Created
January 9, 2022 20:18
-
-
Save odzhan/6a4c571a4a9ba55c786e6645e51de273 to your computer and use it in GitHub Desktop.
User-mode API hooked by EDR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The following is a list of user-mode API that can sometimes be hooked by an EDR. It's not an extensive list by any means. | |
| ntdll!NtAllocateVirtualMemory | |
| ntdll!ZwFreeVirtualMemory | |
| ntdll!NtMapViewOfSection | |
| ntdll!NtOpenProcess | |
| ntdll!NtUnmapViewOfSection | |
| ntdll!NtWriteVirtualMemory | |
| ntdll!NtProtectVirtualMemory | |
| ntdll!NtLoadDriver | |
| ntdll!NtResumeThread | |
| ntdll!LdrLoadDll | |
| ntdll!NtDeviceIoControlFile | |
| ntdll!NtSetContextThread | |
| ntdll!NtSetInformationProcess | |
| ntdll!NtQuerySystemInformation | |
| ntdll!NtQuerySystemInformationEx | |
| ntdll!NtSetInformationThread | |
| ntdll!NtReadVirtualMemory | |
| ntdll!NtQueueApcThread | |
| ntdll!NtQueueApcThreadEx | |
| ntdll!NtQueueApcThreadEx2 | |
| ntdll!NtCreateThreadEx | |
| ntdll!KiUserApcDispatcher | |
| ntdll!NtCreateUserProcess | |
| ntdll!NtTerminateProcess | |
| ntdll!RtlAddVectoredExceptionHandler | |
| ntdll!NtReadFile | |
| ntdll!NtMapUserPhysicalPages | |
| ntdll!RtlQueryEnvironmentVariable | |
| kernel32!Wow64SetThreadContext | |
| kernel32!GetLogicalDriveStringsW | |
| kernel32!GetLogicalDriveStringsA | |
| kernel32!GetDriveTypeW | |
| kernel32!GetDriveTypeA | |
| kernelbase!UnhandledExceptionFilter | |
| kernelbase!LoadLibraryA | |
| kernelbase!CopyFileExW | |
| kernelbase!CreateProcessInternalW | |
| kernelbase!ReadConsoleW | |
| kernelbase!ReadConsoleInputW | |
| kernelbase!FindFirstFileExW | |
| kernelbase!WriteFile | |
| kernelbase!GetComputerNameExW | |
| win32u!NtUserFindWindowEx | |
| win32u!NtUserSetProp | |
| user32!EnumWindows | |
| user32!SetPropW | |
| user32!SetPropA | |
| user32!GetAsyncKeyState | |
| user32!GetKeyState | |
| user32!SetWindowLongW | |
| user32!SetWindowLongA | |
| user32!SetWindowLongPtrW | |
| user32!SetWindowLongPtrA | |
| user32!SetWindowsHookExW | |
| user32!SetWindowsHookExA | |
| user32!SetWinEventHook | |
| user32!RegisterRawInputDevices | |
| user32!CreateWindowExW | |
| user32!CreateWindowExA | |
| user32!ShowWindow | |
| user32!GetMessageW | |
| user32!GetMessageA | |
| user32!PeekMessageW | |
| user32!PeekMessageA | |
| user32!GetKeyboardState | |
| user32!AttachThreadInput | |
| user32!SystemParametersInfoW | |
| user32!SystemParametersInfoA | |
| user32!HMValidateHandle_x64_OS | |
| user32!HMValidateHandle_x86_OS | |
| user32!RegisterDeviceNotificationW | |
| user32!RegisterDeviceNotificationA | |
| mpclient!WDEnable | |
| ole32!CoRegisterClassObject | |
| ole32!CoGetClassObject | |
| ole32!CoGetObject | |
| ole32!CoCreateInstance | |
| ole32!CoGetInstanceFromIStorage | |
| SSPICLI!LsaCallAuthenticationPackage | |
| SSPICLI!InitializeSecurityContextW | |
| urlmon!CreateURLMonikerEx | |
| crypt32!CryptUnprotectData | |
| crypt32!CryptEncryptMessage | |
| gdi32full!BitBlt | |
| winhttp!WinHttpSetStatusCallback | |
| Shell32!Shell_NotifyIconW | |
| jscript!JSCollectGarbage | |
| Advapi32!SaferIdentifyLevel | |
| spoolsv.exe!PrvAddPrinterDriverExW |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment