OpenRCE_EliCZ
March 6th, 2008, 14:20
This Rtl function has been in NT since its very beginning; it was used by winsrv for remote break-in and by the POSIX subsystem to perform signal handling. I think the main reason for this function was the non-existence of user APC support prior to NT 4.0. In NT 4.0 and 2000 it still persisted, but I think it could be re-implemented via APC. Since XP this function has become rudimentary. I think using RtlRemoteCall for an arbitrary thread is not good because it works with CONTEXT_FULL. Imagine a thread that waits (in kernel mode): you get/set its context, you must wait (how long?) for the thread to return from the wait with a wait return value. Then the thread goes to your target function and, when you're about to restore the thread's context, you will restore it, but you will return a bad wait return value (the value as it was before the wait was satisfied)! For a known-thread scenario one could use an APC - server: QueueUserAPC, client: alertable wait. Compared to CreateRemoteThread, RtlRemoteCall additionally requires a handle to the target thread, but then, it doesn't send DLL notifications.
https://www.openrce.org/blog/view/608/Re:_RtlRemoteCall