The hitchhiker’s guide to Windows APIs for Process Injection. — Part 1

Raafat Abualazm
3 min read · Oct 1, 2023


What is Windows API?

Simply put, the Windows API is the set of functions exported by Windows through which a program tells the OS what to do. They are wrappers around system calls that let the programmer open a file, obtain a handle to a process, allocate memory, and much more.

A complete list of Windows API functions can be found on the Microsoft website.

HANDLE?

Windows is an object-oriented operating system. Everything in Windows is represented by an object in kernel space. A handle is a pointer to the kernel object representing the resource. So, if you want to interact with a process, you first need a handle to the process object.

Let’s look at an example:

OpenProcess is a function exported by the Windows API that allows the caller to obtain a handle to a process by referencing its process ID (PID) and specifying the desired level of access (read, write, delete, terminate and so on). The function either returns a valid handle value or NULL (0) if it failed to get the kernel’s permission to obtain the handle.

OpenProcess Syntax per Microsoft Documentation.

The “dw” prefix on parameter names stands for DWORD (double word), a fancy term for a 32-bit integer.

Handles are passed as inputs to functions as well. The next function fits the theme of this series: VirtualAllocEx.

VirtualAllocEx (short for Virtual Memory Allocate Extended) is a function that reserves a block of virtual memory with the requested protection (read, write and execute, or a combination) and returns a pointer to the allocated memory.

VirtualAllocEx Syntax per Microsoft Documentation.

As you can see, the very first argument is a HANDLE to the process in whose memory we want to allocate a region.

What about A and W variants of Windows API functions?

By default, Windows uses UTF-16LE, or wide characters (W), which occupy 2 bytes each, rather than ASCII characters (A), which use 1 byte. It does so because it must support a multitude of character sets (Arabic, Chinese, Sanskrit and the like) that plain ASCII, which can represent only the Latin letters used in English, cannot.

If you call a function name without an A or W suffix, the compiler will, by default, resolve it to the W variant that works on wide characters.

This only matters when the function takes a string as input or otherwise operates on strings.

StringCchCopyA copies one ASCII string to another.
StringCchCopyW copies one Wide Character string to another.
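As an added example (not code from the original post, and not the real strsafe.h implementation), the small C model below shows what the A/W split means in practice. CHAR_A, WCHAR_W, copy_a, copy_w and copy_t are constructed stand-ins for CHAR, WCHAR, StringCchCopyA, StringCchCopyW and the unsuffixed name; it demonstrates the 1-byte versus 2-byte storage cost, the UNICODE-driven choice of variant, and the Cch (count of characters) capacity rule that separates these routines from a plain strcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the A/W convention, not the real strsafe.h code.
 * "A" routines work on 1-byte ANSI/ASCII chars, "W" routines on 2-byte
 * UTF-16LE code units (wchar_t is 4 bytes on Linux, so a fixed 16-bit
 * type stands in for Windows' WCHAR). */
typedef char     CHAR_A;
typedef uint16_t WCHAR_W;

/* Capacity is in CHARACTERS (the "Cch" in StringCchCopy), the result is
 * always NUL-terminated, and -1 signals that the source was truncated. */
static int copy_a(CHAR_A *dst, size_t cch_dst, const CHAR_A *src) {
    size_t i;
    if (cch_dst == 0) return -1;
    for (i = 0; src[i] != 0 && i + 1 < cch_dst; i++) dst[i] = src[i];
    dst[i] = 0;
    return src[i] == 0 ? (int)i : -1;   /* characters copied, or -1 */
}
static int copy_w(WCHAR_W *dst, size_t cch_dst, const WCHAR_W *src) {
    size_t i;
    if (cch_dst == 0) return -1;
    for (i = 0; src[i] != 0 && i + 1 < cch_dst; i++) dst[i] = src[i];
    dst[i] = 0;
    return src[i] == 0 ? (int)i : -1;
}

/* The unsuffixed name is only a preprocessor alias; with UNICODE defined
 * (the default in modern Windows projects) it resolves to the W variant. */
#ifdef UNICODE
#  define copy_t copy_w
#else
#  define copy_t copy_a
#endif

/* Storage in bytes, terminator included: the same text costs twice as much
 * in W form, so a W buffer of N bytes holds only N/2 characters. */
static size_t bytes_a(const CHAR_A *s) { return (strlen(s) + 1) * sizeof(CHAR_A); }
static size_t bytes_w(const WCHAR_W *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return (n + 1) * sizeof(WCHAR_W);
}
```

The truncation path is the point of the Cch family: a too-small destination still ends up NUL-terminated and the caller is told it was cut, instead of the write running past the buffer.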
