APC Injection
Earlier in this chapter, you saw that by creating a thread with CreateRemoteThread, you can invoke functionality in a remote process. However, thread creation carries overhead, so it is more efficient to invoke a function on a thread that already exists. Windows provides this capability through the asynchronous procedure call (APC).
APCs can direct a thread to execute some other code before it resumes its regular execution path. Every thread has a queue of APCs attached to it, and the queued APCs are processed when the thread enters an alertable state, which happens when it calls functions such as WaitForSingleObjectEx, WaitForMultipleObjectsEx, and SleepEx with their alertable parameter set to TRUE. These functions give the thread a chance to process the waiting APCs; a thread that only ever blocks in non-alertable calls such as Sleep or WaitForSingleObject never runs its queued user-mode APCs.
If an application ...