Rootkit
View on attack.mitre.org →10 syscalls implement this technique
- NtQuerySystemInformation
Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.
- NtSetSystemInformation
Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.
- NtQueryDirectoryFile
Enumerates a directory at the IRP layer — used by rootkits to hide files by tampering with the returned list.
- NtDeviceIoControlFile
Sends an IOCTL to a kernel driver — the user-mode entry point for every BYOVD primitive abuse.
- NtAddDriverEntry
Registers a new EFI_DRIVER_ENTRY in the firmware so the UEFI environment loads a driver before the OS.
- NtModifyDriverEntry
Overwrites an existing EFI_DRIVER_ENTRY identified by its ID, rewriting the UEFI Driver#### NVRAM variable in place.
- NtDeleteDriverEntry
Removes a registered EFI_DRIVER_ENTRY by ID, deleting the corresponding UEFI Driver#### NVRAM variable.
- NtEnumerateDriverEntries
Returns a packed list of every registered EFI_DRIVER_ENTRY — the UEFI Driver#### variables dispatched before the boot manager.
- NtLoadDriver
Loads a kernel-mode driver from a registry-described service entry — the BYOVD entry point.
- NtSystemDebugControl
Routes kernel debugger-style requests (kernel R/W, control space, breakpoints, profiler) selected by the SysDbgCommand enum.