
Queuing an APC fails - what is the reason?

2014-01-13 18:43 323 views

I see that everyone online uses the memory-mapping method! For convenience I just used RtlMoveMemory.

But when debugging I found that KeInsertQueueApc succeeds, yet Thread+0x40, i.e. ApcState->ApcListHead, does not contain my ListEntry; the head and the tail are the same! I don't understand. Do I really have to use the memory-mapping method?

Or did something go wrong in KeInitializeApc?

kd> dt _KAPC 8728a230
ntdll!_KAPC
+0x000 Type : 0x12 ''
+0x001 SpareByte0 : 0 ''
+0x002 Size : 0x30 '0'
+0x003 SpareByte1 : 0 ''
+0x004 SpareLong0 : 0x87286c10
+0x008 Thread : 0x8657ed48 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY [ 0x8657ed90 - 0x8657ed90 ]
+0x014 KernelRoutine : 0x9192d6f0 void MyDriver!ApcKernelRoutine+0
+0x018 RundownRoutine : (null)
+0x01c NormalRoutine : 0x012c0000 void +12c0000
+0x020 NormalContext : (null)
+0x024 SystemArgument1 : (null)
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 1 ''
+0x02e Inserted : 0x1 ''

I want to run my code in a remote process by queuing an APC, similar to the effect of CreateRemoteThread!

Hoping an expert can take a look!

NTSTATUS InjectCode(PETHREAD Thread, PVOID UserModeCodeAddress)
{
    PRKAPC      pApc     = NULL;
    NTSTATUS    Status   = STATUS_UNSUCCESSFUL;
    PKAPC_STATE APCSTATE = NULL;

    if (MmIsAddressValid((PVOID)Thread) == TRUE)
    {
        /* The KAPC is owned by the kernel until it is delivered, so it must live in non-paged memory. */
        pApc = (PRKAPC)ExAllocatePool(NonPagedPool, sizeof(KAPC));
        if (!pApc)
        {
            DbgPrint("Fail to allocate memory for the APC structure");
            return STATUS_UNSUCCESSFUL;
        }

        /* User-mode APC: NormalRoutine is the user-mode address, delivered in the thread's original environment. */
        KeInitializeApc(pApc,
                        (PETHREAD)Thread,
                        OriginalApcEnvironment,
                        &ApcKernelRoutine,
                        NULL,
                        (PKNORMAL_ROUTINE)UserModeCodeAddress,
                        UserMode,
                        (PVOID)NULL);

        if (!KeInsertQueueApc(pApc, 0, NULL, 0))
        {
            DbgPrint("KernelExec->Failed to insert APC");
            ExFreePool(pApc);
            return STATUS_UNSUCCESSFUL;
        }
        else
        {
            DbgPrint("APC delivered");
            Status = STATUS_SUCCESS;
        }

        /* Hard-coded offset of KTHREAD.ApcState on the poster's build. */
        APCSTATE = (PKAPC_STATE)((ULONG)Thread + (ULONG)0x40);
        APCSTATE->UserApcPending = TRUE;
    }

    /* The original fell off the end without a return value; report the outcome instead. */
    return Status;
}