Asynchronous Procedure Call
Source: attack.mitre.org. 10 syscalls implement this technique.
- NtQueueApcThread
Queues a user-mode asynchronous procedure call (APC) to a target thread.
- NtQueueApcThreadEx
Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.
- NtTestAlert
Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.
- NtAllocateReserveObject
Pre-allocates a kernel reserve object (APC or completion) so future operations cannot fail under memory pressure.
- NtResumeThread
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtAlertResumeThread
Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.
- NtSetContextThread
Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.
- NtWaitForSingleObject
Waits until a dispatcher object becomes signaled or the optional timeout expires.
- NtWaitForMultipleObjects
Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.
- NtSetTimer
Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.