Headers, DLLs and Functions

Common DLLs

---

DLL	Description
Kernel32.dll	This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.
Advapi32.dll	This DLL provides access to advanced core Windows components such as the Service Manager and Registry.
User32.dll	This DLL contains all the user-interface components, such as buttons, scroll bars, and components for controlling and responding to user actions.
Gdi32.dll	This DLL contains functions for displaying and manipulating graphics.
Ntdll.dll	This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
WSock32.dll and Ws2_32.dll	These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.
Wininet.dll	This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.
Shell32.dll	This DLL can launch other programs.
Advapi32.dll	Provides security calls and functions for manipulating the Windows Registry.
msvcrt.dll	The C standard library for the Visual C++ (MSVC) compiler from version 4.2 to 6.0. It provides programs compiled by these versions of MSVC with most of the standard C library functions. These include string manipulation, memory allocation, C-style input/output calls, and others
rpcrt4.dll	This is a crucial Windows file associated with the Remote Procedure Call (RPC) API, used by applications for network and internet communication

Headers

---

Header	Description
[[Headers, DLLs and Functions#<stdio.h>|stdio.h]]	It is a Header file basic I/O like printf(), etc.
[[Headers, DLLs and Functions#netinet/ip.h|netinet/ip.h]]	Provides definitions for IP (Internet Protocol) related structures and constants, specifically for IPv4 networking
[[Headers, DLLs and Functions#arpa/inet.h| arpa/inet.h]]	Provides functions for manipulating IP addresses, especially for converting between text (string) and binary formats used in network programming.
[[Headers, DLLs and Functions#sys/socket.h|sys/socket.h]]	Provides the definitions and functions for using sockets which are used for network communication.
unistd.h	It is a POSIX (Unix standard) header file that gives you access to low-level OS functions, mainly related to I/O, processes, and file descriptors.
[[Headers, DLLs and Functions#windows.h|windows.h]]	<windows.h> is the main Windows API header file used for developing applications on Windows OS. It includes declarations for all core Windows functionality.
[[Headers, DLLs and Functions#stdlib.h|stdlib.h]]	<stdlib.h> is a standard C header that provides general-purpose utility functions, including memory management, random numbers, conversions, and process control.
[[Headers, DLLs and Functions#string.h|string.h]]	<string.h> is the standard C header that provides functions for handling strings and memory blocks.

stdio.h

• It is a Header file basic I/O like printf(), etc.

Functions

printf

printf is a C standard library function used to print formatted text to the console (stdout).

Signature:

int printf(const char *format, ...);

Parameters:

• format: A format string (e.g., "Value: %d\n")
• ...: Variable arguments to insert into the format string

Returns:

• Number of characters printed, or a negative value on error.

Example:

printf("Hello %s, number = %d\n", "world", 42);

Output: Hello world, number = 42

sys/socket.h

---

• It is a header file that provides the definitions and functions for using sockets which are used for network communication.

Functions

---

socket()

The socket() function is the starting point for network programming in C/C++. It’s how you create a communication endpoint.

Signature :

int socket(int domain, int type, int protocol);

Parameter	Description
domain	Specifies the protocol family (e.g. AF_INET for IPv4, AF_INET6 for IPv6)
type	Specifies the type of socket (e.g. SOCK_STREAM for TCP, SOCK_DGRAM for UDP)
protocol	Usually 0 (default) which means “Let’s the OS choose the appropriate protocol for the type you chose”.

Example:

int sockfd = socket(AF_INET, SOCK_STREAM, 0);

• AF_INET → IPv4
• SOCK_STREAM → TCP
• 0 → Automatically picks TCP for this combo

Return Value:

• Success: returns a file descriptor (non-negative int)
• Failure: returns -1

connect()

• The connect() function is used in socket programming to initiate a connection from a client to a server.
• It says: “Hey server, I want to talk to you at this IP and port.” If the server is listening and accepts your connection, you’re now ready to send and receive data.

Signature

int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

Parameter	Description
sockfd	The socket file descriptor returned by [[Headers, DLLs and Functions#socket()|socket]] function.
addr	Pointer to a sockaddr structure containing the server’s IP and port
addrlen	Size of the sockaddr structure (usually sizeof(struct sockaddr_in) for IPv4)
Return Value:

• 0 on success
• -1 on failure → you should check errno or use perror() for details
  connect() is what a client uses to “call” the server.

