├── .gitattributes
├── .gitignore
├── NT APC Injector.sln
├── NT APC Injector
    ├── NT APC Injector.vcxproj
    ├── NT APC Injector.vcxproj.filters
    ├── header.h
    ├── inject.cpp
    ├── inject.h
    ├── main.cpp
    ├── ntapi.cpp
    ├── ntapi.h
    ├── process.cpp
    └── process.h
└── README.md


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Prerequisites
 2 | *.d
 3 | 
 4 | # Compiled Object files
 5 | *.slo
 6 | *.lo
 7 | *.o
 8 | *.obj
 9 | 
10 | # Precompiled Headers
11 | *.gch
12 | *.pch
13 | 
14 | # Compiled Dynamic libraries
15 | *.so
16 | *.dylib
17 | *.dll
18 | 
19 | # Fortran module files
20 | *.mod
21 | *.smod
22 | 
23 | # Compiled Static libraries
24 | *.lai
25 | *.la
26 | *.a
27 | *.lib
28 | 
29 | # Executables
30 | *.exe
31 | *.out
32 | *.app
33 | 


--------------------------------------------------------------------------------
/NT APC Injector.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.26730.12
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NT APC Injector", "NT APC Injector\NT APC Injector.vcxproj", "{2AB2B13A-E425-4DD9-B278-231F0722D7D0}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Debug|x64.Build.0 = Debug|x64
18 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Debug|x86.Build.0 = Debug|Win32
20 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Release|x64.ActiveCfg = Release|x64
21 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Release|x64.Build.0 = Release|x64
22 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Release|x86.ActiveCfg = Release|Win32
23 | 		{2AB2B13A-E425-4DD9-B278-231F0722D7D0}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {48E79868-4FBC-4A7D-A645-B60130552404}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/NT APC Injector/NT APC Injector.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>15.0</VCProjectVersion>
 23 |     <ProjectGuid>{2AB2B13A-E425-4DD9-B278-231F0722D7D0}</ProjectGuid>
 24 |     <RootNamespace>NTAPCInjector</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>10.0.15063.0</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v141</PlatformToolset>
 32 |     <CharacterSet>MultiByte</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v141</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>MultiByte</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v141</PlatformToolset>
 45 |     <CharacterSet>MultiByte</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v141</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>MultiByte</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |   </ImportGroup>
 57 |   <ImportGroup Label="Shared">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <Optimization>Disabled</Optimization>
 77 |       <SDLCheck>true</SDLCheck>
 78 |     </ClCompile>
 79 |   </ItemDefinitionGroup>
 80 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <ClCompile>
 82 |       <WarningLevel>Level3</WarningLevel>
 83 |       <Optimization>Disabled</Optimization>
 84 |       <SDLCheck>true</SDLCheck>
 85 |     </ClCompile>
 86 |   </ItemDefinitionGroup>
 87 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 88 |     <ClCompile>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <Optimization>MaxSpeed</Optimization>
 91 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 92 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 93 |       <SDLCheck>true</SDLCheck>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 97 |       <OptimizeReferences>true</OptimizeReferences>
 98 |     </Link>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
101 |     <ClCompile>
102 |       <WarningLevel>Level3</WarningLevel>
103 |       <Optimization>MaxSpeed</Optimization>
104 |       <FunctionLevelLinking>true</FunctionLevelLinking>
105 |       <IntrinsicFunctions>true</IntrinsicFunctions>
106 |       <SDLCheck>true</SDLCheck>
107 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
108 |     </ClCompile>
109 |     <Link>
110 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
111 |       <OptimizeReferences>true</OptimizeReferences>
112 |     </Link>
113 |   </ItemDefinitionGroup>
114 |   <ItemGroup>
115 |     <ClInclude Include="header.h" />
116 |     <ClInclude Include="inject.h" />
117 |     <ClInclude Include="ntapi.h" />
118 |     <ClInclude Include="process.h" />
119 |   </ItemGroup>
120 |   <ItemGroup>
121 |     <ClCompile Include="inject.cpp" />
122 |     <ClCompile Include="main.cpp" />
123 |     <ClCompile Include="ntapi.cpp" />
124 |     <ClCompile Include="process.cpp" />
125 |   </ItemGroup>
126 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
127 |   <ImportGroup Label="ExtensionTargets">
128 |   </ImportGroup>
129 | </Project>


