Process Injection

Reserves, commits or both a region of virtual memory in a target process.

Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).

Changes the protection on a region of committed virtual memory in a target process.

Writes a buffer from the caller into the virtual address space of a target process.

Decommits or releases a region of virtual memory in a target process.

Allocates physical memory pages for use with Address Windowing Extensions (AWE).

Maps AWE-allocated physical pages into a previously reserved virtual address window.

Opens a handle to an existing process with a requested access mask.

Creates a section object backed by a file or the system pagefile for shared memory mapping.

Creates a section object with extended parameters (NUMA node, address-requirements, user-physical pages).

Maps a view of a section object into the virtual address space of a target process.

Unmaps a previously mapped section view from a process's virtual address space.

Legacy thread-creation syscall requiring a manually-built INITIAL_TEB; superseded by NtCreateThreadEx.

Creates a new thread in a target process, optionally suspended, with rich attribute list support.

Queues a user-mode asynchronous procedure call (APC) to a target thread.

Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.

Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.

Pre-allocates a kernel reserve object (APC or completion) so future operations cannot fail under memory pressure.

Legacy NT-style process creation from a pre-built section object — predecessor of NtCreateProcessEx and NtCreateUserProcess.

Creates a new user-mode process and its initial thread from an executable image.

Suspends every thread in a target process by incrementing each thread's suspend count.

Decrements every thread's suspend count in a target process, resuming threads that reach zero.

Decrements the suspend count of a thread, resuming execution when the count reaches zero.

Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.

Creates a modern high-resolution timer object supporting manual-reset and no-wake flags in one call.

Creates an I/O completion port — the kernel queue that backs threadpool work delivery, async I/O notification, and (in PoolParty) injected work items.

Posts a completion packet to an I/O completion port — the kernel side of PostQueuedCompletionStatus and the delivery vector for PoolParty's forged work items.

Cancels a previously associated wait-completion packet, removing the dispatcher-object binding.

Binds a wait-completion packet to a dispatcher object so its signal posts an entry to an IOCP.

Creates a kernel worker factory object — the threadpool primitive that PoolParty injection abuses to spawn shellcode without NtCreateThreadEx.

Signals a worker factory to stop creating new threads and reports how many workers are still pending.

Sets a configuration class on a worker factory — including, in some PoolParty variants, the StartRoutine that worker threads will execute.

Queries configuration and runtime state of a worker factory, including the current StartRoutine and worker counts.

Requests the kernel to make at least one worker available in the factory — used by the user-mode threadpool to wake the pool on work submission.

Blocks a threadpool worker until a work item is available on the factory's completion queue — the hot loop hijacked by PoolParty.

Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.

Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.

Decrements the reference count of a global atom and removes it when the count reaches zero.

Returns metadata about a single atom or the entire global atom table — name, refcount, pin count, usage counts.