There is still no insider knowledge of APC injection methods, QUEUEUSERAPC ((Papcfunc) LoadLibraryA, Hthread, (ULONG_PTR) param);
But look at its invocation method can guess one or two. , the basic is also inserted into the thread before loading the DLL.
Before in the hacker line of defense saw the main thread injection mode load DLL, studied, found that it is like the manual implementation of the QUEUEUSERAPC function ... However, this is more free and flexible than calling the API directly.
I don't know what's going on, and there's some discrepancy between the WIN7 and the details of the article in the hacker line.
First of all, the hacker defense in the way to find the main thread, he compared the thread time, I did not look at, observed a while, found that the general first thread is the main course, just so on
Analysis: "Mainly used for memo, people can understand I do not know."
One, read the waiting state of the thread of data, the thread is generally waiting and activation state, if no task will be in the waiting state, when there is an operation is in the active state.
Second, write the injected code into the injection process
1, save and rewrite the thread ret when the ESP value, which is placed in the function to call the address of the next command to store ... Point to inject code
2, in the injected code, implement the load DLL, and then remove the saved ESP value, jump to the address that the ESP points to
Three, activate the thread.
__declspec (naked) void remotesub ()
{
_asm
{
Push EBX
Push EAX
Pushfd
mov ecx, 00000000
Push ECX
Add ecx, 8
Push ECX
Sub ECX, 4
CALL[ECX]
Pop ecx
Popfd
Pop eax
Pop ebx
JMP DWORD Ptr[ecx]
}
}
The main thread way to inject DLL