This repository demonstrates APC (Asynchronous Procedure Call) injection, using the Windows API function QueueUserAPC to execute an obfuscated payload (one that launches Calculator) in either the local process or a remote process/thread.
For educational and research purposes only. Do not use this for unauthorized access or malicious activity.
APC injection is a stealthy code injection technique in which a function (typically the payload) is queued for execution in the context of a target thread. The queued routine does not run immediately: it executes when that thread next enters an alertable state (for a thread that was created suspended, this happens once it is resumed).
This repo contains:

- Local APC Injection: injects the payload into the current process using QueueUserAPC.
- Remote APC Injection: injects the payload into another process (RuntimeBroker.exe) by starting it under debugger control and queueing an APC on its initial thread.

Local APC Injection steps:

- Create a thread that runs the alertable function, so that the thread is in an alertable state. The thread can also be created in a suspended state, but then it must be resumed with the ResumeThread Win API after QueueUserAPC has been called, otherwise the payload will not execute.
- Deobfuscate the payload and write it into the address space of the current process.
- Pass the alertable thread's handle and the address of the deobfuscated payload to the QueueUserAPC Win API function.
Remote APC Injection steps:

- Open the target process in a debugged state. Alternatively, create it suspended with the CREATE_SUSPENDED flag; in that case it must be resumed so the payload can execute.
- Deobfuscate the payload and write it into the address space of the target process.
- Pass the debugged thread's handle and the address of the deobfuscated payload to the QueueUserAPC Win API function.
- Stop debugging the remote process with DebugActiveProcessStop, which resumes its threads and executes the payload.
Usage:

- Clone the repository:

      git clone https://github.com/Zanebilal/APC-Injection-Techniques

- Open the desired .c file in Microsoft Visual Studio and run it.