Obfuscated Files or Information
13 syscalls implement this technique (technique reference: attack.mitre.org):
- NtFlushVirtualMemory
Flushes dirty pages of a file-backed view to disk, similar to FlushViewOfFile.
- NtLockVirtualMemory
Pins a virtual memory region in the process's working set so its pages cannot be paged out.
- NtUnlockVirtualMemory
Releases a working-set lock previously taken by NtLockVirtualMemory.
- NtMapUserPhysicalPages
Maps AWE-allocated physical pages into a previously reserved virtual address window.
- NtAlertThreadByThreadId
Wakes a single thread, identified by its TID, that is parked in NtWaitForAlertByThreadId — the kernel side of WakeByAddressSingle.
- NtWaitForAlertByThreadId
Parks the calling thread until NtAlertThreadByThreadId wakes it — the kernel side of WaitOnAddress.
- NtClearEvent
Drives an event object to the non-signaled state without returning the previous state.
- NtSignalAndWaitForSingleObject
Atomically signals one dispatcher object and waits on another in a single, race-free transition.
- NtWaitForKeyedEvent
Blocks the calling thread on a keyed event until another thread releases the same (event, key) pair.
- NtReleaseKeyedEvent
Wakes exactly one thread waiting on the same (keyed-event, key) pair, blocking if no waiter is present yet.
- NtCancelTimer
Cancels a pending NtSetTimer arm and reports whether the timer was still active at cancel time.
- NtCreateTransaction
Creates a new KTM (Kernel Transaction Manager) transaction object used to wrap NTFS operations atomically.
- NtRollbackTransaction
Rolls back a KTM transaction, discarding every change made under it.