Most malware wants to implant its second stage quickly and get out of the first-stage payload as soon as it can. It does this by writing the second-stage payload bytes into executable memory and then passing control there, either by creating a new thread that starts at that address or by redirecting an existing, legitimate thread to it. In this post we examine the four main ways malware accomplishes this:

CreateThread and CreateRemoteThread

QueueUserAPC

Set Thread IP

SetWindowsHookExA
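The basic hand-off the introduction describes, shown as an added example that is not code from the original post: a small position-independent stub is written into freshly mapped executable memory and a new thread is started with that address as its entry point. On Windows this is VirtualAlloc plus CreateThread, the first technique in the list above (CreateRemoteThread does the same in another process after VirtualAllocEx and WriteProcessMemory); on POSIX the same idea is shown with mmap plus pthread_create so the file builds and runs on either platform. The payload bytes are a constructed x86-64 stub (mov eax, 42 ; ret) whose return value proves control actually reached the injected memory; the function and constant names are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define STAGE_TWO_RESULT 42

/* Constructed payload, x86-64 only: "mov eax, 0x2a ; ret".
 * A thread started here simply returns 42 as its exit value. */
static const unsigned char g_stage_two[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 0x2a */
    0xC3                            /* ret           */
};

#if defined(_WIN32)
#include <windows.h>

/* Local-process variant: VirtualAlloc + CreateThread (page's first technique). */
int run_stage_two_in_thread(void)
{
    /* RWX for brevity; real loaders often allocate RW, copy, then
     * VirtualProtect to RX so the page is never writable and executable at once. */
    void *mem = VirtualAlloc(NULL, sizeof g_stage_two,
                             MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!mem) return -1;
    memcpy(mem, g_stage_two, sizeof g_stage_two);

    /* New thread whose start address is the injected buffer, not any loaded image. */
    HANDLE th = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);
    if (!th) { VirtualFree(mem, 0, MEM_RELEASE); return -1; }

    WaitForSingleObject(th, INFINITE);
    DWORD code = 0;
    GetExitCodeThread(th, &code);
    CloseHandle(th);
    VirtualFree(mem, 0, MEM_RELEASE);
    return (int)code;
}

#else
#include <sys/mman.h>
#include <pthread.h>

/* POSIX analogue of the same hand-off: mmap(RWX) + pthread_create. */
int run_stage_two_in_thread(void)
{
#if !defined(__x86_64__)
    return -1;                      /* payload bytes are x86-64 only */
#else
    size_t len = sizeof g_stage_two;
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, g_stage_two, len);

    /* Copy the data pointer into a function pointer (avoids a UB cast). */
    void *(*entry)(void *);
    memcpy(&entry, &mem, sizeof entry);

    pthread_t th;
    if (pthread_create(&th, NULL, entry, NULL) != 0) { munmap(mem, len); return -1; }

    void *ret = NULL;
    pthread_join(th, &ret);         /* "mov eax, 42" zero-extends into rax */
    munmap(mem, len);
    return (int)(intptr_t)ret;
#endif
}
#endif

int main(void)
{
    int r = run_stage_two_in_thread();
    printf("stage two returned %d (%s)\n", r,
           r == STAGE_TWO_RESULT ? "control reached the injected memory"
                                 : "payload not executed");
    return r == STAGE_TWO_RESULT ? 0 : 1;
}
```

From the defender's side the tell is the same on both platforms: a thread whose start address lies in anonymous, non-image-backed memory. On Windows that is what tools like Sysmon Event ID 8 (CreateRemoteThread) and thread-start-address scanners key on, which is also why the later techniques in this post exist.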