Structures

---

sockaddr

The sockaddr structure is a generic socket address used by socket functions like connect(), bind(), accept(), etc. It acts as a placeholder that can represent any address type (IPv4, IPv6, etc.).

Structure Signature:

struct sockaddr {
    sa_family_t sa_family;     // Address family (e.g., AF_INET)
    char        sa_data[14];   // Protocol-specific address information
};

• It’s a generic container, so it’s not used directly for setting IP addresses or ports.
• Instead, you use a more specific structure (like sockaddr_in(for IPv4),sockaddr_in6(for IPv6) ), then cast its pointer to sockaddr* when passing it to socket functions.

Example :

struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(8080);
inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);
 
// Pass to connect(), cast to (struct sockaddr*)
connect(sockfd, (struct sockaddr*)&addr, sizeof(addr));

netinet/ip.h

---

• It is a C header file that provides definitions for IP (Internet Protocol) related structures and constants, specifically for IPv4 networking.

Structures

---

sockaddr_in

• This structure specifies a transport address and port for the IPv4.

Structure Signature:

struct sockaddr_in {
    sa_family_t    sin_family;  // Address family (AF_INET for IPv4)
    in_port_t      sin_port;    // Port number (in network byte order)
    struct in_addr sin_addr;    // IP address (in network byte order)
    // Padding to make struct size same as struct sockaddr
    unsigned char  sin_zero[8];
};
 

Field	Description
sin_family	Always set to AF_INET for IPv4.
sin_port	The port number, which must be in network byte order (use [[Headers, DLLs and Functions#htons()– Host to Network Short|htons()]] to convert in network byte).
sin_addr	A structure of type in_addr that holds the IPv4 address.
sin_zero	Padding field to make sockaddr_in the same size as sockaddr. Not used in practice; just set to zero.

sockaddr_in6

This structure represents a socket address for IPv6.

Signature :

struct sockaddr_in6 {
    sa_family_t     sin6_family;   // Address family (AF_INET6)
    in_port_t       sin6_port;     // Port number (network byte order)
    uint32_t        sin6_flowinfo; // Flow information (usually 0)
    struct in6_addr sin6_addr;     // IPv6 address
    uint32_t        sin6_scope_id; // Scope ID (for link-local addresses)
};

Field	Description
sin6_family	Always set to AF_INET6 for IPv6.
sin6_port	Port number (use [[Headers, DLLs and Functions#htons()– Host to Network Short|htons()]] to convert to network byte order).
sin6_flowinfo	Optional. Used for IPv6 flow labels (usually 0).
sin6_addr	An in6_addr struct that holds the IPv6 address.
sin6_scope_id	Used to specify interface for link-local addresses (e.g., fe80::...). Set to 0 otherwise.

in_addr

The in_addr structure represents a single IPv4 address. It is used within sockaddr_in and other network functions that deal specifically with IP addresses.

Structure Signature:

struct in_addr {
    in_addr_t s_addr; // 32-bit IPv4 address (in network byte order)
};

• s_addr is usually an unsigned long or uint32_t, depending on the platform.
• It holds the IP address in network byte order (big-endian).
• To convert a human-readable IP string (e.g., "192.168.1.1") to this format, you use functions like:
  • inet_aton() (for IPv4)
  • inet_pton() (for IPv4 & IPv6 both)

in6_addr

Used inside sockaddr_in6 to hold the 128-bit IPv6 address.

Signature :

struct in6_addr {
    unsigned char s6_addr[16]; // 128-bit IPv6 address (in network byte order)
};

• s6_addr is an array of 16 bytes = 128 bits (standard IPv6 address size).
• It holds the IP address in network byte order (big-endian).
• Use inet_pton() function to convert from string to binary format.

arpa/inet.h

---

• It is a C header file that provides functions for manipulating IP addresses, especially for converting between text (string) and binary formats used in network programming.