--------------------------------------------------------------------------------
/NT APC Injector/NT APC Injector.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="header.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="inject.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="ntapi.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |     <ClInclude Include="process.h">
28 |       <Filter>Header Files</Filter>
29 |     </ClInclude>
30 |   </ItemGroup>
31 |   <ItemGroup>
32 |     <ClCompile Include="main.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |     <ClCompile Include="ntapi.cpp">
36 |       <Filter>Source Files</Filter>
37 |     </ClCompile>
38 |     <ClCompile Include="process.cpp">
39 |       <Filter>Source Files</Filter>
40 |     </ClCompile>
41 |     <ClCompile Include="inject.cpp">
42 |       <Filter>Source Files</Filter>
43 |     </ClCompile>
44 |   </ItemGroup>
45 | </Project>


--------------------------------------------------------------------------------
/NT APC Injector/header.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include <Windows.h>
3 | #include <winternl.h>
4 | #include <TlHelp32.h>
5 | #include <iostream>
6 | #include "ntapi.h"
7 | #include "process.h"
8 | #include "inject.h"


--------------------------------------------------------------------------------
/NT APC Injector/inject.cpp:
--------------------------------------------------------------------------------
  1 | #include "header.h"
  2 | using namespace std;
  3 | 
  4 | BOOL ApcInjectDll(HANDLE ProcessHandle, BOOL bSuspendWake, char *DllPath)
  5 | {
  6 | 	NTSTATUS NtStatus;
  7 | 	DWORD dwProcessId = GetProcessId(ProcessHandle);
  8 | 	PVOID pvDllMemory = 0; // used later for memory allocation
  9 | 	SIZE_T sDllLength = strlen(DllPath); // calculation for DLL path lenth
 10 | 	SIZE_T NumberOfBytesWritten = 0; // used for memory write
 11 | 
 12 | 	// check if the process handle exists
 13 | 	if (!ProcessHandle || !dwProcessId)
 14 | 	{
 15 | 		return FALSE;
 16 | 	}
 17 | 
 18 | 	// array of function addresses
 19 | 	FARPROC fpAddresses[6] = {
 20 | 		GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"),
 21 | 		GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory"),
 22 | 		GetProcAddress(GetModuleHandle("ntdll.dll"), "NtWriteVirtualMemory"),
 23 | 		GetProcAddress(GetModuleHandle("ntdll.dll"), "NtSuspendThread"),
 24 | 		GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAlertResumeThread"),
 25 | 		GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueueApcThread")
 26 | 	};
 27 | 
 28 | 	// loop through the array
 29 | 	for (FARPROC &fpAddress : fpAddresses)
 30 | 	{
 31 | 		if (!fpAddress) // address couldn't be obtained
 32 | 		{
 33 | 			// return nothing
 34 | 			return 0;
 35 | 		}
 36 | 	}
 37 | 
 38 | 	// setup for NTAPI functions
 39 | 	pNtAllocateVirtualMemory fNtAllocateVirtualMemory = (pNtAllocateVirtualMemory)fpAddresses[1];
 40 | 	pNtWriteVirtualMemory fNtWriteVirtualMemory = (pNtWriteVirtualMemory)fpAddresses[2];
 41 | 	pNtSuspendThread fNtSuspendThread = (pNtSuspendThread)fpAddresses[3];
 42 | 	pNtAlertResumeThread fNtAlertResumeThread = (pNtAlertResumeThread)fpAddresses[4];
 43 | 	pNtQueueApcThread fNtQueueApcThread = (pNtQueueApcThread)fpAddresses[5];
 44 | 
 45 | 	// allocate memory with NtAllocateVirtualMemory
 46 | 	if (NT_SUCCESS(fNtAllocateVirtualMemory(ProcessHandle, &pvDllMemory, NULL, &sDllLength, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)))
 47 | 	{
 48 | 
 49 | 		// write to allocated memory with NtWriteVirtualMemory . store DLL file path
 50 | 		if (NT_SUCCESS(fNtWriteVirtualMemory(ProcessHandle, pvDllMemory, DllPath, sDllLength, NULL)))
 51 | 		{
 52 | 
 53 | 			try {
 54 | 
 55 | 				HANDLE ThreadHandle, hThreadHandle;
 56 | 				THREADENTRY32 ThreadEntry32;
 57 | 				ThreadEntry32.dwSize = sizeof(THREADENTRY32);
 58 | 				hThreadHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
 59 | 
 60 | 				// loop threads
 61 | 				do {
 62 | 					// check if the thread is within the target process we want to inject into
 63 | 					if (ThreadEntry32.th32OwnerProcessID == dwProcessId)
 64 | 					{
 65 | 						// open thread handle with NtOpenThread
 66 | 						ThreadHandle = NtOpenThread(dwProcessId, ThreadEntry32.th32ThreadID);
 67 | 
 68 | 						// check if handle could be opened
 69 | 						if (ThreadHandle)
 70 | 						{
 71 | 
 72 | 							if (bSuspendWake)
 73 | 							{
 74 | 								NtStatus = fNtSuspendThread(ThreadHandle, NULL);
 75 | 								if (!NT_SUCCESS(NtStatus))
 76 | 								{
 77 | 									goto cleanup;
 78 | 								}
 79 | 							}
 80 | 
 81 | 							NtStatus = fNtQueueApcThread(ThreadHandle, (PIO_APC_ROUTINE)fpAddresses[0], pvDllMemory, NULL, NULL);
 82 | 
 83 | 							if(bSuspendWake)
 84 | 							{
 85 | 								NtStatus = fNtAlertResumeThread(ThreadHandle, NULL);
 86 | 								if (!NT_SUCCESS(NtStatus))
 87 | 								{
 88 | 									goto cleanup;
 89 | 								}
 90 | 							}
 91 | 						}
 92 | 
 93 | 						// cleanup
 94 | 						CloseHandle(ThreadHandle);
 95 | 					}
 96 | 				} while (Thread32Next(hThreadHandle, &ThreadEntry32)); 
 97 | 			}
 98 | 			catch (...)
 99 | 			{
100 | 				goto cleanup;
101 | 			}
102 | 		}
103 | 	}
104 | 
105 | 	// cleanup
106 | cleanup:
107 | 	if (pvDllMemory)
108 | 	{
109 | 		VirtualFreeEx(ProcessHandle, pvDllMemory, sDllLength, MEM_RELEASE);
110 | 	}
111 | 	return FALSE;
112 | }


