> Windows Syscalls

User API → NTDLL → Syscall → Kernel routine

Visual reference of how a Win32 call ends up as a syscall instruction and which kernel routine handles it. Red markers highlight where EDRs hook and where kernel telemetry fires.

USER MODEKERNELApplicationVirtualAllocEx(...)kernel32.dllNtAllocateVirtualMemory(...)ntdll.dllmov r10, rcxmov eax, <SSN>syscallCustom syscall stubmov eax, <SSN>syscalldirect syscall (bypass ntdll)EDR hook pointInline / IAT hooks on Nt* exportsuser → kernel transitionKiSystemCall64KiServiceTable[SSN]NtAllocateVirtualMemory(ntoskrnl.exe)MmAllocateVirtualMemory(Mm subsystem)ETW Threat IntelligenceAllocationVm, ProtectVm, MapView eventsKernel callbacksPsSetCreate*NotifyRoutineEx, ObRegisterCallbacksDirect stubs skip the user-mode hook but kernel telemetry still fires.

Normal path

Application → kernel32 → ntdll → syscall instruction → KiSystemCall64 → routine. EDRs intercept inside ntdll.

Direct-syscall path

Application copies a stub into RWX memory and issues the syscall directly. Bypasses the ntdll hook — but kernel callbacks and ETW Threat Intelligence still observe the call.

SVG · embeddable · link directly to /graph