QueueUserAPC() + NtTestAlert()

Use the previously documented QueueUserAPC() function to queue an APC on the main thread, but then force the kernel to execute that thread.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc

DWORD QueueUserAPC(
  PAPCFUNC  pfnAPC,
  HANDLE    hThread,
  ULONG_PTR dwData
);

NTSYSAPI NTSTATUS NTAPI NtTestAlert(VOID);

You can use NtTestAlert() to empty the APC queue for the current thread. If the queue was empty before the call, NtTestAlert() has no effect.

  • Create a new sacrificial process in a suspended state

    • CreateProcess(CREATE_SUSPENDED)

  • Allocate some memory in the process

    • VirtualAllocEx()

  • Write shellcode to the remote process, or write a DLL to the process

    • GetProcAddress()

    • LoadLibrary()

    • WriteProcessMemory()

  • Queue a new procedure call in the process thread

    • QueueUserAPC()

  • Force the alert to the kernel

    • NtTestAlert()
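As an added defender-side illustration (not part of these notes), the following Python correlates constructed API-call telemetry per (source, target) process pair and flags a pair once the cross-process calls from the steps above (CreateProcess with CREATE_SUSPENDED, VirtualAllocEx, WriteProcessMemory, QueueUserAPC) have been seen in that order; the event tuple layout and the sample pids are invented for the example.

```python
from collections import defaultdict

# Cross-process calls from the steps above, in the order they are listed.
CHAIN = ("CreateProcess", "VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC")

# Constructed telemetry: (source_pid, api, target_pid, attributes). Invented
# layout and pids; a real sensor (ETW, EDR hooks) has its own schema.
SAMPLE_EVENTS = [
    (4100, "CreateProcess", 5200, {"flags": ["CREATE_SUSPENDED"]}),
    (4100, "VirtualAllocEx", 5200, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (4100, "WriteProcessMemory", 5200, {}),
    (4100, "QueueUserAPC", 5200, {}),
    # A debugger-like parent: suspended child and memory writes, but no APC.
    (4300, "CreateProcess", 5300, {"flags": ["CREATE_SUSPENDED"]}),
    (4300, "WriteProcessMemory", 5300, {}),
    # Same four calls, but the child was not created suspended: not this chain.
    (4400, "CreateProcess", 5400, {"flags": []}),
    (4400, "VirtualAllocEx", 5400, {"protect": "PAGE_READWRITE"}),
    (4400, "WriteProcessMemory", 5400, {}),
    (4400, "QueueUserAPC", 5400, {}),
]


def find_apc_injection_chains(events):
    """Return (source_pid, target_pid) pairs that completed the chain in order.

    State is one integer per pair: the index of the next expected stage.
    Calls that do not match the expected stage are ignored rather than
    resetting the state, so unrelated calls interleaved in the stream
    do not hide the chain.
    """
    next_stage = defaultdict(int)
    hits = []
    for src, api, dst, attrs in events:
        key = (src, dst)
        stage = next_stage[key]
        if stage >= len(CHAIN) or api != CHAIN[stage]:
            continue
        # Stage 0 only counts when the child starts suspended, as in the steps above.
        if api == "CreateProcess" and "CREATE_SUSPENDED" not in attrs.get("flags", []):
            continue
        next_stage[key] = stage + 1
        if next_stage[key] == len(CHAIN):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for src, dst in find_apc_injection_chains(SAMPLE_EVENTS):
        print(f"APC injection chain: pid {src} -> pid {dst}")
```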
