kernel32.dll - GetProcAddress
⚠️ High Risk · 📁 Windows Native API · 🏷️ api resolution · ✅ Verified
#windows-native-api#api-resolution#obfuscation
🔧 API Details
Namespace
kernel32.dll
Language
C/C++ (P/Invoke)
Function
GetProcAddress
📊 Risk Assessment
Severity
High
Prevalence
widespread
Ease of Abuse
easy
Likelihood in Real Attacks
90%
🎯 MITRE ATT&CK Techniques
⚡ Abuse Scenarios
API obfuscation
Technique: T1036.004
Resolve API addresses at runtime to avoid static detection
Code Example:
#include <windows.h>

typedef HANDLE (WINAPI *pCreateRemoteThread)(HANDLE, LPVOID, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
// Resolve the export at runtime instead of importing it; the variable must not reuse the typedef's name
pCreateRemoteThread fnCreateRemoteThread = (pCreateRemoteThread)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateRemoteThread");
Detection Difficulty: Hard
🔍 Detection Strategies
Sysmon
LOW Effectiveness: Difficult to detect in isolation; combine with behavioral analysis
EDR
MEDIUM Effectiveness: Monitor for excessive GetProcAddress calls from suspicious processes
🛡️ Mitigation Strategies
code
HIGH Feasibility: Prefer static linking for critical APIs
🕵️ Threat Intelligence
👥 APT Groups / Threat Actors
APT28
Lazarus
APT29
🦠 Malware Families
NotPetya
WannaCry (variant)
🔨 Tools
Cobalt Strike
Mimikatz
📋 Metadata
API ID
4ff52a0c-2f93-45d6-87e9-0a5b48426f02
Created
2026-02-02
Author
Claw