A comprehensive reference repository of C++ code examples for Windows APIs, organized by function name, prefix, and execution context.
Educational / Research Purpose — designed for security researchers, Windows internals students, CTF participants, and developers who need concise, working API usage examples.
| Source | Description |
|---|---|
| j00ru/windows-syscalls | Windows NT/ZW system call tables across OS versions |
| malapi.io | Win32 APIs catalogued by usage category |
| Microsoft Windows API Index | Official API reference |
| Windows API Gist (ssell) | Curated API list |
| Winsock Reference | Winsock 2 API reference |
```
WindowsAPILabs/
├── include/
│   ├── common.h        — shared types, macros, error helpers
│   ├── nt_defs.h       — NT structures/typedefs (NTAPI, PEB, TEB, etc.)
│   └── kernel_defs.h   — kernel structures (DRIVER_OBJECT, IRP, etc.)
│
├── UserMode/           — Win32 API examples (user space)
│   ├── Process/        — CreateProcess, OpenProcess, etc.
│   ├── Memory/         — VirtualAlloc, MapViewOfFile, etc.
│   ├── File/           — CreateFile, ReadFile, FindFirstFile, etc.
│   ├── Registry/       — RegOpenKeyEx, RegSetValueEx, etc.
│   ├── Network/        — WinSock, WinHTTP, WinInet
│   ├── Security/       — Token manipulation, ACLs, privileges
│   ├── Hooks/          — SetWindowsHookEx, DLL injection
│   ├── IPC/            — Pipes, mailslots, shared memory
│   ├── DynamicLoading/ — LoadLibrary, GetProcAddress
│   ├── Synchronization/ — Mutex, Event, Semaphore, CriticalSection
│   ├── Crypto/         — CryptAPI (CAPI), BCryptAPI (CNG)
│   ├── Services/       — SCM, service creation/management
│   └── COM/            — CoCreateInstance, IUnknown
│
├── NT_APIs/            — Native NT-prefix APIs (ntdll.dll, user mode)
│   ├── Process/        — NtCreateProcess, NtOpenProcess, etc.
│   ├── Thread/         — NtCreateThread, NtSuspendThread, etc.
│   ├── Memory/         — NtAllocateVirtualMemory, NtProtectVirtualMemory, etc.
│   ├── File/           — NtCreateFile, NtReadFile, NtWriteFile, etc.
│   ├── Registry/       — NtCreateKey, NtQueryValueKey, etc.
│   ├── Section/        — NtCreateSection, NtMapViewOfSection, etc.
│   ├── System/         — NtQuerySystemInformation, NtSetSystemInformation
│   ├── Token/          — NtOpenProcessToken, NtAdjustPrivilegesToken
│   └── Driver/         — NtLoadDriver, NtUnloadDriver
│
├── ZW_APIs/            — ZW-prefix APIs (same syscall number as NT)
│   ├── File/           — ZwCreateFile, ZwReadFile, ZwWriteFile
│   ├── Registry/       — ZwCreateKey, ZwSetValueKey
│   ├── Memory/         — ZwAllocateVirtualMemory, ZwProtectVirtualMemory
│   ├── System/         — ZwQuerySystemInformation
│   └── Process/        — ZwCreateProcess, ZwTerminateProcess
│
└── KernelMode/         — Kernel driver examples (WDM / WDF)
    ├── Driver/         — DriverEntry, IoCreateDevice, IoDeleteDevice
    ├── Memory/         — ExAllocatePoolWithTag, MmGetSystemRoutineAddress
    ├── Process/        — PsLookupProcessByProcessId, PsSetCreateProcessNotifyRoutine
    ├── Synchronization/ — KeWaitForSingleObject, ExInitializeFastMutex
    ├── Dispatch/       — IRP dispatch routines (IRP_MJ_*)
    ├── Callbacks/      — PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks
    ├── Registry/       — CmRegisterCallback
    └── Network/        — NDIS filter / WFP callout basics
```
| Prefix | Context | Behavior |
|---|---|---|
| `Nt*` | User mode → kernel | Goes through argument validation + previous mode check |
| `Nt*` | Kernel mode | Skips parameter validation (same as `Zw*` from kernel) |
| `Zw*` | User mode → kernel | Identical to `Nt*` from user mode (same syscall stub) |
| `Zw*` | Kernel mode | Sets PreviousMode = KernelMode, skips probing |
Rule of thumb: Prefer `Zw*` from kernel drivers to pass kernel pointers safely. Use `Nt*` from user-mode code.
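As an added example (not code from this repository), a portable C++ check of the "same syscall stub" claim above: it decodes the syscall number from the unpatched x64 ntdll stub layout and compares two exports, and it refuses to decode a stub whose prologue has been overwritten, which is the check an EDR or anti-tamper routine would use to spot a patched export. The stub bytes below are constructed samples, not captured from a real ntdll, and the assumed layout is the Windows 10/11 x64 one.

```cpp
#include <cstdint>
#include <cstddef>
#include <optional>
#include <vector>

// Unpatched x64 ntdll syscall stub (Windows 10/11 layout, assumed here):
//   4C 8B D1                  mov  r10, rcx
//   B8 xx xx xx xx            mov  eax, <syscall number>
//   F6 04 25 08 03 FE 7F 01   test byte ptr [7FFE0308h], 1
//   ... syscall / int 2Eh / ret
// The Nt* and Zw* exports of ntdll resolve to the same stub, so decoding
// either one yields the same syscall number.

// Decode the syscall number from the first bytes of a stub. Returns
// std::nullopt when the prologue does not match the clean layout, which
// is what an integrity check would flag (e.g. the first instruction
// replaced by a jmp by an inline hook).
std::optional<uint32_t> decode_syscall_number(const std::vector<uint8_t>& stub) {
    static const uint8_t prologue[] = {0x4C, 0x8B, 0xD1, 0xB8};
    if (stub.size() < sizeof(prologue) + 4) return std::nullopt;
    for (size_t i = 0; i < sizeof(prologue); ++i)
        if (stub[i] != prologue[i]) return std::nullopt;
    // The imm32 after B8 is little-endian.
    uint32_t n = 0;
    for (int i = 3; i >= 0; --i) n = (n << 8) | stub[4 + i];
    return n;
}

// True when two exports decode cleanly to the same syscall number
// (the Nt*/Zw* pair case).
bool same_syscall(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    auto na = decode_syscall_number(a), nb = decode_syscall_number(b);
    return na && nb && *na == *nb;
}

// Constructed sample bytes (not from a real ntdll): a clean stub with
// syscall number 0x18, and a copy whose first five bytes were replaced
// by a jmp rel32 (E9 ...), as an inline hook would leave them.
const std::vector<uint8_t> kCleanStub = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01};
const std::vector<uint8_t> kPatchedStub = {
    0xE9, 0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01};
```

On a live system the same functions would be fed the bytes at the addresses returned by `GetProcAddress` for the `Nt*` and `Zw*` names; with the clean sample they decode to 0x18, and the patched sample decodes to nothing.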
```
cd UserMode
cl /W4 /EHsc /I ..\include Process\CreateProcess\CreateProcess.cpp
```

Or with CMake:

```
cmake -B build -G "Visual Studio 17 2022"
cmake --build build
```

Requires Windows Driver Kit (WDK) matching your Visual Studio version.

```
cd KernelMode\Driver
msbuild BasicDriver.vcxproj /p:Configuration=Debug /p:Platform=x64
```

| Category | Examples |
|---|---|
| Process Injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, NtCreateThreadEx |
| Defense Evasion | VirtualProtect, NtProtectVirtualMemory, IsDebuggerPresent, NtSetInformationThread |
| Anti-Analysis | CheckRemoteDebuggerPresent, GetTickCount, NtQueryInformationProcess (debug port) |
| Memory | VirtualAlloc, HeapAlloc, NtAllocateVirtualMemory, ExAllocatePoolWithTag |
| Network | WSASocket, connect, InternetOpenUrl, WinHttpSendRequest |
| File | CreateFile, NtCreateFile, ZwCreateFile |
| Registry | RegOpenKeyEx, NtCreateKey, ZwSetValueKey |
| Persistence | RegSetValueEx (run keys), CreateService, schtasks via COM |
| Privilege Escalation | AdjustTokenPrivileges, NtAdjustPrivilegesToken |
| Credential Access | LsaOpenPolicy, MiniDumpWriteDump, SamOpenDomain |
All examples are for educational and defensive security research purposes only. Understanding how APIs work is essential for:
- Writing robust Windows software
- Developing antivirus / EDR detection logic
- Security research and CTF challenges
- Windows kernel / driver development
Always test in a controlled, isolated environment (VM).