The hitchhiker’s guide to Windows APIs for Process Injection. — Part 3
<h1>The case for NT functions.</h1>
<p>Why bother using functions directly from ntdll.dll when many of them are undocumented, require extensive preparation, and are plainly harder to use?</p>
<p>It is easy: they are less detected by EDRs. Since they are not fully documented and might change without notice (they are not part of the official API, after all), they are less likely to be used by malicious actors and as such are less monitored.</p>
<h1>I am in, what should we do?</h1>
<p>To begin using functions exported by ntdll.dll, we first have to import it, or rather obtain a handle to the module, so that we can make use of the functions it exports.</p>
<h2>Importing DLLs at runtime.</h2>
<p>Windows offers two ways to obtain a module handle at runtime: <strong>GetModuleHandle</strong> and <strong>LoadLibrary</strong>. In this post I will use LoadLibrary, but GetModuleHandle works just as well, as they have the same function prototype (both take the module name and return an HMODULE).</p>
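As an added illustration of the two calls just named (this is example code written for this edit, not code from the original post), the PowerShell below calls GetModuleHandle and LoadLibrary through P/Invoke and compares what each returns for ntdll.dll. The type name <code>Win32Demo.Kernel32</code> and the choice of <code>winhttp.dll</code> as a "probably not yet loaded" module are assumptions of the example, not anything from the post.

```powershell
# Added example (not from the original post): compare GetModuleHandle and LoadLibrary
# when asked for ntdll.dll. Both take a module name and return an HMODULE, which is
# why the post treats them as interchangeable for this purpose.
$signatures = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpLibFileName);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hLibModule);
'@
# "Win32Demo.Kernel32" is a type name chosen for this example.
$k32 = Add-Type -MemberDefinition $signatures -Name 'Kernel32' -Namespace 'Win32Demo' -PassThru

# ntdll.dll is mapped into every user-mode process before any of our code runs,
# so GetModuleHandle finds it without loading anything new.
$viaHandle = $k32::GetModuleHandleW('ntdll.dll')

# LoadLibrary on an already-loaded module returns the same base address and only
# increments the module's reference count, which FreeLibrary decrements later.
$viaLoad = $k32::LoadLibraryW('ntdll.dll')

"GetModuleHandle(ntdll.dll): 0x{0:X}" -f $viaHandle.ToInt64()
"LoadLibrary(ntdll.dll):     0x{0:X}" -f $viaLoad.ToInt64()
"Same base address:          {0}" -f ($viaHandle -eq $viaLoad)

# A module that is not yet loaded shows the difference between the two calls:
# GetModuleHandle returns NULL (0) while LoadLibrary maps it and returns a real handle.
# winhttp.dll is only an example; if your host already has it loaded, pick another system DLL.
$notLoaded = $k32::GetModuleHandleW('winhttp.dll')
"GetModuleHandle(winhttp.dll) before load: 0x{0:X}" -f $notLoaded.ToInt64()
$loaded = $k32::LoadLibraryW('winhttp.dll')
"LoadLibrary(winhttp.dll):                 0x{0:X}" -f $loaded.ToInt64()

# Balance the reference counts this script added.
[void]$k32::FreeLibrary($loaded)
[void]$k32::FreeLibrary($viaLoad)
```

The practical takeaway for ntdll.dll specifically: because it is already present in every process, GetModuleHandle is sufficient and has no side effect, whereas LoadLibrary adds a reference that should be released with FreeLibrary. From a monitoring standpoint, a LoadLibrary call for a module that is already mapped is ordinary and generates no new image-load event, so neither call by itself is a useful detection signal; what matters is what the resolved handle is subsequently used for.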
<p><a href="https://medium.com/@raafat.abualazm96/the-hitchhikers-guide-to-windows-apis-for-process-injection-part-3-b5760a272025"><strong>Website</strong></a></p>