Obfuscated Files or Information: Fileless Storage
16 syscalls implement this technique.
- NtLockVirtualMemory
Pins a virtual memory region in the process's working set so its pages cannot be paged out.
- NtUnlockVirtualMemory
Releases a working-set lock previously taken by NtLockVirtualMemory.
- NtGetWriteWatch
Retrieves the set of pages written to within a MEM_WRITE_WATCH region since the last reset.
- NtResetWriteWatch
Clears the write-tracking state of a MEM_WRITE_WATCH region without retrieving the dirty pages.
- NtContinue
Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
- NtCreateEvent
Creates a named or unnamed event synchronization object and returns a handle to it.
- NtSetEvent
Sets an event object to the signaled state, releasing waiting threads.
- NtSignalAndWaitForSingleObject
Atomically signals one dispatcher object and waits on another in a single, race-free transition.
- NtCreateTimer
Creates a kernel timer object that can be armed later with NtSetTimer.
- NtSetTimer
Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.
- NtCreateTimer2
Creates a modern high-resolution timer object supporting manual-reset and no-wake flags in one call.
- NtSetTimer2
Arms a Timer2 object with a due time, optional period and a T2_SET_PARAMETERS block describing callback and flags.
- NtCancelTimer2
Cancels a previously armed Timer2 object and reports whether it was still pending.
- NtDelayExecution
Suspends the calling thread for a specified interval, optionally in an alertable state.
- NtRemoveIoCompletion
Dequeues a single completion packet from an I/O completion port, blocking until one is available or the timeout expires.
- NtWaitForWorkViaWorkerFactory
Blocks a threadpool worker until a work item is available on the factory's completion queue — the hot loop hijacked by PoolParty.