<img style="float:right" src="atlas.png" width="35%"/>

Windows API Abuse Atlas

WindowsAPIAbuseAtlas is an evolving map of the sneaky and lesser-known ways malware twists Windows APIs to hide, evade, and attack. It’s packed with practical reverse engineering insights, ready-to-use YARA rules, and clear behavioral clues that help defenders spot these tricks in the wild. Whether you’re hunting threats, building detections, or just curious about how bad actors operate behind the scenes, this atlas sheds light on complex Windows behavior ... empowering the cyber community to stay one step ahead.

Index

This is a living roadmap. As I knock out each entry, I’ll link it here, and I might add new ones along the way. If you don’t see a link yet, it’s either a placeholder for something I plan to write, or just an API that’s on the radar.

ADVAPI32.DLL

• AdjustTokenPrivileges
• ChangeServiceConfig2
• ControlService
• CreateProcessAsUserW
• CreateProcessWithTokenW
• CreateService
• CredEnumerateW
• CredReadW
• CryptEnumProviders
• DuplicateTokenEx
• ImpersonateLoggedOnUser
• LsaOpenPolicy
• LsaRetrievePrivateData
• OpenProcessToken
• OpenSCManager
• QueryServiceStatusEx
• RegCreateKeyEx
• RegEnumKeyEx
• RegSetValueEx

AMSI.DLL

• AmsiInitialize
• AmsiOpenSession
• AmsiScanBuffer
• AmsiScanString

DBGHELP

• MiniDumpWriteDump

DNSAPI.DLL

• DnsQuery

FWPUCLNT.DLL

• FwpmCalloutAdd
• FwpmCalloutRegister
• FwpmEngineOpen
• FwpmFilterAdd
• FwpIpsecRoutine0

KERNEL32.DLL

• ConvertThreadToFiber
• CreateEvent
• CreateFiber
• CreateFile
• CreateFileMapping
• CreateFileTransacted
• CreateNamedPipe
• CreateProcessInternalW
• CreateRemoteThread
• CreateToolhelp32Snapshot
• EnumProcesses
• EnumSystemLocalesW
• GetSystemFirmwareTable
• LoadLibrary
• MapViewOfFile + LoadLibraryA/W
• PssCaptureSnapshot
• QueueUserAPC
• SetDllDirectory
• SetProcessMitigationPolicy
• SetSearchPathMode
• SetThreadContext
• UpdateProcThreadAttribute
• VirtualAllocEx
• VirtualProtectEx
• WriteProcessMemory
• WriteProfileString

MPR.DLL

• WNetAddConnection2

NETAPI32.DLL

• DsGetDcName
• NetLocalGroupGetMembers
• NetRemoteTOD
• NetSessionEnum
• NetUserAdd
• NetWkstaUserEnum

NTDLL.DLL

• DbgUiRemoteBreakin
• EtwEventWrite
• EtwNotificationRegister
• EtwProviderEnabled
• LdrGetProcedureAddress
• LdrLoadDll
• NtAllocateVirtualMemory
• NtAlertResumeThread
• NtAlpcConnectPort
• NtCreateFile
• NtCreateKey
• NtCreateSection
• NtCreateThreadEx
• NtDeviceIoControlFile
• NtImpersonateThread
• NtLoadDriver
• NtMapViewOfSection
• NtOpenFile
• NtOpenProcessToken
• NtOpenThread
• NtProtectVirtualMemory
• NtQueueApcThread
• NtQueryInformationProcess
• NtQuerySystemInformation
• NtQueryVirtualMemory
• NtRaiseHardError
• NtReadVirtualMemory
• NtResumeThread
• NtSetDebugFilterState
• NtSetInformationFile
• NtSetInformationProcess
• NtSetInformationThread
• NtSetInformationToken
• NtSuspendProcess
• NtSystemDebugControl
• NtTraceEvent
• NtUnmapViewOfSection
• NtWriteVirtualMemory
• RtlCreateUserProcess
• RtlCreateUserThread
• SetThreadContext / GetThreadContext
• Wow64DisableWow64FsRedirection
• ZwQuerySystemInformationEx
• ZwUnmapViewOfSection

OLE32.DLL

• CoCreateInstance
• CoCreateInstanceEx
• CoGetClassObject
• CoSetProxyBlanket

PSAPI.DLL

• EnumProcessModules
• GetModuleFileNameEx
• GetModuleInformation
• GetProcessMemoryInfo

RASAPI32.DLL

• RasEnumConnections
• RasGetEntryDialParams
• RasGetEntryProperties

SETUPAPI.DLL

• InstallHinfSection
• SetupCopyOEMInf
• SetupDiGetClassDevs
• SetupDiEnumClassDeviceInfo
• SetupInstallFile
• SetupUninstallOEMInf

SHELL32.DLL

• ShellExecute
• SHGetKnownFolderPath

UIAUTOMATIONCORE

• AddAutomationEventHandler

URLMON.DLL

• URLDownloadToFile

USER32.DLL

• LockWorkStation
• Open Desktop
• SetClipboardData
• SetWindowsHookEx

WINHTTP.DLL

• WinHttpConnect

WINSTA.DLL

• WinStationQueryInformationW