These components run in user mode and interface directly with OS APIs and applications. Their typical capabilities:
Hook Win32 API functions (e.g., via IAT patching, inline hooks, or Microsoft Detours).
Monitor commonly abused API calls (e.g., CreateRemoteThread, VirtualAllocEx).
Collect process metadata and user activity.
Inject the agent DLL into processes (e.g., explorer.exe or browser processes) to place the hooks.
Perform sandboxing or in-memory analysis.
Because these hooks live inside the monitored process's own address space, they can be tampered with or bypassed from within it. Evasion techniques commonly seen against them:
Use of an unhooked copy of ntdll.dll, or issuing syscalls directly.
Timing attacks that delay execution beyond the analysis window.
Process hollowing under benign parent process names.
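As an added example, not taken from this page, here is the kind of correlation rule a detection engineer would run over the API-call telemetry that such user-mode hooks emit: it flags the classic cross-process injection sequence (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) when one process completes it against another within a short window. The event format, process IDs and timestamps are constructed for the example.

```python
# Constructed sample telemetry, in the shape a user-mode hook on the
# relevant kernel32/ntdll exports might report: caller pid, API name,
# target pid and a timestamp in seconds.
SAMPLE_EVENTS = [
    {"ts": 10.0, "pid": 4120, "api": "OpenProcess",        "target": 1376},
    {"ts": 10.1, "pid": 4120, "api": "VirtualAllocEx",     "target": 1376},
    {"ts": 10.2, "pid": 4120, "api": "WriteProcessMemory", "target": 1376},
    {"ts": 10.3, "pid": 4120, "api": "CreateRemoteThread", "target": 1376},
    # Self-targeted allocation and thread creation: routine for JITs/loaders.
    {"ts": 12.0, "pid": 5008, "api": "VirtualAllocEx",     "target": 5008},
    {"ts": 13.0, "pid": 5008, "api": "CreateRemoteThread", "target": 5008},
    # Same chain, but spread over more than a minute: outside the window.
    {"ts": 20.0, "pid": 6100, "api": "OpenProcess",        "target": 7000},
    {"ts": 95.0, "pid": 6100, "api": "VirtualAllocEx",     "target": 7000},
    {"ts": 96.0, "pid": 6100, "api": "WriteProcessMemory", "target": 7000},
    {"ts": 97.0, "pid": 6100, "api": "CreateRemoteThread", "target": 7000},
]

# Ordered steps of the remote-injection pattern the rule looks for.
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread"]


def detect_remote_injection(events, window=5.0):
    """Return (caller pid, target pid) pairs that completed INJECTION_CHAIN
    against a *different* process within `window` seconds of the first step.

    State is tracked per (pid, target) pair so that one process working on
    several targets, or several processes, never share a partial chain.
    """
    progress = {}  # (pid, target) -> (index of next expected step, start ts)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["target"] == ev["pid"]:
            continue  # self-targeted calls are not remote injection
        key = (ev["pid"], ev["target"])
        idx, start = progress.get(key, (0, ev["ts"]))
        if idx and ev["ts"] - start > window:
            idx, start = 0, ev["ts"]  # stale partial chain: start over
        if ev["api"] == INJECTION_CHAIN[idx]:
            idx += 1
            if idx == len(INJECTION_CHAIN):
                hits.append(key)
                progress.pop(key, None)
                continue
        progress[key] = (idx, start)  # unrelated calls in between are tolerated
    return hits


if __name__ == "__main__":
    for pid, target in detect_remote_injection(SAMPLE_EVENTS):
        print(f"remote injection chain: pid {pid} -> pid {target}")
```

A real rule would also carry the parent-process name and image path of the caller, which is what makes the hollowing case above (a benign-looking parent) stand out once the telemetry is joined with process-creation events.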