Force a thread to enter the alertable state and execute the queued APC

对网上相关知识的整理

http://www.codeguru.com/forum/archive/index.php/t-429599.html

 

 

目的: Force a thread to enter the alertable state and execute the queued APC?

Normal:

I want to queue a user APC to a thread in the other running process (code injection issue resolved), but it is never executed. I guess the problem is the thread never enter the alertable state.

One special case:

However, if I create that foreign process with CREATE_SUSPEND, queue the APC to the primary thread, resume it, the APC will be executed correctly, no problem.
Explanation:

That's a special case. The kernel launches a user-mode thread by queuing a user APC to run loader code in ntdll and then coercing an alertable state. If you queue any other user APC before the thread starts it will execute as well.

具体做的事情：

I am looking for a userland solution. Maybe using some native APIs in NTDLL.DLL, but I've not got any luck.
(1)
SuspendThread(hThread);
QueueUserAPC(apcFunc, hThread, NULL);
NtAlertResumeThread(hThread, &suspendCount);
(2)
QueueUserAPC(apcFunc, hThread, NULL);
NtAlertThread(hThread);

Neither of the above two method works. Do I miss something?

 

Explanation：You missed your own recognition that user APCS were not designed for asynchronous thread interruption and can't be used that way.

 

Suggestion：I believe that the way the POSIX subsystem (R.I.P.??) implements signals is to suspend the thread and then change its context using SetThreadContext()/NtSetContextThread(). Use this idea at your own risk...

Answer：This is interesting, but my purpose is to execute the user APC in the context of a target thread in "another" process.