Functions

---

inet_aton()

• Converts an IPv4 address string (e.g., "192.168.1.1") to binary format and stores it in a struct in_addr.
• Used only for IPv4.
• Returns non-zero on success, 0 on failure.
• Non-standard on Windows (not portable across platforms).

int inet_aton(const char *cp, struct in_addr *inp);

Parameters:

Parameter	Type	Description
cp	const char*	The IPv4 address in string format, e.g. "192.168.1.1"
inp	struct in_addr*	Pointer to a struct in_addr where the binary address will be stored

Example:

#include <arpa/inet.h>
#include <stdio.h>
int main() {
    const char* ip = "192.168.1.1";
    struct in_addr addr;
    
    if (inet_aton(ip, &addr)) {
        printf("IP address converted: 0x%x\n", addr.s_addr);
    } else {
        printf("Invalid IP address\n");
    }
    return 0;
}

inet_pton()

• General-purpose: works for both IPv4 (AF_INET) and IPv6 (AF_INET6).
• Safer and more modern.
• Portable and POSIX-compliant.
• Returns 1 on success, 0 if the address is invalid, -1 on error.

Signature:

int inet_pton(int af, const char *src, void *dst);

Parameters:

Parameter	Type	Description
af	int	Address family: AF_INET (IPv4) or AF_INET6 (IPv6)
src	const char*	IP address string (e.g., "192.168.1.1" or "::1")
dst	void*	Pointer to a buffer to store the binary IP (typically &in_addr or &in6_addr)

Example for IPv4:

#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
int main() {
    const char* ip = "192.168.1.1";
    struct in_addr addr;
    
    if (inet_pton(AF_INET, ip, &addr) == 1) {
        printf("IPv4 address converted successfully.\n");
    } else {
        printf("Invalid IPv4 address.\n");
    }
    return 0;
}

Example for IPv6:

#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
int main() {
    const char* ip = "::1";
    struct in6_addr addr6;
	
    if (inet_pton(AF_INET6, ip, &addr6) == 1) {
        printf("IPv6 address converted successfully.\n");
    } else {
        printf("Invalid IPv6 address.\n");
    }
    return 0;
}

hton

hton = “Host TO Network”

These functions convert values from the host’s byte order (which might be little-endian) to network byte order (which is always big-endian).

Different computers use different endianness:

• Little-endian (e.g., x86/x64 CPUs): least significant byte comes first
• Big-endian: most significant byte comes first

But network protocols (like TCP/IP) always use big-endian format, so if your CPU is little-endian (which most are), you need to convert numbers before sending them.

Common hton and ntoh Functions

Function	Use Case	Input Type	Converts From → To
htons	Port numbers	uint16_t	Host → Network (16-bit)
htonl	IP addresses	uint32_t	Host → Network (32-bit)
ntohs	Received port numbers	uint16_t	Network → Host (16-bit)
ntohl	Received IP addresses	uint32_t	Network → Host (32-bit)

htons()– Host to Network Short

uint16_t htons(uint16_t hostshort);

• Converts a 16-bit integer (e.g., a port number) from host byte order to network byte order.

htonl()– Host to Network Long

uint32_t htonl(uint32_t hostlong);

• Converts a 32-bit integer (e.g., an IPv4 address) from host byte order to network byte order.

ntohs()– Network to Host Short

uint16_t htons(uint16_t hostshort);

• Converts a 16-bit integer (e.g., a port number) from Network byte order to Host byte order.

ntohl()– Network to Host Long

uint32_t htonl(uint32_t hostlong);

• Converts a 32-bit integer (e.g., an IPv4 address) from Network byte order to Host byte order.

unistd.h

---

It is a POSIX (Unix standard) header file that gives you access to low-level OS functions, mainly related to I/O, processes, and file descriptors.

Functions

---

dup2()

dup2() is a system call that duplicates one file descriptor to another.

Signature:

int dup2(int oldfd, int newfd);

Parameter	Description
oldfd	The original file descriptor you want to duplicate (e.g., a socket, file, etc.)
newfd	The file descriptor you want to overwrite or redirect to point to oldfd

• Makes newfd refer to the same open file (or socket) as oldfd.
• If newfd is already open, it will be closed first automatically.
• oldfd and newfd will both now refer to the same underlying resource, but are still separate file descriptors.

Return Value:

• Returns newfd on success
• Returns -1 on error (check errno)

Example:

dup2(sockfd, 0); // stdin
dup2(sockfd, 1); // stdout
dup2(sockfd, 2); // stderr

• 0, 1 & 2 in file descriptor refer to stdin, stdout & stderr respectively.
• So we are copying this file descriptor to sockfd.

execve()

execve() is a system call used to replace the current running process with a new program.