--------------------------------------------------------------------------------
/NT APC Injector/inject.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "header.h"
3 | 
4 | BOOL ApcInjectDll(HANDLE ProcessHandle, BOOL bSuspendWake, char *DllPath);


--------------------------------------------------------------------------------
/NT APC Injector/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "header.h"
 2 | using namespace std;
 3 | 
 4 | int main()
 5 | {
 6 | 	HANDLE ProcessHandle = NtOpenProcess(dwRetProcessId("notepad.exe"));
 7 | 	if (ProcessHandle)
 8 | 	{
 9 | 		ApcInjectDll(ProcessHandle, TRUE, "C:\\opcode.dll");
10 | 	}
11 | 	getchar();
12 | 	return 0;
13 | }


--------------------------------------------------------------------------------
/NT APC Injector/ntapi.cpp:
--------------------------------------------------------------------------------
 1 | #include "header.h"
 2 | 
 3 | HANDLE NtOpenProcess(DWORD dwProcessId)
 4 | {
 5 | 	FARPROC fpNtOpenProcess = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtOpenProcess");
 6 | 	if (fpNtOpenProcess && dwProcessId != NULL)
 7 | 	{
 8 | 		HANDLE ProcessHandle = 0;
 9 | 		CLIENT_ID ClientId;
10 | 		OBJECT_ATTRIBUTES ObjectAttributes;
11 | 		InitializeObjectAttributes(&ObjectAttributes, NULL, NULL, NULL, NULL);
12 | 		ClientId.UniqueProcess = (PVOID)dwProcessId;
13 | 		ClientId.UniqueThread = (PVOID)0;
14 | 		pNtOpenProcess fNtOpenProcess = (pNtOpenProcess)fpNtOpenProcess;
15 | 		if (NT_SUCCESS(fNtOpenProcess(&ProcessHandle, MAXIMUM_ALLOWED, &ObjectAttributes, &ClientId)))
16 | 		{
17 | 			return ProcessHandle;
18 | 		}
19 | 	}
20 | 	return 0;
21 | }
22 | 
23 | HANDLE NtOpenThread(DWORD dwProcessId, DWORD dwThreadId)
24 | {
25 | 	FARPROC fpNtOpenThread = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtOpenThread");
26 | 	if (fpNtOpenThread)
27 | 	{
28 | 		HANDLE ThreadHandle = 0;
29 | 		OBJECT_ATTRIBUTES ObjectAttributes;
30 | 		CLIENT_ID ClientId;
31 | 		InitializeObjectAttributes(&ObjectAttributes, NULL, NULL, NULL, NULL);
32 | 		ClientId.UniqueProcess = (PVOID)dwProcessId;
33 | 		ClientId.UniqueThread = (PVOID)dwThreadId;
34 | 		pNtOpenThread fNtOpenThread = (pNtOpenThread)fpNtOpenThread;
35 | 		if (NT_SUCCESS(fNtOpenThread(&ThreadHandle, MAXIMUM_ALLOWED, &ObjectAttributes, &ClientId)))
36 | 		{
37 | 			if (ThreadHandle)
38 | 			{
39 | 				return ThreadHandle;
40 | 			}
41 | 		}
42 | 	}
43 | 	return 0;
44 | }


