Code sketch of the overall idea (kernel driver queues a user-mode APC back into the calling thread):
//in kernel mode
/* Most recently queued APC object. SendApc overwrites this on every call, so
   a second caller replaces the pointer before the first APC is delivered, and
   nothing in this file frees it; the kernel routine MyApcRoutine (not shown)
   presumably owns the release -- confirm before relying on it. */
PKAPC OurApc;
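/*
 * Queue a user-mode APC on the calling thread so that, when the thread next
 * returns to user mode, it runs the routine at `addr` in the thread's own
 * context.
 *
 * addr  - address of the user-mode routine to run (the APC NormalRoutine).
 * arg1  - handed to KeInitializeApc as NormalContext.
 * arg2  - handed to KeInsertQueueApc as SystemArgument1.
 * arg3  - handed to KeInsertQueueApc as SystemArgument2.
 *
 * The APC object comes from non-paged pool and is published through the
 * global OurApc. MyApcRoutine (not shown here) is the kernel-mode routine
 * that runs before the user routine; this function never frees the object,
 * so the release must happen elsewhere -- TODO confirm in MyApcRoutine.
 *
 * Review notes: the user-mode sketch in this file suggests `addr` arrives
 * from an IOCTL buffer, i.e. an untrusted caller chooses the code that runs.
 * The function returns nothing, so callers cannot learn whether the APC was
 * actually queued; the early returns below fail closed (no APC, no dangling
 * pointer) rather than dereferencing a NULL allocation or leaking the object.
 */
void SendApc(ulong addr,ulong arg1,ulong arg2,ulong arg3)
{
    PKTHREAD thread = KeGetCurrentThread();
    PKAPC apc;

    /* KeInitializeApc treats a NULL NormalRoutine as a kernel-mode (special)
       APC rather than a user-mode one -- presumably never what the caller of
       this function intends, so refuse it. */
    if (addr == 0) {
        return;
    }

    /* Pool allocation can fail; the original passed the result straight to
       KeInitializeApc without checking. */
    apc = ExAllocatePool(NonPagedPool, sizeof(struct _KAPC));
    if (apc == NULL) {
        return;
    }
    OurApc = apc;

    /* Environment 0 = original APC environment, no rundown routine,
       ProcessorMode 1 = user mode (as in the original call); arg1 becomes
       the routine's NormalContext. */
    KeInitializeApc(apc, thread, 0,
                    (PKKERNEL_ROUTINE)&MyApcRoutine, 0,
                    (PKNORMAL_ROUTINE)addr, 1, (PVOID)arg1);

    /* KeInsertQueueApc returns FALSE when the APC could not be queued (for
       instance when APC queuing is disabled for the thread). The original
       ignored the result, leaving OurApc pointing at an object that will never
       be delivered or freed. */
    if (!KeInsertQueueApc(apc, (PVOID)arg2, (PVOID)arg3, 0)) {
        OurApc = NULL;
        ExFreePool(apc);
        return;
    }

    /* Force delivery. The original author identifies KTHREAD+0x4a as
       KTHREAD.ApcState (+0x34) .UserApcPending (+0x16) and sets it to 1 so the
       user APC fires on the next return to user mode. This offset is tied to
       one specific OS build; on any other build this writes an unrelated byte
       of the thread object. Kept as-is because the technique depends on it,
       but it is the single most fragile line in this file. */
    *((unsigned char *)thread + 0x4a) = 1;
}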
//in user mode
/* User-mode routine that SendApc schedules as the APC's NormalRoutine.
   Based on how SendApc fills in the APC, it should receive arg1 = the value
   passed as NormalContext and arg2/arg3 = the two SystemArguments -- confirm
   against the NormalRoutine calling convention. The body is elided in the
   original listing. */
void Ring3App(ulong arg1,ulong arg2,ulong arg3)
{
.
}
void SendQp(..)
{
.
SendBuf = BuildUpIrp(IRP_XXX_YYYY);
SendBuf->BackAddr=(ULONG)Ring3App;
.
ReturnBuf = SendIrp(hDevice,SendBuf,sizeof(SendBuf));
.
.