Native API
View on attack.mitre.org
208 syscalls implement this technique
- NtAllocateVirtualMemoryEx
Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).
- NtWriteVirtualMemory
Writes a buffer from the caller into the virtual address space of a target process.
- NtReadVirtualMemory
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtFreeVirtualMemory
Decommits or releases a region of virtual memory in a target process.
- NtQueryVirtualMemory
Retrieves information about pages in a target process's virtual address space.
- NtFlushVirtualMemory
Flushes dirty pages of a file-backed view to disk, similar to FlushViewOfFile.
- NtLockVirtualMemory
Pins a virtual memory region in the process's working set so its pages cannot be paged out.
- NtUnlockVirtualMemory
Releases a working-set lock previously taken by NtLockVirtualMemory.
- NtAllocateUserPhysicalPages
Allocates physical memory pages for use with Address Windowing Extensions (AWE).
- NtMapUserPhysicalPages
Maps AWE-allocated physical pages into a previously reserved virtual address window.
- NtFreeUserPhysicalPages
Releases physical pages previously allocated via NtAllocateUserPhysicalPages, returning them to the system page pool.
- NtFlushInstructionCache
Invalidates the instruction cache for a region in a target process so freshly written code can be executed.
- NtFlushProcessWriteBuffers
Issues a system-wide memory barrier on every CPU running threads of the current process.
- NtCreateSectionEx
Creates a section object with extended parameters (NUMA node, address-requirements, user-physical pages).
- NtOpenSection
Opens a handle to an existing named section object (shared memory or image mapping).
- NtExtendSection
Grows an existing file-backed section to a larger size; pagefile-backed sections cannot be extended and the call fails with STATUS_SECTION_NOT_EXTENDED.
- NtQuerySection
Retrieves basic or image-specific metadata about a section object.
- NtMapViewOfSectionEx
Windows 10 1803+ extended section-mapping syscall (the kernel side of MapViewOfFile3) that accepts MEM_EXTENDED_PARAMETER constraints.
- NtUnmapViewOfSection
Unmaps a previously mapped section view from a process's virtual address space.
- NtAreMappedFilesTheSame
Determines whether two mapped views are backed by the same file (file object identity test).
- NtGetWriteWatch
Retrieves the set of pages written to within a MEM_WRITE_WATCH region since the last reset.
- NtResetWriteWatch
Clears the write-tracking state of a MEM_WRITE_WATCH region without retrieving the dirty pages.
- NtCreatePartition
Creates a memory partition object that isolates the physical-page working set of a group of processes.
- NtOpenPartition
Opens an existing memory partition object by name and returns a handle for management or process attachment.
- NtManagePartition
Queries or modifies an existing memory partition — add memory, transfer pages, set memory-list configuration.
- NtCreateThread
Legacy thread-creation syscall requiring a manually-built INITIAL_TEB; superseded by NtCreateThreadEx.
- NtQueueApcThread
Queues a user-mode asynchronous procedure call (APC) to a target thread.
- NtQueueApcThreadEx
Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.
- NtTestAlert
Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.
- NtContinue
Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
- NtAlertThreadByThreadId
Wakes a single thread, identified by its TID, that is parked in NtWaitForAlertByThreadId — the kernel side of WakeByAddressSingle.
- NtWaitForAlertByThreadId
Parks the calling thread until NtAlertThreadByThreadId wakes it — the kernel side of WaitOnAddress.
- NtAllocateReserveObject
Pre-allocates a kernel reserve object (APC or completion) so future operations cannot fail under memory pressure.
- NtCreateProcess
Legacy NT-style process creation from a pre-built section object — predecessor of NtCreateProcessEx and NtCreateUserProcess.
- NtCreateUserProcess
Creates a new user-mode process and its initial thread from an executable image.
- NtCreateProcessEx
Creates a new process from a section handle without running ntdll process initialization — building block of hollowing-style techniques that start a process from a hand-built section (process doppelgänging, process ghosting).
- NtTerminateProcess
Terminates a target process and all of its threads with a given exit status.
- NtSuspendProcess
Suspends every thread in a target process by incrementing each thread's suspend count.
- NtResumeProcess
Decrements every thread's suspend count in a target process, resuming threads that reach zero.
- NtGetNextProcess
Walks the kernel's process list and returns a handle to the next process after a given one.
- NtIsProcessInJob
Tests whether a process is running inside a specific (or any) job object.
- NtOpenThread
Opens a handle to an existing thread identified by CLIENT_ID with requested access rights.
- NtSuspendThread
Increments the suspend count of a target thread, halting its execution.
- NtResumeThread
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtAlertResumeThread
Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.
- NtTerminateThread
Terminates the specified thread with the supplied exit status. NULL handle terminates the current thread.
- NtGetContextThread
Retrieves the CPU register context (CONTEXT structure) of a suspended thread.
- NtSetContextThread
Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.
- NtGetNextThread
Returns a handle to the next thread within a target process by walking the kernel thread list.
- NtOpenProcessToken
Opens the access token associated with a process and returns a handle to it.
- NtAdjustPrivilegesToken
Enables or disables privileges in a specified access token.
