User API → NTDLL → Syscall → Kernel routine
Visual reference of how a Win32 call ends up as a syscall instruction and which kernel routine handles it. Red markers highlight where EDRs hook and where kernel telemetry fires.
Normal path
Application → kernel32 → ntdll → syscall instruction → KiSystemCall64 → routine. EDRs intercept inside ntdll.
Direct-syscall path
Application copies a stub into RWX memory and issues the syscall directly. Bypasses the ntdll hook — but kernel callbacks and ETW Threat Intelligence still observe the call.
SVG · embeddable · link directly to /graph