Understanding hooked syscalls - Do Win32 APIs always call system ones in ntdll.dll?
I wrote a keylogger that hooks keystrokes. I learned about AV detection of hooked syscalls and wanted to know if my keyboard hook is side by side with the AV's... so can the AV monitor that function? I have opened the ntdll.dll file but I have not found the functions that I use to do the hook. Does this mean that Win32 APIs don't always call system functions?

For example, these are the functions that I used, but I don't find them in ntdll.dll.
using System;
using System.Runtime.InteropServices;

// Callback signature required by SetWindowsHookEx for WH_KEYBOARD_LL hooks (was not declared in the snippet)
private delegate IntPtr LowLevelKeyboardProc(int nCode, IntPtr wParam, IntPtr lParam);

// Installs the hook procedure; returns the hook handle or IntPtr.Zero on failure
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr SetWindowsHookEx(int idHook, LowLevelKeyboardProc lpfn, IntPtr hMod, uint dwThreadId);

// Removes a hook previously installed with SetWindowsHookEx
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool UnhookWindowsHookEx(IntPtr hhk);

// Passes the hook information on to the next hook procedure in the chain
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr CallNextHookEx(IntPtr hhk, int nCode, IntPtr wParam, IntPtr lParam);

// Returns the module handle passed as hMod to SetWindowsHookEx
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lpModuleName);
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow