TL;DR: Layered API — Win32 → kernelbase → ntdll → syscall. Knowing the layers explains hooking and direct-syscall tradecraft.
Stub — to be filled in.
What it is
TODO
Preconditions / where it applies
TODO
Technique
TODO
Detection and defence
TODO
References