Signature:

int execve(const char *pathname, char *const argv[], char *const envp[]);

Parameter	Description
pathname	Full path to the executable file (e.g., /bin/sh)
argv[]	Array of arguments passed to the program (like argv in main())
envp[]	Array of environment variables (can pass environ or NULL)

• Does not return on success (the current process is replaced)
• Returns -1 on failure (and sets errno)

Example:

char *argv[] = {"/bin/sh", NULL};
execve("/bin/sh", argv, NULL);

windows.h

---

<windows.h> is the main Windows API header file used for developing applications on Windows OS. It includes declarations for all core Windows functionality.

Functions

VirtualAlloc

VirtualAlloc is a Windows API function used to allocate memory pages directly from the system’s virtual memory.

Signature:

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

Parameter	Description
lpAddress	Preferred memory address (or NULL to let Windows decide)
dwSize	Size (in bytes) of memory to allocate
flAllocationType	Memory allocation type commonly MEM_COMMIT or MEM_RESERVE
flProtect	Memory protection — commonly PAGE_READWRITE, PAGE_EXECUTE_READWRITE, etc.
Common Constants:

Constant	Meaning
MEM_COMMIT	Allocates physical memory
MEM_RESERVE	Reserves a range of virtual addresses
PAGE_READWRITE	Read and write access
PAGE_EXECUTE_READWRITE	Read, write, and execute access (used for shellcode)

Example:

#include <windows.h>
 
int main() {
    void *mem = VirtualAlloc(
        NULL,                   // Let system choose address
        1024,                   // Allocate 1024 bytes
        MEM_COMMIT | MEM_RESERVE, // Commit and reserve pages
        PAGE_EXECUTE_READWRITE    // Allow code execution (for shellcode)
    );
	
    if (mem != NULL) {
        // Use the memory...
    }
	
    return 0;
}

RtlMoveMemory

RtlMoveMemory is a Windows API function used to copy memory blocks in same process.

Signature:

VOID RtlMoveMemory(
  VOID UNALIGNED *Destination,
  const VOID UNALIGNED *Source,
  SIZE_T Length
);

Parameter	Meaning
VOID UNALIGNED *Destination	A pointer to the destination memory buffer where data will be copied.
const VOID UNALIGNED *Source	A pointer to the source memory buffer to copy data from. It’s const, so the function does not modify it.
SIZE_T Length	Number of bytes to copy from source to destination. SIZE_T is typically an unsigned integer type.

Example:

#include <windows.h>
 
int main() {
    char src[] = "Hello, Windows!";
    char dest[20];
 
    RtlMoveMemory(dest, src, sizeof(src));
 
    MessageBoxA(NULL, dest, "Copied Message", MB_OK);
    return 0;
}

VirtualProtect

VirtualProtect is a Windows API function used to change the protection (read, write, execute permissions) of a region of memory that your program owns.

Signature:

BOOL VirtualProtect(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flNewProtect,
  PDWORD lpflOldProtect
);

Parameter	Type	Description
lpAddress	LPVOID	Pointer to the starting address of the memory region
dwSize	SIZE_T	Number of bytes to change protection for
flNewProtect	DWORD	New protection flags (e.g., PAGE_EXECUTE_READWRITE)
lpflOldProtect	PDWORD	Pointer to a variable that receives the previous protection value
Common Protection Flags :

Flag	Meaning
PAGE_READONLY	Read-only
PAGE_READWRITE	Read and write
PAGE_EXECUTE	Execute only
PAGE_EXECUTE_READ	Execute and read
PAGE_EXECUTE_READWRITE	Execute, read, and write (used for shellcode)
PAGE_NOACCESS	Cannot access at all

Example:

#include <windows.h>
#include <stdio.h>
 
int main() {
    unsigned char code[] = { 0x90, 0x90, 0xC3 }; // NOP, NOP, RET (safe test shellcode)
 
    DWORD oldProtect;
    BOOL result = VirtualProtect(
        code,                        // memory address
        sizeof(code),                // size
        PAGE_EXECUTE_READWRITE,      // new protection
        &oldProtect                  // save old protection
    );
 
    if (result) {
        printf("Memory protection changed.\n");
        ((void(*)())code)(); // Call the shellcode
    } else {
        printf("VirtualProtect failed: %lu\n", GetLastError());
    }
 
    return 0;
}

CreateThread

CreateThread is a Windows API function used to create a new thread in your process. It’s one of the most direct ways to launch concurrent execution in Windows.

