Process Discovery
10 syscalls implement this technique (MITRE ATT&CK reference: attack.mitre.org).
- NtReadVirtualMemory: reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtQueryVirtualMemory: retrieves information about pages in a target process's virtual address space.
- NtOpenProcess: opens a handle to an existing process with a requested access mask.
- NtGetNextProcess: walks the kernel's process list and returns a handle to the next process after a given one.
- NtOpenThread: opens a handle to an existing thread identified by CLIENT_ID with requested access rights.
- NtGetNextThread: returns a handle to the next thread within a target process by walking the kernel thread list.
- NtQueryInformationProcess: retrieves a class of information about a process; the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.
- NtQueryInformationThread: reads a property from a thread via the THREADINFOCLASS enum (TEB pointer, hide-from-debugger flag, times, exit status).
- NtQuerySystemInformation: retrieves a class of system-wide information (process list, kernel handle table, loaded driver list, code-integrity status, and more).
- NtAlpcQueryInformation: queries metadata about an ALPC port (owning process, message stats, server SID, port attributes).