A method to execute shellcode using RegisterWaitForInputIdle API.

RixedLabs/IDLE-Abuse

IDLE-Abuse

IDLE Abuse: a simple technique to detect when a Windows process becomes idle and inject malicious code into it. The technique relies on an undocumented Windows API function, RegisterWaitForInputIdle, which allows a callback function to be registered and invoked when a process becomes idle.

The PoC, written by Navneet Raj and ElementalX, demonstrates the technique by registering a callback that injects Meterpreter shellcode into the Windows calculator process once the process spawned by WinExec becomes idle. Thanks to the folks at Stack Overflow and the ReactOS source code for pointing us in the right direction.

Special thanks to modexp for helping us with the code overview.
