Red Team Codex
  • Welcome to Red Team Codex (RTC)
  • Posts
    • Red Teaming
      • Initial Foothold Reconnaissance
  • Active Directory Enumeration
    • Overview
    • Domain Enumeration
      • Domain Name
      • Domain Forest Trusts
      • Password Policy
    • Computer Enumeration
      • Domain Controllers
    • User Enumeration
    • Group Enumeration
    • AppLocker Enumeration
  • Payload Development
    • VBA Macros and the Windows API
      • Windows Defender
  • AV / EDR
    • Windows Advanced Threat Protection (ATP)
  • Remote Process Injection
    • CreateRemoteThread()
    • QueueUserAPC()
    • QueueUserAPC() + NtTestAlert()
    • SetWindowsHookEx()
    • SetThreadContext()
    • Process Hollowing
  • My Config Files
    • Windows Terminal
    • Tmux Configuration
    • .bashrc and PS1 Environment
Powered by GitBook
On this page

Was this helpful?

  1. Remote Process Injection

QueueUserAPC()

Using Asynchronous Procedure Calls (APC) (QueueUserAPC) to perform Remote Process Injection.

PreviousCreateRemoteThread()NextQueueUserAPC() + NtTestAlert()

Last updated 4 years ago

Was this helpful?

DWORD QueueUserAPC(
  PAPCFUNC  pfnAPC,
  HANDLE    hThread,
  ULONG_PTR dwData
);

  • Get a handle to an existing process on the system or create a new sacrificial process

    • OpenProcess()

    • CreateProcess()

    • CreateProcessAsUser()

  • Allocate some memory in the chosen remote process

    • VirtualAllocEx()

  • Write shell-code to the remote process, or write a DLL to the remote process

    • GetProcAddress()

    • LoadLibrary()

    • WriteProcessMemory()

  • Queue a new procedure call in the remote process thread, and wait for it to be executed

    • Thread32First()

    • Thread32Next()

    • OpenThread()

    • QueueUserAPC()

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc