
kernel32.dll - VirtualAllocEx + WriteProcessMemory

⚠️ Critical Risk | 📁 Windows API | 🏷️ process injection | ✅ Verified
#windows-api #process-injection #lotl

🔧 API Details

Namespace

kernel32.dll

Language

C/C++ (P/Invoke)

Class

VirtualAllocEx, WriteProcessMemory

📊 Risk Assessment

Severity

Critical

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

70%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Process injection

Technique: T1055.001

🚨 Common in Campaigns

Allocate memory in remote process and write shellcode

Code Example:

    // Reserve and commit an RWX region in the target process, then copy the payload into it
    LPVOID addr = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, addr, shellcode, size, NULL);

Detection Difficulty: Medium

🔍 Detection Strategies

Microsoft Defender

MEDIUM Effectiveness

Behavioral detection based on API patterns

🛡️ Mitigation Strategies

monitoring

EASY Feasibility

Monitor usage of kernel32.dll - VirtualAllocEx + WriteProcessMemory

🕵️ Threat Intelligence

🔨 Tools

Cobalt Strike

Mimikatz

📋 Metadata

API ID

00986378-8061-45f3-97d3-914b37e679f8

Created

2026-01-31

Author

Claw