Signature :

HANDLE CreateThread(
  LPSECURITY_ATTRIBUTES   lpThreadAttributes,
  SIZE_T                  dwStackSize,
  LPTHREAD_START_ROUTINE  lpStartAddress,
  LPVOID                  lpParameter,
  DWORD                   dwCreationFlags,
  LPDWORD                 lpThreadId
);

Parameter	Type	Description
lpThreadAttributes	LPSECURITY_ATTRIBUTES	Can be NULL (default security)
dwStackSize	SIZE_T	Initial stack size in bytes (use 0 for default)
lpStartAddress	LPTHREAD_START_ROUTINE	Function pointer to the thread’s entry function
lpParameter	LPVOID	Pointer to data passed to the thread function
dwCreationFlags	DWORD	0 to run immediately, or CREATE_SUSPENDED
lpThreadId	LPDWORD	Pointer to receive the thread ID (can be NULL)
Return Value :

• On success: Returns a HANDLE to the new thread.
• On failure: Returns NULL. Call GetLastError() for details.

Example :

#include <windows.h>
#include <stdio.h>
 
DWORD WINAPI MyThreadFunction(LPVOID lpParam) {
    printf("Hello from thread! Param: %s\n", (char *)lpParam);
    return 0;
}
 
int main() {
    HANDLE hThread;
    DWORD threadId;
 
    hThread = CreateThread(
        NULL,              // Default security
        0,                 // Default stack size
        MyThreadFunction,  // Function to run
        "Thread Param",    // Parameter to pass
        0,                 // Run immediately
        &threadId          // Thread ID
    );
 
    if (hThread == NULL) {
        printf("CreateThread failed! Error: %lu\n", GetLastError());
        return 1;
    }
 
    // Wait for thread to finish
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
 
    return 0;
}

WaitForSingleObject

WaitForSingleObject is a Windows API function that pauses the calling thread until the specified object is signaled or a timeout occurs.

Signature :

DWORD WaitForSingleObject(
  HANDLE hHandle,
  DWORD  dwMilliseconds
);

Parameter	Type	Description
hHandle	HANDLE	A handle to a thread, process, mutex, event, etc.
dwMilliseconds	DWORD	Time to wait (in milliseconds) or special constants like INFINITE
Common Constants:

• INFINITE → Wait forever until the object is signaled.
• 0 → Do not wait; return immediately (polling).

Return Values :

Return Code	Meaning
WAIT_OBJECT_0	The object is signaled — success
WAIT_TIMEOUT	The timeout interval elapsed
WAIT_FAILED	The function failed

Example :

HANDLE hThread = CreateThread(...);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);

This waits for the thread to finish before continuing, ensuring synchronization.

OpenProcess

OpenProcess is a Windows API function that opens a handle to a running process using its process ID (PID) for further operations like reading memory or injecting code.

Signature:

HANDLE OpenProcess(
  DWORD dwDesiredAccess,
  BOOL  bInheritHandle,
  DWORD dwProcessId
);

Parameters:

Parameter	Description
dwDesiredAccess	What access you want (e.g., PROCESS_ALL_ACCESS)
bInheritHandle	TRUE if child processes should inherit the handle
dwProcessId	The ID of the target process (usually from argv, GetCurrentProcessId, etc.)
Return Value:

• On success: Returns a HANDLE to the process.
• On failure: Returns NULL (use GetLastError() to debug).

Common constants for dwDesiredAccess parameter.

Access Right	Description
PROCESS_VM_READ	Read memory in the target process
PROCESS_VM_WRITE	Write to memory in the target process
PROCESS_VM_OPERATION	Perform memory operations (e.g., allocate)
PROCESS_CREATE_THREAD	Create a thread in the target process
PROCESS_QUERY_INFORMATION	Query info like priority, handle count
PROCESS_QUERY_LIMITED_INFORMATION	Safer, limited query access
PROCESS_TERMINATE	Terminate the process
PROCESS_SUSPEND_RESUME	Suspend/resume the process (Win 7+)
PROCESS_ALL_ACCESS	Requests all possible permissions on the target process

Example:

HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

VirtualAllocEx

VirtualAllocEx is a Windows API function used to allocate memory in the address space of another process.

