How can I implement Win32 functions of my own without using the Win32 or Native API?

I want to do this because while researching AVs and viruses I read about some viruses that emulate the Win32 API, that is, they implement Win32-like functions on their own to evade AVs. Unfortunately, the book didn't mention the names of any such virus. Please answer the above question or give me the name of any viruses that do the same.

Posted on 2008-03-25 23:48:14 by shakuni
Some are easily implemented (like lstrlen and so on), others are much harder (like, hmm, VirtualAlloc for example).
I seriously doubt a virus emulated all Win32 APIs.. others 'emulate' by calling the ntdll variant of the API instead of the kernel32 one etc..
Posted on 2008-03-26 07:22:25 by evlncrn8
You don't get much lower than NTDLL or, alternatively (and even more problematic), syscalls.
Posted on 2008-03-26 19:35:18 by f0dder
Well, more likely they are hooking the APIs and intercepting any threats to the virus before calling the actual API function. This is more impersonation than implementation.
Posted on 2008-04-20 15:41:49 by donkey
You can modify or add to the SSDT (System Service Dispatch Table); all the system call addresses are there, this is the real system service.
Posted on 2009-01-13 07:20:10 by mnzn2530
The SSDT is ring 0 if I recall right, requiring you to write a driver...
Posted on 2009-01-13 09:16:29 by evlncrn8
You might get the entry of a function and modify it:
(the first lines of an API function)
push ebp
mov ebp,esp
jmp/call yourfunction

!! You must jump back when your function is over....
Posted on 2009-08-07 10:50:04 by asmdna
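The entry-patch hook that asmdna sketches above, worked through as an added example (this is not code from anyone in the thread). It builds the two byte sequences a 32-bit inline hook needs: the 5-byte "jmp rel32" written over the function entry, and the trampoline that holds the stolen prologue bytes followed by the jump back to the original code. The prologue bytes and all addresses (function at 0x7C801D7B, hook at 0x00401000, trampoline at 0x00403000) are made up for the example; the code only computes the patch, it does not write it into a live process. The constructed prologue deliberately has a third instruction (sub esp,10h) that a 5-byte jmp would cut in half, so 6 bytes must be stolen and the patch is padded with a NOP.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Length of an x86 "jmp rel32" (E9 xx xx xx xx). */
#define JMP_LEN 5

struct inline_hook {
    uint8_t patch[16];       /* bytes to write over the function entry */
    size_t  patch_len;       /* == stolen_len: how many entry bytes we overwrite */
    uint8_t trampoline[32];  /* stolen prologue bytes + jmp back to entry+stolen_len */
    size_t  trampoline_len;
};

/* rel32 displacement for a jmp located at `from` that must land on `to`.
 * x86 measures the displacement from the END of the 5-byte instruction. */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + JMP_LEN));
}

/* Emit E9 + little-endian rel32 at out[0..4]. */
static void put_jmp(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t r = (uint32_t)jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)(r);
    out[2] = (uint8_t)(r >> 8);
    out[3] = (uint8_t)(r >> 16);
    out[4] = (uint8_t)(r >> 24);
}

/* Build the entry patch and the trampoline.
 * code       : first bytes of the target function as they sit in memory
 * func_va    : virtual address of the function entry
 * stolen_len : number of whole instructions' worth of bytes to relocate (>= 5,
 *              must end on an instruction boundary; the caller has to know this)
 * hook_va    : address of "yourfunction"
 * tramp_va   : address where the trampoline will live
 * Returns 0 on success, -1 if the lengths cannot work.
 * Assumption: the stolen bytes contain no relative jumps/calls, since they are
 * copied verbatim and would otherwise point to the wrong place. */
int build_inline_hook(const uint8_t *code, uint32_t func_va, size_t stolen_len,
                      uint32_t hook_va, uint32_t tramp_va, struct inline_hook *h)
{
    if (stolen_len < JMP_LEN || stolen_len > sizeof h->patch ||
        stolen_len + JMP_LEN > sizeof h->trampoline)
        return -1;
    memset(h, 0, sizeof *h);

    /* Entry: jmp hook, then NOP out the tail of the last stolen instruction
     * so nothing half-decodes if execution ever lands there. */
    put_jmp(h->patch, func_va, hook_va);
    memset(h->patch + JMP_LEN, 0x90, stolen_len - JMP_LEN);
    h->patch_len = stolen_len;

    /* Trampoline: original prologue, then jmp back to entry + stolen_len.
     * Calling the trampoline from the hook is the "jump back" asmdna means. */
    memcpy(h->trampoline, code, stolen_len);
    put_jmp(h->trampoline + stolen_len, tramp_va + (uint32_t)stolen_len,
            func_va + (uint32_t)stolen_len);
    h->trampoline_len = stolen_len + JMP_LEN;
    return 0;
}

/* Constructed prologue of a hypothetical 32-bit function:
 *   55          push ebp
 *   8B EC       mov  ebp, esp
 *   83 EC 10    sub  esp, 10h
 * A 5-byte jmp would end inside "sub esp,10h", so 6 bytes are stolen. */
static const uint8_t demo_prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

/* Worked instance with made-up addresses (not real kernel32 values). */
struct inline_hook build_demo_hook(void)
{
    struct inline_hook h;
    memset(&h, 0, sizeof h);
    build_inline_hook(demo_prologue, 0x7C801D7Bu, sizeof demo_prologue,
                      0x00401000u, 0x00403000u, &h);
    return h;
}

int main(void)
{
    struct inline_hook h = build_demo_hook();
    size_t i;
    printf("patch at entry: ");
    for (i = 0; i < h.patch_len; i++) printf("%02X ", h.patch[i]);
    printf("\ntrampoline:     ");
    for (i = 0; i < h.trampoline_len; i++) printf("%02X ", h.trampoline[i]);
    printf("\n");
    return 0;
}
```

To apply this for real you would additionally have to make the target page writable (VirtualProtect on Windows), copy `patch` over the entry, put `trampoline` in executable memory, and have "yourfunction" call the trampoline address instead of the original entry. Getting `stolen_len` right needs a length disassembler or hand inspection, which is why the "just patch the first line" approach breaks on functions whose prologue is not what you expected.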