| API Function | Purpose |
|---|---|
| CreateProcess / CreateProcessW | Spawns a new process |
| OpenProcess | Gets a handle to a target process |
| GetCurrentProcessId / GetCurrentThreadId | Returns the current PID or TID |
| VirtualAllocEx | Allocates memory in a remote process |
| WriteProcessMemory | Writes shellcode or a DLL path into a remote process |
| CreateThread / CreateRemoteThread | Starts a thread in the current process / starts a thread in another process (classic injection) |
| NtCreateThreadEx | Low-level thread creation (often bypasses hooks) |
| QueueUserAPC | Schedules an APC payload in a remote thread |
| SuspendThread / ResumeThread | Used in process hollowing / thread hijacking |
| API Function | Purpose |
|---|---|
| CreateToolhelp32Snapshot | Takes a snapshot of all processes, threads, modules, or heaps in the system. |
| Process32First / Process32FirstW | Retrieves information about the first process in a snapshot. |
| Process32Next / Process32NextW | Retrieves information about the next process in a snapshot. |
| Thread32First / Thread32FirstW | Retrieves information about the first thread in a snapshot. |
| Thread32Next / Thread32NextW | Retrieves information about the next thread in a snapshot. |
| EnumProcesses | Enumerates process identifiers for all running processes. |
| OpenProcess | Opens a handle to a process (used after enumeration). |
| NtQuerySystemInformation | Undocumented API often used to retrieve process and system information. |
[Diagram residue: WinAPI call chain, user code (function call) → Kernel32.dll]
Extra WinAPI resource: http://malapi.io
On malapi.io, if you enable "mapping mode", you can select the WinAPI functions that appear in your sample and then use "export table" to get a table for it.
| API Function | Purpose |
|---|---|
| LoadLibraryA / LoadLibraryW | Loads a DLL into the calling process |
| GetProcAddress | Resolves function pointers |
| LdrLoadDll (ntdll) | Manual DLL loading (stealthy) |
| NtMapViewOfSection | Used in process hollowing / mapping a PE in memory |
| NtUnmapViewOfSection | Used before remapping a new image |
| RtlCreateUserThread | Alternative to CreateRemoteThread |
| SetThreadContext / GetThreadContext | Used in classic hollowing and injection tricks |
[Diagram residue: call chain continues through Kernelbase.dll (some functions bypass kernelbase.dll)]
| API Function | Notes |
|---|---|
| IsDebuggerPresent | Checks the PEB flag to see if the current process is being debugged |
| CheckRemoteDebuggerPresent | Checks whether a debugger is attached to the current process. The name can be misleading |
| NtQueryInformationProcess | Native API function in NTDLL that retrieves information about a given process. If the second parameter is set to ProcessDebugPort (0x7), it is asking whether the process is being debugged |
| OutputDebugString | Used to send a string to a debugger for display. This can be used to detect the presence of a debugger |
| fs:[30] (+2) | PEB debug flag for a 32-bit process |
| gs:[60] (+2) | PEB debug flag for a 64-bit process |
| QueryPerformanceCounter | Called to query the processor performance counter |
| GetTickCount | Returns the number of milliseconds that have elapsed since the last system reboot |
| API Function | Purpose |
|---|---|
| NetUserEnum / NetUserGetInfo | Enumerate local/domain users |
| GetUserName / GetUserNameEx | Gets current user info |
| NetLocalGroupEnum | Lists local groups |
| NetSessionEnum | Lists active sessions |
| WNetEnumResource | Lists shared network resources |
| GetComputerName | Gets the hostname |
| GetAdaptersInfo / GetIpAddrTable | Network enumeration |
| EnumServicesStatusEx | Lists services and their state |
| RegOpenKeyEx / RegQueryValueEx | Registry access (common in persistence) |
