// Thread Pool Injection Masterclass
Eight process injection techniques (the PoolParty family) that abuse Windows thread pools, presented at Black Hat Europe 2023 by SafeBreach Labs (Alon Leviev), who reported a 100% bypass rate against the five leading EDR products tested.
01 (Beginner): Classic injection techniques, why they get detected, the API call patterns EDRs monitor, and why abusing a thread pool the target already runs is attractive.
02 (Beginner): TP_POOL, TP_WORK, TP_TIMER, TP_WAIT, TP_IO, worker threads, I/O completion ports, and the user-mode thread pool API.
03 (Beginner): TppWorkerThread, the work-item lifecycle, how worker threads dequeue completion packets from the pool's I/O completion port and dispatch callbacks in user mode, worker factory objects, and a TP_POOL deep dive.
04 (Intermediate): Overwriting the worker factory's start routine and forcing a new worker thread with NtSetInformationWorkerFactory, and inserting a TP_WORK item into the target pool's task queue. Variants 1 and 2 of PoolParty.
05 (Intermediate): TP_WAIT insertion with event signaling, TP_IO exploitation via NtSetIoCompletion, and TP_ALPC port abuse. Variants 3 to 5 of PoolParty.
06 (Intermediate): TP_JOB insertion to trigger job notification callbacks, and TP_DIRECT fast-path insertion via NtSetIoCompletionEx. Variants 6 and 7 of PoolParty.
07 (Advanced): TP_TIMER item insertion into the target pool's timer queue, arming the timer with TpSetTimer, and callback dispatch on timer expiry. Variant 8 of PoolParty.
08 (Advanced): Summary of all eight variants, EDR bypass results, detection strategies, IOCP-based detection, and defensive recommendations.
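Added example for the detection module (not code from the masterclass or from the PoolParty repository): a correlation rule that keys on what every variant has in common rather than on remote thread creation. Each variant has to open the target with PROCESS_DUP_HANDLE and PROCESS_VM_WRITE, duplicate a worker factory (TpWorkerFactory) or I/O completion (IoCompletion) handle out of it, and write attacker-controlled structures or shellcode into it. The access-right constants are the winnt.h values; the event schema (ProcessAccess, HandleDuplicate, RemoteWrite, CreateRemoteThread records), the object-type names as a handle-tracing source would report them, and the sample events are all constructed for this example and are assumptions, not any product's format.

```python
"""Correlate endpoint telemetry to flag thread-pool (PoolParty-style) process
injection, which never creates a remote thread.

Added example, not code from the masterclass or the PoolParty repository.
The event schema and sample events are constructed; the access-right
constants are the winnt.h values.
"""

# Process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF  # what debuggers and admin tools commonly request

# Every PoolParty variant duplicates a handle out of the target and writes
# attacker-controlled structures (or shellcode) into it; none needs CREATE_THREAD.
REQUIRED_ACCESS = PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
# Object types that give a foreign process a way into the target's thread pool
# (assumption: type names as a handle-tracing source would report them).
POOL_OBJECT_TYPES = {"TpWorkerFactory", "IoCompletion"}


def _new_state(ts):
    return {"first_ts": ts, "access": 0, "pool_objects": set(),
            "remote_write": False, "remote_thread": False, "alerted": False}


def detect_pool_injection(events, window_s=30.0):
    """Return one alert per (source_pid, target_pid) pair that, within
    window_s seconds, opened the target with DUP_HANDLE + VM_WRITE rights,
    duplicated a TpWorkerFactory or IoCompletion handle out of it, and wrote
    into its memory. Remote thread creation is recorded but not required.

    events: iterable of dicts with keys ts, type, source_pid, target_pid and a
    type-specific payload (constructed schema, not any product's format).
    """
    state = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["source_pid"], ev["target_pid"])
        s = state.get(key)
        if s is None or ev["ts"] - s["first_ts"] > window_s:
            s = state[key] = _new_state(ev["ts"])  # fresh correlation window

        kind = ev["type"]
        if kind == "ProcessAccess":
            # Accumulate rights: an attacker may split them over several opens.
            s["access"] |= ev["granted_access"]
        elif kind == "HandleDuplicate" and ev["object_type"] in POOL_OBJECT_TYPES:
            s["pool_objects"].add(ev["object_type"])
        elif kind == "RemoteWrite":
            s["remote_write"] = True
        elif kind == "CreateRemoteThread":
            s["remote_thread"] = True

        if (not s["alerted"] and s["remote_write"] and s["pool_objects"]
                and (s["access"] & REQUIRED_ACCESS) == REQUIRED_ACCESS):
            s["alerted"] = True
            alerts.append({
                "technique": "thread-pool injection",
                "source_pid": key[0],
                "target_pid": key[1],
                "pool_objects": sorted(s["pool_objects"]),
                "remote_thread_seen": s["remote_thread"],
            })
    return alerts


# Constructed sample telemetry (PIDs and timestamps are made up).
SAMPLE_EVENTS = [
    # 1) Classic CreateRemoteThread injection, 4100 -> 2200: no handle
    #    duplication, so this rule stays quiet; the thread-creation rule fires.
    {"ts": 10.0, "type": "ProcessAccess", "source_pid": 4100, "target_pid": 2200,
     "granted_access": PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
     | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION},
    {"ts": 10.1, "type": "RemoteWrite", "source_pid": 4100, "target_pid": 2200, "size": 4096},
    {"ts": 10.2, "type": "CreateRemoteThread", "source_pid": 4100, "target_pid": 2200},
    # 2) PoolParty-style, 5300 -> 3100: open with DUP_HANDLE, pull the worker
    #    factory and completion port handles out, write the work item, no thread.
    {"ts": 20.0, "type": "ProcessAccess", "source_pid": 5300, "target_pid": 3100,
     "granted_access": PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION
     | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE},
    {"ts": 20.1, "type": "HandleDuplicate", "source_pid": 5300, "target_pid": 3100,
     "object_type": "TpWorkerFactory"},
    {"ts": 20.2, "type": "HandleDuplicate", "source_pid": 5300, "target_pid": 3100,
     "object_type": "IoCompletion"},
    {"ts": 20.3, "type": "RemoteWrite", "source_pid": 5300, "target_pid": 3100, "size": 0x60},
    # 3) Benign tool, 700 -> 3100: broad rights, but only a File handle and no write.
    {"ts": 30.0, "type": "ProcessAccess", "source_pid": 700, "target_pid": 3100,
     "granted_access": PROCESS_ALL_ACCESS_MASK},
    {"ts": 30.1, "type": "HandleDuplicate", "source_pid": 700, "target_pid": 3100,
     "object_type": "File"},
    # 4) 900 -> 3100: completion-port handle duplicated, write arrives 80 s later,
    #    outside the default window (caught only with a wider window).
    {"ts": 40.0, "type": "ProcessAccess", "source_pid": 900, "target_pid": 3100,
     "granted_access": REQUIRED_ACCESS | PROCESS_QUERY_INFORMATION},
    {"ts": 40.5, "type": "HandleDuplicate", "source_pid": 900, "target_pid": 3100,
     "object_type": "IoCompletion"},
    {"ts": 120.0, "type": "RemoteWrite", "source_pid": 900, "target_pid": 3100, "size": 0x60},
]

if __name__ == "__main__":
    for alert in detect_pool_injection(SAMPLE_EVENTS):
        print(alert)
```

GrantedAccess on its own is a poor signal, since debuggers and admin tools routinely request 0x1FFFFF, which is why the rule also requires the object type of the duplicated handle; on a real endpoint the type names and the availability of handle-duplication telemetry depend on the tracing source, and the ordering of open, duplicate and write can differ between variants, so the rule checks the three conditions as a set inside the window rather than as a fixed sequence.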
Resources:
github.com/SafeBreach-Labs/PoolParty (PoolParty source for all eight variants)
safebreach.com/blog/process-injection-using-windows-thread-pools (SafeBreach write-up)
The Pool Party You Will Never Forget (Alon Leviev, Black Hat Europe 2023 talk)
github.com/CCob/ThreadlessInject (ThreadlessInject)
Thread Pools & Worker Factories (Chapter 5)
Thread Pool API (TpAllocWork, TpAllocTimer, etc.)
docs.microsoft.com/en-us/windows/win32/fileio/i-o-completion-ports (I/O completion ports)
Advanced Local Procedure Call architecture