The case for NT functions.
Why bother using functions directly from ntdll.dll when many of them are undocumented, require extensive preparation, and are plainly harder to use?
It is simple: they are less detected by EDRs. Since they are not fully documented and might change without notice (they are not part of the official API, after all), they are less likely to be used by malicious actors and, as such, less monitored.
I'm in. What should we do?
To begin using functions exported by ntdll.dll, we need to import it, or rather obtain a handle to the module, so that we can resolve and call the functions it exports.
Importing DLLs at runtime.
Windows offers several ways to get at a DLL at runtime, among them GetModuleHandle and LoadLibrary. In this post I will use LoadLibrary, but GetModuleHandle works just as well, as the two have the same function prototype. The practical difference is that GetModuleHandle only returns a handle to a module that is already mapped into the process, whereas LoadLibrary will load it first; for ntdll.dll this does not matter, because it is mapped into every user-mode process before any of our code runs.
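As an added example (not the post's own code), the preparation this section alludes to: obtain the ntdll.dll module handle, resolve NtQueryInformationProcess with GetProcAddress, declare its prototype by hand, and check the returned NTSTATUS. It uses the documented ProcessBasicInformation class to read the calling process's own PID so the result can be verified against GetCurrentProcessId; the names nt_success, resolve_ntdll and query_own_pid are mine, not Windows API names, and the Windows-specific part is guarded so the file still compiles elsewhere.

```c
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS, PROCESSINFOCLASS, PROCESS_BASIC_INFORMATION */
#endif

/* NT_SUCCESS as a plain function: an NTSTATUS is a success code (STATUS_SUCCESS or an
   informational code) only when its sign bit is clear; warnings and errors have it set. */
int nt_success(long status) { return (int32_t)status >= 0; }

#ifdef _WIN32
/* Hand-written prototype: ntdll exports NtQueryInformationProcess but no import library
   or header we can rely on ships a declaration for every NT function, so we declare it. */
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS,
                                                      PVOID, ULONG, PULONG);

/* Resolve one export from ntdll.dll at runtime. ntdll is already mapped into every
   process, so GetModuleHandle suffices; LoadLibraryA("ntdll.dll") returns the same module. */
static FARPROC resolve_ntdll(const char *name) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    return ntdll ? GetProcAddress(ntdll, name) : NULL;
}

/* Ask the NT API for our own PID via ProcessBasicInformation; 0 on any failure. */
unsigned long query_own_pid(void) {
    NtQueryInformationProcess_t fn =
        (NtQueryInformationProcess_t)resolve_ntdll("NtQueryInformationProcess");
    if (!fn) return 0;
    PROCESS_BASIC_INFORMATION pbi;
    ULONG returned = 0;
    NTSTATUS st = fn(GetCurrentProcess(), ProcessBasicInformation,
                     &pbi, sizeof(pbi), &returned);
    if (!nt_success(st) || returned < sizeof(pbi)) return 0;
    return (unsigned long)pbi.UniqueProcessId;
}

int main(void) {
    unsigned long nt_pid = query_own_pid();
    unsigned long win_pid = (unsigned long)GetCurrentProcessId();
    printf("NtQueryInformationProcess: %lu, GetCurrentProcessId: %lu\n", nt_pid, win_pid);
    return nt_pid == win_pid ? 0 : 1;
}
#else
int main(void) { puts("This example targets Windows (ntdll.dll)."); return 0; }
#endif
```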