Injector — Kernel Dll
The driver queues an APC to a thread in the target process, forcing it to execute code that loads the DLL while the thread is in an alertable state.
Queues a kernel-mode APC to execute LoadLibrary in the target thread context. Reference implementation: injdrv (GitHub), a kernel-mode DLL injector.
Standard user-mode injection techniques share a common flaw: they are visible to API hooks placed by antivirus (AV) and endpoint detection and response (EDR) solutions. Microsoft's User Mode API Monitoring, for example, places hooks on NtCreateThreadEx or NtMapViewOfSection. When malware calls these APIs, the security software inspects the call and blocks it.
Antivirus and EDR products have evolved kernel defenses specifically against these techniques.
Instead of LoadLibrary, the injector maps the DLL as an image section (ZwCreateSection with SEC_IMAGE), then duplicates the section handle into the target process via ObDuplicateObject. The driver then rewrites the target's PEB to point to the new image's base address, before the process even starts.