| API Function | Purpose |
|---|---|
| NtQueryInformationProcess | Leak process info such as the PEB or command line |
| NtProtectVirtualMemory | Change memory permissions (for unhooking) |
| NtReadVirtualMemory / NtWriteVirtualMemory | Low-level memory access |
| VirtualQueryEx | Checks the memory layout of another process |
| ReadProcessMemory | Reads target memory (for parsing shellcode, etc.) |
| GetModuleHandle | Grabs a loaded DLL's base address |
| GetThreadStartAddress (via NtQueryInformationThread) | Used to detect or hijack thread execution |
| API Function | Purpose |
|---|---|
| OpenProcessToken | Retrieves a handle to a process's access token |
| LookupPrivilegeValue | Gets the LUID for a privilege |
| AdjustTokenPrivileges | Enables or disables privileges (e.g., SeDebugPrivilege) |
| ImpersonateLoggedOnUser | Runs code under another user's security context |
| DuplicateTokenEx | Clones an existing token |
| LogonUser | Authenticates a user and returns a token (useful for pivoting) |
| API Function | Purpose |
|---|---|
| LsaGetLogonSessionData | Dump session info from LSASS |
| LsaEnumerateLogonSessions | Get the list of user sessions |
| LsaRetrievePrivateData | Extract sensitive LSA secrets (requires SeTrustedCredManAccessPrivilege) |
| CryptUnprotectData | Decrypt DPAPI secrets (Chrome creds, etc.) |
| OpenProcess + ReadProcessMemory | For dumping LSASS manually |
| MiniDumpWriteDump | Used to dump LSASS memory with debugging privileges |
| API Function | Purpose |
|---|---|
| WSAStartup | Initializes the Winsock library (required before using sockets). |
| WSASocketA / WSASocketW | Creates a socket (TCP/UDP). |
| WSACleanup | Terminates use of the Winsock library. |
| connect / send / recv / closesocket / select | Establishes a connection / sends data / receives data / closes a socket / checks socket state. |
| getaddrinfo | Resolves a hostname to an IP address (modern). |
| InternetOpenA / InternetOpenW | Initializes an Internet session (WinInet API). |
| InternetConnectA / InternetConnectW | Connects to an HTTP/HTTPS server. |
| HttpOpenRequestA / HttpOpenRequestW | Creates an HTTP request handle. |
| HttpSendRequestA / HttpSendRequestW | Sends an HTTP request. |
| InternetReadFile | Reads data from an HTTP response. |
| InternetCloseHandle | Closes an Internet handle (session, request, etc.). |
| InternetSetOption | Configures Internet connection options (proxy, SSL, etc.). |
| InternetCrackUrlA / InternetCrackUrlW | Parses a URL into its components. |
| WinHttpOpen | Initializes a WinHTTP session. |
| WinHttpConnect | Connects to an HTTP/HTTPS server. |
| WinHttpOpenRequest | Creates an HTTP request (WinHTTP API). |
| WinHttpSendRequest | Sends the HTTP request. |
| WinHttpReceiveResponse | Receives the server's HTTP response. |
| WinHttpReadData | Reads response data from a WinHTTP request. |
| WinHttpCloseHandle | Closes a WinHTTP session or request handle. |
| DnsQuery_A / DnsQuery_W | Queries DNS records (A, TXT, MX, etc.). |
| DnsQueryConfig | Retrieves DNS client configuration settings. |
| GetAddrInfoW | Resolves a domain name to an IP (Unicode). |
| GetAddrInfoEx | Extended name resolution (with more control/parameters). |
| GetNameInfoW | Resolves an IP address to a hostname (reverse lookup). |
| URLDownloadToFileA / URLDownloadToFileW | Downloads a file directly from a URL (URLMon API). |
| API Function | Purpose |
|---|---|
| CreateService / StartService | Abused for persistence or privilege escalation |
| ChangeServiceConfig | Modifies existing services |
| RegisterScheduledTask | Creates scheduled-task persistence |
| RegSetValueEx | Registry-based persistence |
| ShellExecuteEx / WinExec | Executes commands through COM/Shell |
[Diagram residue: call chain continues Ntdll.dll → syscall → ntoskrnl.exe]