Stars: 156 | Rank: 239,589 (Top 5 %) | Language: C | Created over 4 years ago | Updated over 4 years ago


Repository Details

APC Internals Research Code


This repo will contain all the code related to the APC research, including reverse-engineered sources.

ApcLib

A library with common functionality related to the supplied samples.

ApcDllInjector

Injects a DLL into a target process by queueing a user-mode APC from user mode.

ApcDllInjector.exe <native/win32/special> <process_id> <dll_path> [thread_id]
  • native: Uses NtQueueApcThread
  • win32: Uses QueueUserAPC
  • special: Uses NtQueueApcThreadEx with the special flag.

The dll_path is written to the remote process using WriteProcessMemory.

The target of the APC is LoadLibrary.

ApcRaceConditionExample

This is an example of a possible race condition that can occur if Special APCs are used without caution.

ApcRoutineUseContextRecord

This is an example of an APC routine that uses the hidden context argument. It prints the RIP at the point the APC "interrupted" the thread.

MemoryReserveApc

This is an example of using a Memory Reserve object to reuse the memory of a KAPC object.

SpecialUserApcExample

This is an example showing how a special kernel APC is delivered to a thread even if it is not in an alertable state.

InitialNtTestAlert

This shows how we can abuse the NtTestAlert call that is made before the thread's Win32 start address runs in order to execute an APC.

NtWaitForSingleObjectUserApc

This test shows how NtWaitForSingleObject returns STATUS_USER_APC when an APC is delivered to the thread. WaitForSingleObject() is a wrapper that simply ignores this value and waits again.

InitialNtTestAlertCreateProcessInjection

This is an example of an injection technique that uses the initial NtTestAlert.

AlertableStateApcPending

This example shows what happens when you enter an alertable state after queueing an APC.

QueueApcAndNtTestAlert

This example shows how NtTestAlert can be used to execute pending APCs.

SimpleUserApcDriver

A driver that lets a user-mode caller run two functions:

1 - SimpleNtQueueApcThread: A simple implementation that shows how a user APC can be queued from kernel mode.

2 - SimpleNtWaitForSingleObject: A simple implementation of NtWaitForSingleObject for event objects.

SimpleUserApcDriverTester

Tests the SimpleNtQueueApcThread function.

SimpleUserApcWaitTester

Tests the SimpleNtWaitForSingleObject function.

32bitApc

An x86 sample that uses QueueUserAPC. Can be used to debug the Wow64 APC path.

NullApcRoutine

A sample that can be used to debug a user APC with a null ApcRoutine. This is interesting because it actually creates a KernelMode APC.

QueueMultipleUserAPCs

A sample that shows the behavior with multiple pending APCs.

Wow64To64bitInjector

Shows how a Wow64 process can queue an APC in a 64-bit process.

x64ToWow64ApcInjector

Shows how a 64-bit process can queue an APC in a Wow64 process. The APC can be one of two kinds:

  1. A 64-bit APC: used to execute a 64-bit ApcRoutine.
  2. A Wow64 APC: the ApcRoutine should run in a Wow64 environment.

More Repositories

1. windbg-cheat-sheet (JavaScript, 373 stars): My personal cheat sheet for using WinDbg for kernel debugging
2. etw-providers-docs (C, 203 stars): Document ETW providers
3. autochk-rootkit (C, 195 stars): Reverse engineered source code of the autochk rootkit
4. ida-plugins (Python, 131 stars): A collection of my IDA plugins
5. ReversingMinesweeper (C, 123 stars): Reverse Engineering Minesweeper: Reconstruct Minesweeper Source Code
6. shellcode2exe (Batchfile, 79 stars): Batch script to compile a binary shellcode blob into an exe file
7. windows-inspector (C, 60 stars): A driver to intercept low level windows events
8. windows-imports-searcher (Python, 34 stars): Support Windows OS Reversing by searching easily for references to functions across many DLLs
9. snax86 (Assembly, 31 stars): A snake game written in x86 Assembly language for windows console
10. rpcmon (Python, 25 stars): RPC Monitor based on The ETW Microsoft-Windows-Rpc provider
11. practical-reverse-engineering (C, 20 stars): Code for the solutions of practical reverse engineering
12. autoit-analysis (Python, 16 stars): AutoIt Analysis Library: Parser & Emulator For Malware Researchers
13. simple-os (C++, 15 stars): Simple Protected Mode Kernel for i386
14. auto-makefile (Makefile, 12 stars): Generic Makefile Template with Automatic Dependency Generation
15. PE (C++, 11 stars): PE.Parser, PE.Dumper, PE.Loader
16. checkpoint-ctf-2018 (Python, 8 stars): Solutions to the challenges of the checkpoint CSA CTF
17. set-critical-thread (C++, 8 stars): Use NtSetInformationThread(ThreadBreakOnTermination) for anti-debugging
18. real-kernel (C++, 7 stars): 16 bit Real mode operating system kernel
19. tracelogging-providers (PowerShell, 7 stars): A dump of all the trace logging providers from system32
20. simple-etw-provider (C, 6 stars): hello world ETW provider
21. repnz.github.io (HTML, 5 stars): The deployed version of my blog
22. gamekid (C, 5 stars): Gameboy Emulation Library
23. supple (C#, 4 stars): Supple way to load dynamic XML configuration files
24. bluehat-il-2019-slotd (C, 3 stars): BlueHat IL 2019 vulnerable debugging interface
25. nc8-reversing-ctf (Python, 2 stars): Solution to the NC8 CTF & nc8 instruction set emulation API
26. pytreecli (Python, 2 stars): A command line library that allows to build a tree structures command line easily
27. c-streams (C, 2 stars): Wrapper for custom streams in the C language
28. dotflow (C#, 1 star): DotNet Actor Model POC library
29. calculator-driver (C, 1 star): Simple calculator windows driver