The hitchhiker’s guide to Windows APIs for Process Injection. — Part 3

<h1>The case for NT functions.</h1>
<p>Why bother calling functions directly from ntdll.dll when many of them are undocumented, require extensive preparation and are plainly harder to use?</p>
<p>The answer is simple: they are less detected by EDRs. Because they are not fully documented and may change without notice (they are not part of the official API, after all), they are less likely to be used by malicious actors and, as such, less monitored. One caveat worth keeping in mind: many EDRs still place user-mode hooks on the ntdll.dll exports themselves, so what you gain is skipping the hooks and telemetry on the higher-level kernel32/kernelbase wrappers, not invisibility.</p>
<h1>I am in, what should we do?</h1>
<p>To use the functions exported by ntdll.dll we first need a handle to the module; from that handle we can then resolve the address of each export we want to call.</p>
<h2>Importing DLLs at runtime.</h2>
<p>Windows offers two functions for getting hold of a DLL at runtime: <strong>GetModuleHandle</strong> and <strong>LoadLibrary</strong>. In this post I will use LoadLibrary, but GetModuleHandle works just as well, as both take the module name and return an HMODULE. The difference is that LoadLibrary maps the DLL if it is not already loaded and increments its reference count, whereas GetModuleHandle only returns the handle of a module already present in the process. Since ntdll.dll is mapped into every user-mode process, either call succeeds for it.</p>
<p><a href="https://medium.com/@raafat.abualazm96/the-hitchhikers-guide-to-windows-apis-for-process-injection-part-3-b5760a272025"><strong>Website</strong></a></p>