Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Detours
Next: Conclusion

shows how malware can use QueueUserAPC to force a DLL to be loaded in the context of another process, although before we arrive at this code, the malware has already picked a target thread.

shows an example of these functions in use in a rootkit.

, ESI will contain the KAPC structure. Once KeInsertQueueApc is successful, the APC will be queued to run.

In this example, the malware targeted svchost.exe, but to make that determination, we would need to trace back the second-to-last parameter pushed on the stack to KeInitializeApc. This parameter contains the thread that will be injected. In this case, it is contained in arg_0, as seen at . Therefore, we would need to look back in the code to check how arg_0 was set in order to see that svchost.exe’s threads were targeted.
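The bookkeeping described above can be scripted. The following is an added example, not code from the book: because KeInitializeApc is a stdcall function whose arguments are pushed right-to-left, walking backwards from the call maps the last push to Apc and the second-to-last push to Thread, which is the operand an analyst then has to trace back (here arg_0). The disassembly fragment is constructed for the example and is not the book's listing.

```python
import re
from typing import Dict, List, Optional

# Constructed disassembly fragment (not the book's listing): a stdcall
# call to KeInitializeApc with its eight arguments pushed right-to-left.
SAMPLE_DISASM = """
push 1                     ; NormalContext
push 1                     ; ProcessorMode (UserMode)
push [ebp+NormalRoutine]   ; NormalRoutine
push 0                     ; RundownRoutine
push offset KernelRoutine  ; KernelRoutine
push 0                     ; Environment
push [ebp+arg_0]           ; Thread (set by the caller; trace arg_0 back)
push esi                   ; Apc (ESI holds the KAPC structure)
call ds:KeInitializeApc
push 0                     ; Increment
push 0                     ; SystemArgument2
push 0                     ; SystemArgument1
push esi                   ; Apc
call ds:KeInsertQueueApc
"""

# KeInitializeApc parameters in declaration order.
KE_INITIALIZE_APC_PARAMS = [
    "Apc", "Thread", "Environment", "KernelRoutine",
    "RundownRoutine", "NormalRoutine", "ProcessorMode", "NormalContext",
]

def stdcall_args(disasm: str, callee: str, params: List[str]) -> Dict[str, str]:
    """Map each parameter of a stdcall callee to the operand pushed for it.
    Arguments are pushed right-to-left, so walking back from the call the
    first push is params[0], the next params[1], ...; stops at a non-push."""
    lines = [l.split(";")[0].strip() for l in disasm.splitlines()]
    lines = [l for l in lines if l]
    call_idx = next(i for i, l in enumerate(lines)
                    if re.match(rf"call\s+(ds:)?{re.escape(callee)}$", l))
    args: Dict[str, str] = {}
    i = call_idx - 1
    for name in params:
        m = re.match(r"push\s+(.+)", lines[i]) if i >= 0 else None
        if not m:
            break
        args[name] = m.group(1).strip()
        i -= 1
    return args

def apc_target_thread(disasm: str) -> Optional[str]:
    """Operand feeding the Thread parameter: the second-to-last push."""
    return stdcall_args(disasm, "KeInitializeApc", KE_INITIALIZE_APC_PARAMS).get("Thread")
```

The helper only reads the pushes immediately before the call; resolving what arg_0 actually holds (here, an svchost.exe thread) still requires looking back at how the caller set it, exactly as the text describes.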
