B WINDOWS FUNCTIONS USED FOR EVASION

This appendix describes Windows functions that are commonly used for the evasion techniques discussed in this book. It is not a comprehensive list of functions that threat actors might abuse; these are the ones I believe are the most interesting or important to be familiar with for malware analysis.

Note that the functions are written without their A and W suffixes, which distinguish the ANSI (single-byte) and wide (UTF-16) string variants of the same API. For example, CreateFileW is listed only as CreateFile. Also, some functions have both an Nt and a Zw variant, such as NtLoadDriver and ZwLoadDriver, but only the Nt variant is listed here; from user mode, both names in ntdll.dll resolve to the same system call stub. For more ...