Signature:

LPVOID VirtualAllocEx(
  HANDLE hProcess,
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

Parameter	Type	Description
hProcess	HANDLE	Handle to the target process (must have PROCESS_VM_OPERATION access)
lpAddress	LPVOID	Desired starting address (usually NULL for automatic selection)
dwSize	SIZE_T	Size of memory to allocate (in bytes)
flAllocationType	DWORD	Type of memory allocation (e.g., MEM_COMMIT, MEM_RESERVE)
flProtect	DWORD	Memory protection (e.g., PAGE_EXECUTE_READWRITE)
Return:

• On success: Returns a pointer (LPVOID) to the base address of allocated memory in the target process.
• On failure: Returns NULL. Use GetLastError() for more info.

Example:

HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
LPVOID remoteMem = VirtualAllocEx(
    hProcess, 
    NULL, 
    4096, 
    MEM_COMMIT | MEM_RESERVE, 
    PAGE_EXECUTE_READWRITE
);

This allocates 1 memory page (4096 bytes) with read/write/execute permissions in another process’s memory.

WriteProcessMemory

WriteProcessMemory is a Windows API function that writes data into the memory of another process.

Signature:

BOOL WriteProcessMemory(
  HANDLE  hProcess,
  LPVOID  lpBaseAddress,
  LPCVOID lpBuffer,
  SIZE_T  nSize,
  SIZE_T  *lpNumberOfBytesWritten
);

Parameter	Type	Description
hProcess	HANDLE	Handle to the target process (must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access)
lpBaseAddress	LPVOID	Address in the target process where data will be written (from VirtualAllocEx)
lpBuffer	LPCVOID	Pointer to the buffer containing the data to write
nSize	SIZE_T	Number of bytes to write
lpNumberOfBytesWritten	SIZE_T*	Pointer to receive the actual number of bytes written (can be NULL)
Return

• Returns TRUE on success.
• Returns FALSE on failure — call GetLastError() for details.

Example:

char shellcode[] = "...";  // your shellcode
LPVOID remoteAddr = VirtualAllocEx(hProcess, NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 
WriteProcessMemory(
    hProcess,
    remoteAddr,
    shellcode,
    sizeof(shellcode),
    NULL
);

This writes your shellcode into another process’s memory.

CreateRemoteThread

CreateRemoteThread is a powerful Windows API function that lets you create a new thread inside another process.

Signature:

HANDLE CreateRemoteThread(
  HANDLE                 hProcess,
  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  SIZE_T                 dwStackSize,
  LPTHREAD_START_ROUTINE lpStartAddress,
  LPVOID                 lpParameter,
  DWORD                  dwCreationFlags,
  LPDWORD                lpThreadId
);

Parameter	Type	Description
hProcess	HANDLE	Handle to the target process (must have PROCESS_CREATE_THREAD and PROCESS_VM_OPERATION access)
lpThreadAttributes	LPSECURITY_ATTRIBUTES	Usually NULL (default security)
dwStackSize	SIZE_T	Stack size for the thread (0 = default)
lpStartAddress	LPTHREAD_START_ROUTINE	Address of the function to execute (e.g. start of shellcode or LoadLibraryA)
lpParameter	LPVOID	Optional parameter passed to the thread
dwCreationFlags	DWORD	0 to run immediately, or CREATE_SUSPENDED
lpThreadId	LPDWORD	Pointer to receive the thread ID (can be NULL)
Return:

• Returns a HANDLE to the created thread if successful.
• Returns NULL if it fails — use GetLastError() to diagnose.

Example: - DLL Injection:

HANDLE hProcess = OpenProcess(...);
LPVOID remoteMem = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, remoteMem, dllPath, len, NULL);
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, 
    (LPTHREAD_START_ROUTINE)LoadLibraryA, remoteMem, 0, NULL);

This injects a DLL by remotely calling LoadLibraryA(dllPath) inside the target process.

CloseHandle

CloseHandle is a Windows API function used to release system resources associated with handles (like processes, threads, files, etc.).

Signature:

BOOL CloseHandle(HANDLE hObject);

Parameter	Type	Description
hObject	HANDLE	A valid handle to a system object (e.g., process, thread, file, event)
Return:

• Returns TRUE on success.
• Returns FALSE on failure — use GetLastError() for more info.

