Category:Digital-Forensics/APC-Injection

Asynchronous Procedure Call (APC) Injection

Description

An Asynchronous Procedure Call (APC) is a mechanism for invoking a function in the context of an existing thread.

A thread that is in an alertable state executes the functions queued in its APC queue.

Malware forces the target thread into an alertable state so that the queue, including the injected malicious code, is executed immediately.

svchost.exe is often targeted because its threads are frequently in an alertable state.

User-mode and kernel-mode APC

User-mode APC: an APC generated for an application.

Kernel-mode APC: an APC generated for the system or a driver.
