GET /api/techniques/181/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 181,
    "key": "shellcode-injection-via-createthreadpoolwait",
    "unprotect_id": "U1236",
    "name": "Shellcode Injection via CreateThreadpoolWait",
    "description": "Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the `CreateThreadpoolWait` function, which is a part of the Windows thread pool API.\r\n\r\nIn the context of shellcode injection, `CreateThreadpoolWait` is used to create a wait object that is associated with a thread pool. The malware can then use this wait object to execute its shellcode within the context of the targeted process, by passing the shellcode as a callback function to the `CreateThreadpoolWait` function.\r\n\r\nHere is a summary of the steps:\r\n\r\n1. The malware creates an event object with the `CreateEvent` function, and sets it to the Signaled state.\r\n\r\n2. The malware allocates read-write-execute (RWX) memory for the shellcode using the `VirtualAlloc` function and writes the shellcode to this memory.\r\n\r\n3. The malware creates a wait object using the `CreateThreadpoolWait` function and specifies the address of the shellcode as the callback function.\r\n\r\n4. The malware sets the wait object using the `SetThreadpoolWait` function.\r\n\r\n5. The malware waits for the wait object to become signaled using the `WaitForSingleObject` function. When the wait object is signaled, the callback function (which contains the shellcode) is executed.\r\n\r\nOther injection techniques include using APIs such as `CreateRemoteThread`, `QueueUserWorkItem`, and `NtCreateThreadEx`.",
    "resources": "https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait",
    "creation_date": "2022-06-19T05:36:49.903000Z",
    "tags": "Shellcode injection,\r\nProcess injection,\r\nCreateThreadpoolWait,\r\nEvent object,\r\nVirtualAlloc,\r\nCallback function,\r\nSetThreadpoolWait,\r\nWaitForSingleObject,",
    "modification_date": "2023-10-04T10:44:58.752000Z",
    "category": [
        4
    ],
    "rules": [
        132
    ],
    "attachments": [],
    "featured_api": [
        2,
        3,
        449
    ],
    "contributors": []
}