such as process migration and DLL injection.
Research into a new injection technique known as PoolParty highlighted new ways to gain code execution in a remote process by abusing the thread-pool management features included in the Windows kernel since Windows Vista. During our effort to integrate the new technique into the Meterpreter code base we encountered some technical challenges we would like to share. Currently Meterpreter uses the (in)famous system feature provided by Microsoft, kernel32!CreateRemoteThread, to achieve code injection. Although nowadays every EDR should be able to prevent an injection performed through this API call, it is still the most feature-rich way to inject code into a target process. Our goal while porting this technique was to find the variant best suited to our needs:
Able to pass a parameter pointer
Able to be injected and later executed, like a Suspended Thread
Able to be injected from and into WoW64 processes
Leave as few footprints as possible on the target process
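As an added example (not code from the Metasploit post or the PoolParty research), the following Python script triages the telemetry that the CreateRemoteThread path mentioned above produces: Sysmon Event ID 8 records for remote thread creation. The flattened key=value record layout and all sample values are constructed for this example; the field names follow Sysmon's Event ID 8 schema. It flags the classic signs of injection through that API (a start address in unbacked memory, a thread entering at a library loader routine, an injector running from a user-writable path), which is the baseline coverage the paragraph above says every EDR should have; a technique that does not create the thread through this API leaves no such record, which is why the post treats avoiding it as a footprint reduction.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records.

Added example, not part of the Metasploit/PoolParty post. The record layout
(one event per line, space-separated key=value pairs) is assumed for this
example; real Sysmon events are XML in the Windows event log.
"""
import re
from dataclasses import dataclass

# Constructed sample records. Field names match Sysmon Event ID 8; the values
# (PIDs, paths, addresses, thread ids) are made up for this example.
SAMPLE_EVENTS = [
    # 1. Cross-process thread that starts inside a loaded module at a normal
    #    thread entry point: nothing to report on its own.
    "SourceProcessId=1200 SourceImage=C:\\Tools\\dbg.exe "
    "TargetProcessId=3344 TargetImage=C:\\Apps\\app.exe "
    "NewThreadId=4100 StartAddress=0x7FF8A1B40000 "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    # 2. Classic DLL injection: remote thread entering LoadLibraryA, created
    #    by a binary running from a user-writable Temp directory.
    "SourceProcessId=5120 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe "
    "TargetProcessId=2208 TargetImage=C:\\Windows\\explorer.exe "
    "NewThreadId=6012 StartAddress=0x7FF8A0C12340 "
    "StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA",
    # 3. Shellcode injection: start address is not backed by any module, so
    #    Sysmon leaves StartModule/StartFunction empty.
    "SourceProcessId=7788 SourceImage=C:\\Windows\\System32\\wscript.exe "
    "TargetProcessId=2208 TargetImage=C:\\Windows\\explorer.exe "
    "NewThreadId=6050 StartAddress=0x000001C4A2F10000 "
    "StartModule= StartFunction=",
    # 4. Same-process record: Sysmon only logs cross-process creation, but the
    #    filter skips it anyway so pre-filtered feeds behave the same.
    "SourceProcessId=9000 SourceImage=C:\\Apps\\app.exe "
    "TargetProcessId=9000 TargetImage=C:\\Apps\\app.exe "
    "NewThreadId=9010 StartAddress=0x00007FF6A0001000 "
    "StartModule=C:\\Apps\\app.exe StartFunction=",
]

KV_RE = re.compile(r"(\w+)=(\S*)")  # values contain no spaces in this layout

# Thread entry points typical of DLL injection through a remote thread.
LOADER_ENTRY_POINTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Path fragments that indicate the injector runs from a user-writable location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    new_thread_id: str
    source_image: str
    target_image: str
    reasons: list


def parse_event(line: str) -> dict:
    """Turn one flattened record into a field name -> value mapping."""
    return dict(KV_RE.findall(line))


def triage(lines) -> list:
    """Return a Finding for every cross-process thread creation that shows at
    least one indicator of injection; records without indicators are dropped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
            continue  # not a remote thread
        reasons = []
        if ev.get("StartModule", "") in ("", "-"):
            reasons.append("start address not backed by a loaded module")
        if ev.get("StartFunction") in LOADER_ENTRY_POINTS:
            reasons.append("thread starts at a library loader entry point")
        if any(m in ev.get("SourceImage", "").lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("source image runs from a user-writable path")
        if reasons:
            findings.append(Finding(ev.get("NewThreadId", "?"), ev.get("SourceImage", "?"),
                                    ev.get("TargetImage", "?"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"thread {f.new_thread_id}: {f.source_image} -> {f.target_image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run stand-alone it reports records 2 and 3 only; record 1 is a backed, ordinary thread start and record 4 is not cross-process. The reasons are kept as a list rather than collapsed into a single score so that an analyst can see which indicator fired, and the module-backing check is the one that matters most: a remote thread whose start address has no image behind it is the signature of injected shellcode, whereas the loader and path heuristics only raise the priority of a hit.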
From the original PoolParty PoC we selected three candidates:
TP_WAIT_INSERTION
TP_DIRECT_INSERTION
WORKER_THREAD_FACTORY_OVERWRITE
In order to achieve the same flexibility offered by CreateRemoteThread, an intermediate stub was developed to provide correct parameter ordering, controlled execution through a duplicated handle, and cleanup of the injection after successful execution, making the migration chain look like: