This repo will contain all the code related to the APC research including reverse engineered sources.
A library with common functionality related to the supplied samples.
Allows to inject a DLL using a user mode APC from user mode.
ApcDllInjector.exe <native/win32/special> <process_id> <dll_path> [thread_id]
- native: Uses NtQueueApcThread
- win32: Uses QueueUserAPC
- special: Uses NtQueueApcThreadEx with the special flag.
The dll_path is written to the remote process using WriteProcessMemory.
The target of the APC is LoadLibrary.
This is an example of a possible race condition that can occur if Special APCs are used without caution.
This is an example of an APC routine that uses the hidden context argument. It prints the RIP at the point the APC "interrupted" the thread.
This is an example of using Memory Reserve object to reuse the memory of a KAPC object.
This is an example showing how special kernel APC is delivered to a thread even if it's not an alertable state.
This shows how we can abuse the NtTestAlert call that is called before the win32 start address of the thread to execute an APC.
This test shows how NtWaitForSingleObject returns STATUS_USER_APC when an APC is delivered to the thread. WaitForSingleObject() is a wrapper that simply ignores this value and waits again.
This is an example of an injection technique that uses the initial NtTestAlert.
This example shows what happens when you enter an alertable state after queueing an APC.
This example shows how NtTestAlert can be used to execute pending APCs.
A driver that lets a user mode caller to run 2 functions:
1 - SimpleNtQueueApcThread: A simple implementation that shows how a user APC can be queued from kernel mode.
2 - SimpleNtWaitForSingleObject: A simple implementation of NtWaitForSingleObject for event objects.
Test the SimpleNtQueueApcThread function.
Test the SimpleNtWaitForSingleObject function.
A x86 sample that uses QueueUserAPC. Can be used to debug the Wow64 APC.
A sample that can be used to debug a user APC with a null ApcRoutine. This is interesting because it actually creates a KernelMode APC.
A sample that shows the behavior with multiple pending APCs.
Shows how a Wow64 process can queue an APC in a 64 bit process.
Shows how a 64 bit process can queue an APC in a Wow64 process. The APC can be one of 2 kinds:
- A 64 bit APC. used to execute a 64 bit ApcRoutine.
- A Wow64 APC: The ApcRoutine should run in a Wow64 environment.