What are some examples of Windows API calls that can be used by malware for process injection?
Malware often uses various Windows APIs for injecting into processes to gain persistence and spread within systems. Here are some common Windows API calls utilized by malicious actors:

1. CreateRemoteThread(): Creates a new thread within the context of a specified process, allowing malware to execute arbitrary code within that process without needing elevated privileges itself.
2. VirtualAllocEx(): Allocates virtual memory for use by a specific process. This function enables malware to allocate memory regions for storing payloads or modifying targeted processes' memory directly.
3. OpenProcess(): Opens a handle to a particular process running under the current user account. Once a handle is obtained, it permits malware to interact with the process's memory, registers, and threads for injecting payloads.
4. WriteProcessMemory(): Writes data to a specified memory location inside a given process's address space. This function enables malware to modify targeted processes' memory, including altering instructions or inserting shellcode to create exploitable vulnerabilities.
5. SetWindowsHookEx(): Establishes a global hook procedure to intercept messages passed between applications and the operating system. By setting up hooks, malware can capture keystrokes, monitor network activity, or manipulate GUI elements to evade detection and stealthily exfiltrate sensitive information.
6. GetMessageA(), PeekMessageA(): Retrieve the next message sent to the calling thread's message queue. These functions allow malware to receive and respond to Windows messages generated by legitimate software, giving attackers better chances of blending in undetected amidst genuine system communications.
7. SuspendThread() / ResumeThread(): Temporarily halts execution of a selected thread until explicitly resumed. With these capabilities, malware can pause critical processes like security scanners or AV engines to evade detection or degrade performance during file encryption operations.
Are these APIs blocked by Windows Defender?
It would not be ethical for me to share the exact details with you if I knew them. However, the way that antimalware such as Windows Defender works is, by design, an obscure process. The methods of detection change all the time, and even if someone made a list to test all of these, it could change day by day, or even perhaps user by user, as they may not want a malware developer to know that they are onto them, so the detection could actually be purposely hidden from someone that the software believes is attempting to develop malware. It is not as simple as merely checking if a function call sets off antimalware software, so I can't provide you a straight answer... because essentially nobody can!