When to Use CloseHandle:

Handle Type	Use Case Example
HANDLE to a process	After OpenProcess() or CreateProcess()
HANDLE to a thread	After CreateThread() or CreateRemoteThread()
HANDLE to a file	After CreateFile()

Example:

HANDLE hThread = CreateRemoteThread(...);
 
// Wait for thread to finish
WaitForSingleObject(hThread, INFINITE);
 
// Clean up
CloseHandle(hThread);

CreateToolhelp32Snapshot

CreateToolhelp32Snapshot is a function in the Windows API used to take a snapshot of system resources, such as:

• All running processes
• Threads in a process
• Modules (DLLs) loaded in a process
• Heaps in a process

Implemented in Kernel32.dll.

Signature:

HANDLE CreateToolhelp32Snapshot(
  DWORD dwFlags,
  DWORD th32ProcessID
);

Parameters:

Parameter	Description
dwFlags	What to include in the snapshot. E.g., TH32CS_SNAPPROCESS, TH32CS_SNAPTHREAD, etc.
th32ProcessID	Used when capturing threads, modules, or heaps in a specific process. Set to 0 when capturing system-wide process list.

Common Flags:

Flag	Description
TH32CS_SNAPPROCESS	All running processes
TH32CS_SNAPTHREAD	All threads in the system
TH32CS_SNAPMODULE	Modules (DLLs/EXEs) of a specific process
TH32CS_SNAPHEAPLIST	Heap info of a process
TH32CS_SNAPALL	Combination of the above
Returns:

• Valid HANDLE if successful.
• INVALID_HANDLE_VALUE ((HANDLE)(LONG_PTR)-1) on failure — check with GetLastError().

Example: List Running Processes

#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
 
int main() {
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        std::cout << "Snapshot failed. Error: " << GetLastError() << "\n";
        return 1;
    }
 
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);
 
    if (Process32First(hSnapshot, &pe)) {
        do {
            std::wcout << L"Process: " << pe.szExeFile << L" | PID: " << pe.th32ProcessID << L"\n";
        } while (Process32Next(hSnapshot, &pe));
    } else {
        std::cout << "Failed to retrieve process info.\n";
    }
 
    CloseHandle(hSnapshot);
    return 0;
}

stdlib.h

---

<stdlib.h> is a standard C header that provides general-purpose utility functions, including memory management, random numbers, conversions, and process control.

Functions

atoi

atoi (ASCII to Integer) is a C standard library function that converts a string to an int.

Signature :

int atoi(const char *str);

Parameters:

• str: A C-style string (null-terminated) representing a number (e.g., "42")

Returns:

• The converted int value of the string.
• If the string is invalid or doesn’t start with a number, it returns 0 (no error indication!).

Example:

int num = atoi("123");  // num = 123

string.h

---

<string.h> is the standard C header that provides functions for handling strings and memory blocks.

tlhelp32.h

---

<tlhelp32.h> is a Windows header file that provides declarations for Tool Help Library functions, used to take snapshots of the system’s process, thread, module, and heap states.

• Link against Kernel32.lib.