--------------------------------------------------------------------------------
/NT APC Injector/ntapi.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "header.h"
 3 | 
 4 | #define STATUS_SUCCESS 0x00000000
 5 | #define STATUS_UNSUCCESSFUL 0xC0000001
 6 | #define STATUS_ACCESS_DENIED 0xC0000022
 7 | 
 8 | typedef struct _CLIENT_ID {
 9 | 	PVOID UniqueProcess;
10 | 	PVOID UniqueThread;
11 | }CLIENT_ID, *PCLIENT_ID;
12 | 
13 | typedef NTSTATUS(NTAPI *pNtOpenProcess)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
14 | typedef NTSTATUS(NTAPI *pNtOpenThread)(PHANDLE ThreadHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID);
15 | typedef NTSTATUS(NTAPI *pNtSuspendThread)(HANDLE ThreadHandle, PULONG SuspendCount);
16 | typedef NTSTATUS(NTAPI *pNtAlertResumeThread)(HANDLE ThreadHandle, PULONG SuspendCount);
17 | typedef NTSTATUS(NTAPI *pNtAllocateVirtualMemory)(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
18 | typedef NTSTATUS(NTAPI *pNtWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);
19 | typedef NTSTATUS(NTAPI *pNtQueueApcThread)(HANDLE ThreadHandle, PIO_APC_ROUTINE ApcRoutine, PVOID ApcRoutineContext OPTIONAL, PIO_STATUS_BLOCK ApcStatusBlock OPTIONAL, ULONG ApcReserved OPTIONAL);
20 | 
21 | HANDLE NtOpenProcess(DWORD dwProcessId);
22 | HANDLE NtOpenThread(DWORD dwProcessId, DWORD dwThreadId);


--------------------------------------------------------------------------------
/NT APC Injector/process.cpp:
--------------------------------------------------------------------------------
 1 | #include "header.h"
 2 | 
 3 | DWORD dwRetProcessId(std::string processname)
 4 | {
 5 | 	HANDLE hProcess;
 6 | 	PROCESSENTRY32 processEntry32;
 7 | 	processEntry32.dwSize = sizeof(PROCESSENTRY32);
 8 | 	hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 9 | 	do {
10 | 		if (!strcmp(processEntry32.szExeFile, processname.c_str()))
11 | 		{
12 | 			CloseHandle(hProcess);
13 | 			return processEntry32.th32ProcessID;
14 | 		}
15 | 	} while (Process32Next(hProcess, &processEntry32));
16 | 	CloseHandle(hProcess);
17 | 	return 0;
18 | }


--------------------------------------------------------------------------------
/NT APC Injector/process.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "header.h"
3 | 
4 | DWORD dwRetProcessId(std::string processname);


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NT APC Injector
2 | 
3 | bonjour
4 | 
5 | This project demonstrates how you can use Asynchronous Procedure Calls (APC) to inject a DLL into another process; this project uses the NTAPI functions instead of Win32 API (NtQueueApcThread instead of QueueUserAPC and NtOpenThread instead of OpenThread). There is also an additional feature which supports suspending the thread (NtSuspendThread) prior to the APC injection and then resuming the thread with NtAlertResumeThread (wakes it up for APC to be executed - all optional though).
6 | 
7 | I am not responsible for how you use this project, use it responsibly please.
8 | 
9 | Merci bien


--------------------------------------------------------------------------------