QueueUserAPC() + NtTestAlert()

Use the previously documented QueueUserAPC() function to create an APC in the main thread, but then force the kernel to execute that thread.

​https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc​
DWORD QueueUserAPC(
  PAPCFUNC  pfnAPC,
  HANDLE    hThread,
  ULONG_PTR dwData
);
​
NTSYSAPI 
NTSTATUS
NTAPI
NtTestAlert( );
​
You can use NtTestAlert() to empty APC queue for the current thread. If the queue was empty before the call, NtTestAlert() has no effect.
Create a new sacrificial process in a suspended state
CreateProcess(CREATE_SUSPENDED)
Allocate some memory in the process
VirtualAllocEx()
Write shell-code to the remote process, or write a DLL to the process
GetProcAddress()
LoadLibrary()
WriteProcessMemory()
Queue a new procedure call in the process thread
QueueUserAPC()
Force the alert to the kernel
NtTestAlert()

Remote Process Injection - Previous

QueueUserAPC()

Next - Remote Process Injection

SetWindowsHookEx()

Last modified 2yr ago