Functions

Common Functions

---

Function	Access by	Description
FindFirstFile and FindNextFile	Kernel32.dll	Used to search through directories.
RegisterClassEx, SetWindowText, and ShowWindow	User32.dll	This are GUI manipulation functions.
SetWindowsHookEx	User32.dll	SetWindowsHookEx is commonly used in spyware and is the most popular way that keyloggers receive keyboard inputs.
RegisterHotKey	User32.dll	It registers a hotkey (such as CTRL-SHIFT-P) so that whenever the user presses that hotkey combination, the application is notified.
DLLMain		Special reserved name. Windows expects this function inside a DLL. Refer, DLL Injection Into The Process
[[Headers, DLLs and Functions#sizeof()|sizeof()]]		It calculates the total size (in bytes).
[[Headers, DLLs and Functions#main()|main()]]		The special function where the program starts running.
[[Headers, DLLs and Functions#OpenProcess|OpenProcess()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	A Windows API function → It opens an existing process and gives you a handle to it.
[[Headers, DLLs and Functions#VirtualAlloc|VirtualAlloc]] and [[Headers, DLLs and Functions#VirtualAllocEx|VirtualAllocEx]]	[[Headers, DLLs and Functions#windows.h|windows.h]] , kernel32.lib, kernel32.dll	- [[Headers, DLLs and Functions#VirtualAlloc|VirtualAlloc]] Allocates memory inside the process that’s running the code (yourself). - [[Headers, DLLs and Functions#VirtualAllocEx|VirtualAllocEx]] allocates memory inside another process.
[[Headers, DLLs and Functions#CreateThread|CreateThread()]] and [[Headers, DLLs and Functions#CreateRemoteThread|CreateRemoteThread()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	- [[Headers, DLLs and Functions#CreateThread|CreateThread()]] creates a thread in your own process. - [[Headers, DLLs and Functions#CreateRemoteThread|CreateRemoteThread()]] creates a thread in a different(remote) process.
CreateToolhelp32Snapshot	thelp32.h	Captures a snapshot of the system’s processes, threads, modules, or heaps at a particular point in time.
Process32Firstand Process32Next	thelp32.h	Used to iterate through the list of processes in the snapshot.
Thread32Firstand Thread32Next	thelp32.h	Used to enumerate threads in a snapshot.
Module32First and Module32Next	thelp32.h	Used to enumerate the modules (DLLs or EXEs) loaded by a process.
GetModuleHandle		Used to get the handle of loaded module(DLL) inside the current process.
GetProcAddress		Used to find the memory address of function
[[Headers, DLLs and Functions#socket()|socket()]]	[[Headers, DLLs and Functions#sys/socket.h|sys/socket.h]]	It is the starting point for network programming in C/C++. It’s how you create a communication endpoint.
[[Headers, DLLs and Functions#connect()|connect()]]	[[Headers, DLLs and Functions#sys/socket.h|sys/socket.h]]	The connect() function is used in socket programming to initiate a connection from a client to a server.
[[Headers, DLLs and Functions#inet_aton()|inet_aton()]]	[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]	Converts an IPv4 address string (e.g., "192.168.1.1") to binary format and stores it in a struct in_addr
[[Headers, DLLs and Functions#inet_pton()|inet_pton()]]	[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]	Converts both IPv4 or IPv6 address string to binary format and stores it in a in_addr or in6_addr structure respectively.
[[Headers, DLLs and Functions#htonl()– Host to Network Long|htons()]]	[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]	Converts a 16-bit integer (e.g., a port number) from host byte order to network byte order.
[[Headers, DLLs and Functions#htonl()– Host to Network Long|htonl()]]	[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]	Converts a 32-bit integer (e.g., an IPv4 address) from host byte order to network byte order.
[[Headers, DLLs and Functions#ntohs()– Network to Host Short|ntohs()]]	[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]	Converts a 16-bit integer (e.g., a port number) from Network byte order to Host byte order.
[[Headers, DLLs and Functions#ntohl()– Network to Host Long|ntohl()]]	[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]	Converts a 32-bit integer (e.g., an IPv4 address) from Network byte order to Host byte order.
[[Headers, DLLs and Functions#dup2()|dup2()]]	[[Headers, DLLs and Functions#unistd.h|uniistd.h]]	Duplicates one file descriptor to another.
[[Headers, DLLs and Functions#execve()|execve()]]	[[Headers, DLLs and Functions#unistd.h|uniistd.h]]	Used to replace the current running process with a new program.
[[Headers, DLLs and Functions#RtlMoveMemory|RtlMoveMemory()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	Used to copy memory blocks in same process.
[[Headers, DLLs and Functions#WriteProcessMemory|WriteMemoryProcess()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	Used to copy memory blocks in remote process using PID.
[[Headers, DLLs and Functions#VirtualProtect|VirtualProtect()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	Used to change the protection (read, write, execute permissions) of a region of memory that your program owns.
[[Headers, DLLs and Functions#WaitForSingleObject|WaitForSingleObject()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	Function that pauses the calling thread until the specified object is signaled or a timeout occurs.
[[Headers, DLLs and Functions#CloseHandle|CloseHandle()]]	[[Headers, DLLs and Functions#windows.h|windows.h]]	Used to release system resources associated with handles (like processes, threads, files, etc.)
[[Headers, DLLs and Functions#atoi|atoi()]]	[[Headers, DLLs and Functions#stdlib.h|stdlib.h]]	Converts a string to an int.

Functions which doesn’t required Header.

main()

In C, main() is the entry point of any program.

When you run a compiled C program, the operating system calls the main() function always first. It’s where your program starts executing.

sizeof()

sizeof is a compile-time operator in C/C++ that returns the size (in bytes) of a data type or variable.

Signature:

sizeof(type)
sizeof(variable)

Returns:

• The number of bytes required to store the data type or variable.
• The result is of type size_t (an unsigned integer).

Note

• sizeof is evaluated at compile time, not runtime.
• For dynamically allocated memory (malloc), sizeof is not useful on the pointer.