Windows API Call Flow

Interactive visualization showing how API calls flow from user applications through system layers to the Windows kernel. Essential for understanding malware evasion techniques.

By Mohamed Habib Jaouadi, January 7, 2025
#windows-api
#malware-development
#system-internals
#security
#evasion

Explore how a simple API call travels from your application through multiple layers to reach the Windows kernel. Understanding this flow is crucial for malware development and evasion techniques.

User Application

Application calls Windows API function

#include <windows.h>
HANDLE hFile = CreateFileW(
    L"C:\\temp\\test.txt",
    GENERIC_WRITE,
    ...

Subsystem DLL

kernel32.dll processes the request

// Inside kernel32.dll
HANDLE WINAPI CreateFileW(
    LPCWSTR lpFileName,
    DWORD dwDesiredAccess,
    ...

Ntdll.dll

Native API transition to kernel mode

// Inside ntdll.dll
NTSTATUS NtCreateFile(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    ...

System Call

Transition from user mode to kernel mode

; Assembly level transition
mov eax, 0x55   ; System call number for NtCreateFile
mov r10, rcx
...

Kernel

Kernel executes the requested operation

// Kernel space (ntoskrnl.exe)
NTSTATUS NtCreateFile(/* parameters */) {
    // Validate object path...
User Application

Application calls Windows API function

Key Points:

  • High-level API call from user code
  • Familiar function names and parameters
  • Most commonly used by developers
  • Easy to detect and monitor

Code Example:

#include <windows.h>
#include <stdio.h>

int main(void)
{
    // Documented Win32 call: the first user-mode layer in the chain.
    HANDLE hFile = CreateFileW(
        L"C:\\temp\\test.txt",   // lpFileName
        GENERIC_WRITE,           // dwDesiredAccess
        0,                       // dwShareMode: no sharing while open
        NULL,                    // lpSecurityAttributes: default
        CREATE_ALWAYS,           // dwCreationDisposition: overwrite if it exists
        FILE_ATTRIBUTE_NORMAL,   // dwFlagsAndAttributes
        NULL                     // hTemplateFile
    );
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFileW failed: %lu\n", GetLastError());
        return 1;
    }
    CloseHandle(hFile);
    return 0;
}
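The layers above are easy to talk about but worth seeing in a live process. The following PowerShell script is an added example, not code from the original post: it resolves the Win32 entry point (kernel32!CreateFileW) and the Native API entry point (ntdll!NtCreateFile) in the current process and reports which loaded module actually hosts each address. The function name Get-ApiLayer and the column names are this example's own; the only Win32 calls used are the documented GetModuleHandleW and GetProcAddress.

```powershell
# Added example (not from the original post): map each user-mode layer's
# entry point to the module that really contains its code.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

function Get-ApiLayer {
    param(
        [Parameter(Mandatory)] [string] $Module,
        [Parameter(Mandatory)] [string] $Function
    )
    $hMod = [Win32.Native]::GetModuleHandleW($Module)
    if ($hMod -eq [IntPtr]::Zero) { throw "$Module is not loaded in this process" }

    $addr = [Win32.Native]::GetProcAddress($hMod, $Function)
    if ($addr -eq [IntPtr]::Zero) { throw "$Function is not exported by $Module" }
    $target = $addr.ToInt64()

    # GetProcAddress follows export forwarders, so the returned pointer may
    # live in a different DLL than the one we asked for. Find the loaded
    # module whose address range contains it.
    $owner = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
        Where-Object {
            $base = $_.BaseAddress.ToInt64()
            ($target -ge $base) -and ($target -lt ($base + $_.ModuleMemorySize))
        } | Select-Object -First 1

    [pscustomobject]@{
        Requested = "$Module!$Function"
        Address   = ('0x{0:X}' -f $target)
        HostedBy  = if ($owner) { $owner.ModuleName } else { '<unknown>' }
        Forwarded = [bool]($owner -and ($owner.ModuleName -ne $Module))
    }
}

# Walk the user-mode layers from the post: Win32 API, then Native API.
@(
    Get-ApiLayer -Module 'kernel32.dll' -Function 'CreateFileW'
    Get-ApiLayer -Module 'ntdll.dll'    -Function 'NtCreateFile'
) | Format-Table -AutoSize
```

Run it in a 64-bit PowerShell session on Windows. Depending on the build, the kernel32 row may report that CreateFileW is hosted by KernelBase.dll rather than kernel32.dll: that is the forwarding the "Subsystem DLL" layer hides, and it matters for anyone placing or auditing user-mode hooks, since a hook on the kernel32 export never sees code that runs in KernelBase. The ntdll row is the last stop visible from user mode; after the stub shown in the "System Call" step executes, only kernel-side telemetry (ETW providers, filter drivers, kernel callbacks) records what happened, which is why defenders should not treat the Win32 layer, despite being "easy to detect and monitor", as the authoritative one.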