Why would you want to do something like this? All the APC handling
stuff is undocumented, and as has been tested more than once,
performance of an APC callback solution is poor versus using an I/O
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com]
> Posted At: Wednesday, July 21, 2010 9:47 AM
> Posted To: ntdev
> Conversation: X64 APC Delivering
> Subject: X64 APC Delivering
> Hi all!
> I'm an italian developer. I'm developing a Kernel driver for a
> research that queues an user apc to a process with the objective to
map a dll
> in a user process... Everything work fine: the user mode mapped APC
> APCLoadLibraryFunc PROC
> ; void APCLoadLibraryFunc(PVOID NormalContext, PVOID SystemArgument1,
> SystemArgument2); ; RCX = NormalContext ; RDX = SystemArgument1 ; R8 =
> int 3
> sub RSP, 38h mov
> mov RAX, 123456789ABCDEF7h ; <--- LoadLibraryW address, filled
> call RAX
> mov RAX, [RSP+30h]
> add RSP, 38h
> dummySpace BYTE 14 DUP(90h)
> dummyString WORD 255 DUP(0); <-- Offset +0x040
> In a test program made by me, with SleepEx, all work fine, the APC is
> delivered and the dll is mapped (address of its name is in the
> parameter) in the process. All work fine also in every other Non
> But in almost Microsoft processes like explorer.exe or services.exe
> is broken in the line "call RAX" because it raise an exception in the
> ntdll!RtlQueryInformationActivationContext+0x372 at this statement:
> r12,qword ptr [rsp+0C8h] ss:00000000`024cf028=0000000000000000.
> Someone know why this appened? Why my code in a non Microsoft process
> fine but not in Microsoft Process? Is a sort of protection mechanism?
> RtlQueryInformationActivationContext really does?
> This strange behavior happens only in Windows Server 2008 R2 X64 and
> x64, in the 32 bit os version all work fine... This behaviour is
> if i call any kernel32 API in the APC function (not only loadlibrary
> I will be grateful to whichever can give me a suggestion.
> Thanks very much and sorry for my poor english.
> Andrea Allievi
> __________ Information from ESET Smart Security, version of virus
> database 5297 (20100721) __________
> The message was checked by ESET Smart Security.