Kernel DLL Injector (full)

Kernel DLL Injector: A Powerful Tool for Windows Internals

Introduction

  1. The injector locates the target thread's KTHREAD (PsLookupThreadByThreadId returns the ETHREAD that wraps it) and the target process's EPROCESS, and checks that the thread actually belongs to that process.
  2. It allocates a KAPC structure from non-paged pool. The injector owns that memory: it must be freed from the APC's KernelRoutine once the APC fires, or from its RundownRoutine if the thread exits first.
  3. It initializes the APC with KeInitializeApc (exported by ntoskrnl but undocumented), with ApcMode set to UserMode and NormalRoutine pointing at LoadLibrary (or a custom loader stub). That address must be valid inside the target process: native processes share kernel32's per-boot base, but a WoW64 target uses a different 32-bit kernel32. The DLL path passed as NormalContext must already sit in the target's user address space.
  4. It queues the APC on the target thread with KeInsertQueueApc. A FALSE return means the thread no longer accepts APCs (typically because it is terminating), and the KAPC is then still the injector's to free.
  5. The APC fires when the target thread next enters an alertable wait (SleepEx, WaitForSingleObjectEx and friends with bAlertable set, or an overlapped I/O completion routine). A thread that never waits alertably never runs it, which is why injectors either pick a thread known to wait alertably or queue a kernel-mode APC that calls KeTestAlertThread(UserMode) to force delivery on the next return to user mode.

Mapping a DLL as a memory section

If you absolutely must inject from Ring 0, consider using RtlCreateUserThread + LdrLoadDll instead: still complex, since the thread start address and the path string both have to be valid in the target's user address space, but it does not depend on the target thread ever becoming alertable.