QueueUserAPC()

Using Asynchronous Procedure Calls (APC), queued with QueueUserAPC(), to perform remote process injection: rather than starting a new thread in the target (as CreateRemoteThread does), the payload is handed to one of the target's existing threads, which runs it the next time it enters an alertable state.

DWORD QueueUserAPC(
  PAPCFUNC  pfnAPC,   // routine the target thread will call; must be a valid address inside the target
  HANDLE    hThread,  // thread handle opened with THREAD_SET_CONTEXT access
  ULONG_PTR dwData    // single pointer-sized argument passed to pfnAPC
);
  • Get a handle to an existing process on the system or create a new sacrificial process (created with CREATE_SUSPENDED, so its main thread is a known, idle APC target)
    • OpenProcess() (PROCESS_VM_OPERATION | PROCESS_VM_WRITE at minimum)
    • CreateProcess()
    • CreateProcessAsUser()
  • Allocate some memory in the chosen remote process
    • VirtualAllocEx()
  • Write the payload to the remote process: either the shell-code itself (in memory that is later made executable), or, for the DLL variant, the NUL-terminated path of the DLL that LoadLibraryA will read
    • GetProcAddress() (resolve LoadLibraryA in the injecting process; kernel32.dll is mapped at the same base in every process of the same bitness for the lifetime of a boot session, so the local address is valid inside the target)
    • LoadLibrary() (used as the APC routine, with the remote path pointer passed as dwData)
    • WriteProcessMemory()
  • Queue the procedure call on one or more of the target's threads and wait for it to run. An APC is delivered only when its thread enters an alertable wait (SleepEx, WaitForSingleObjectEx, MsgWaitForMultipleObjectsEx and the like with the alertable flag set), so either queue it on every thread of the target and hope one becomes alertable, or queue it on the main thread of a suspended sacrificial process and call ResumeThread(), in which case it runs before the process entry point
    • Thread32First()
    • Thread32Next()
    • OpenThread() (THREAD_SET_CONTEXT)
    • QueueUserAPC()