An Asynchronous Procedure Call (APC) consists of queuing a function for execution in an existing thread.
A thread in an alertable state executes the functions waiting in its APC queue.
Malware forces the target thread into the alertable state to get immediate execution of the queue (including the injected malicious code).
svchost.exe is often targeted because its threads are often in an alertable state.
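The defensive counterpart to the technique described above is to look for a process queuing an APC into a thread it does not own. The following is an added example, not code from the original page: a small detector run over constructed, pipe-delimited API telemetry lines (the format, the process ids and the image paths are all hypothetical). It flags cross-process calls to QueueUserAPC / NtQueueApcThread, raises the severity when the target image is svchost.exe, and records whether the source process first opened a handle to the target thread, which is the usual prelude to such a call.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry in a hypothetical pipe-delimited format:
# ts|pid|image|api|target_pid|target_image|target_tid
# Event 1002 is the suspicious one: notes.exe queues an APC into a svchost.exe thread.
# Events 1003 and 1004 are benign: each process queues an APC into one of its own threads.
SAMPLE_TELEMETRY = (
    "1001|4120|C:\\Users\\u\\notes.exe|OpenThread|720|C:\\Windows\\System32\\svchost.exe|1340\n"
    "1002|4120|C:\\Users\\u\\notes.exe|QueueUserAPC|720|C:\\Windows\\System32\\svchost.exe|1340\n"
    "1003|720|C:\\Windows\\System32\\svchost.exe|QueueUserAPC|720|C:\\Windows\\System32\\svchost.exe|1344\n"
    "1004|5560|C:\\Program Files\\App\\app.exe|QueueUserAPC|5560|C:\\Program Files\\App\\app.exe|5572\n"
)

# APIs that place a user-mode APC in a thread's queue.
APC_QUEUE_APIS = {"QueueUserAPC", "NtQueueApcThread", "NtQueueApcThreadEx"}
# Processes whose threads commonly sit in an alertable wait and are therefore favoured targets.
ALERTABLE_HOSTS = {"svchost.exe"}


def parse_telemetry(text):
    """Parse the constructed telemetry format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, api, tpid, timage, ttid = line.split("|")
        events.append({
            "ts": int(ts),
            "pid": int(pid),
            "image": image,
            "api": api,
            "target_pid": int(tpid),
            "target_image": timage,
            "target_tid": int(ttid),
        })
    return events


def detect_remote_apc(events):
    """Return one finding per APC queued by a process into a thread of another process."""
    findings = []
    # (source pid, target tid) pairs for which a thread handle was opened across processes
    opened = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["api"] == "OpenThread" and ev["pid"] != ev["target_pid"]:
            opened.add((ev["pid"], ev["target_tid"]))
        if ev["api"] in APC_QUEUE_APIS and ev["pid"] != ev["target_pid"]:
            # PureWindowsPath parses backslash paths correctly even when run on Linux.
            target_name = PureWindowsPath(ev["target_image"]).name.lower()
            findings.append({
                "ts": ev["ts"],
                "source_pid": ev["pid"],
                "source_image": ev["image"],
                "api": ev["api"],
                "target_pid": ev["target_pid"],
                "target_image": ev["target_image"],
                "target_tid": ev["target_tid"],
                "severity": "high" if target_name in ALERTABLE_HOSTS else "medium",
                "handle_opened_first": (ev["pid"], ev["target_tid"]) in opened,
            })
    return findings


if __name__ == "__main__":
    for f in detect_remote_apc(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"[{f['severity']}] ts={f['ts']} {f['source_image']} (pid {f['source_pid']}) "
              f"-> {f['api']} into pid {f['target_pid']} tid {f['target_tid']} "
              f"({f['target_image']}); handle opened first: {f['handle_opened_first']}")
```

Same-process APC queueing is normal Windows behaviour (the runtime and I/O completion code use it), so the rule deliberately keys on the source and target process ids differing; the svchost.exe check only adjusts severity, it is not the trigger.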
User-mode and kernel-mode APC
- User-mode APC
  - APC generated for an application
- Kernel-mode APC
  - APC generated for the system or a driver