- NtQueryInformationToken
Retrieves a specified class of information about an access token.
- NtSetInformationToken
Writes a property on an access token — integrity level, session id, owner, default DACL, audit policy, linked token.
- NtFilterToken
Creates a restricted (filtered) copy of an existing access token by disabling SIDs, deleting privileges, or adding restricted SIDs.
- NtImpersonateAnonymousToken
Assigns the well-known ANONYMOUS LOGON token to the specified thread.
- NtImpersonateThread
Causes the server thread to impersonate the security context of the client thread.
- NtCompareTokens
Decides whether two tokens grant the same access — same user, same groups, same restricted SIDs, same privileges.
- NtCreateToken
Forges an access token from scratch with caller-specified user, groups, privileges, owner, default DACL and source — gated by SeCreateTokenPrivilege.
- NtCreateLowBoxToken
Derives a LowBox (AppContainer) token from an existing token — sets the package SID and capability list that gate broker IPC access.
- NtAccessCheck
Performs a security access check of a security descriptor against an impersonation token, returning the granted access mask.
- NtAccessCheckByType
Performs a security access check against a security descriptor honoring a typed object hierarchy (OBJECT_TYPE_LIST).
- NtPrivilegeCheck
Tests whether the privileges named in a PRIVILEGE_SET are enabled in an impersonation token.
- NtGetCachedSigningLevel
Reads the Code Integrity cached signing-level result stored as an NTFS extended attribute on a file.
- NtCompareSigningLevels
Compares two SE_SIGNING_LEVEL values using Code Integrity's policy ordering and returns whether the first dominates the second.
- NtQueryInformationProcess
Retrieves a class of information about a process — the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.
- NtSetInformationProcess
Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.
- NtQueryInformationThread
Reads a property from a thread via the THREADINFOCLASS enum — TEB pointer, hide-from-debugger flag, times, exit status.
- NtSetInformationThread
Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtQuerySystemInformation
Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.
- NtSetSystemInformation
Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.
- NtRaiseHardError
Raises a 'hard error' that the kernel routes to CSRSS for UI prompting — or, with SeShutdownPrivilege and the OptionShutdownSystem response option, triggers an immediate bugcheck (FATAL_UNHANDLED_HARD_ERROR, 0x4C).
- NtQueryInformationByName
Queries file information by path without an open handle, introduced in Windows 10 RS5.
- NtCreateProfile
Creates a kernel-mode sampling profiler object that buckets the program counter into a histogram.
- NtQueryPerformanceCounter
Returns the current value of the high-resolution performance counter and optionally its frequency.
- NtGetCurrentProcessorNumber
Returns the zero-based logical-processor index the calling thread is currently executing on.
- NtTraceEvent
Writes a user-mode event to an ETW session via a registered trace handle.
- NtTraceControl
Multiplexed control IOCTL for the ETW subsystem — start, stop, query, flush sessions and enable/disable providers.
- NtCreateDebugObject
Creates a kernel DebugObject — the per-debugger port that receives debug events from attached processes.
- NtDebugActiveProcess
Attaches an existing DebugObject to a running process — the kernel side of DebugActiveProcess.
- NtRemoveProcessDebug
Detaches a DebugObject from a process — the kernel side of DebugActiveProcessStop.
- NtWaitForDebugEvent
Waits for the next debug event delivered to a debug object, returning a DBGUI_WAIT_STATE_CHANGE.
- NtDebugContinue
Resumes a debuggee thread after a debug event with a given NTSTATUS continue code.
- NtCreateEvent
Creates a named or unnamed event synchronization object and returns a handle to it.
- NtOpenEvent
Opens a handle to an existing named event object.
- NtSetEvent
Sets an event object to the signaled state, releasing waiting threads.
- NtResetEvent
Resets an event object to non-signaled and returns its previous signaled state.
- NtPulseEvent
Signals an event, releases currently-waiting threads, then immediately resets it to non-signaled.
- NtClearEvent
Drives an event object to the non-signaled state without returning the previous state.
- NtWaitForSingleObject
Waits until a dispatcher object becomes signaled or the optional timeout expires.
- NtWaitForMultipleObjects
Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.
- NtSignalAndWaitForSingleObject
Atomically signals one dispatcher object and waits on another in a single, race-free transition.
- NtCreateKeyedEvent
Creates a keyed event object — a lightweight kernel sync primitive that pairs waits and wakes by virtual-address key.
- NtWaitForKeyedEvent
Blocks the calling thread on a keyed event until another thread releases the same (event, key) pair.
- NtReleaseKeyedEvent
Wakes exactly one thread waiting on the same (keyed-event, key) pair, blocking if no waiter is present yet.
- NtCreateMutant
Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.
- NtCreateTimer
Creates a kernel timer object that can be armed later with NtSetTimer.
- NtCancelTimer
Cancels a pending NtSetTimer arm and reports whether the timer was still active at cancel time.
- NtCreateTimer2
Creates a modern high-resolution timer object supporting manual-reset and no-wake flags in one call.
- NtSetTimer2
Arms a Timer2 object with a due time, optional period and a T2_SET_PARAMETERS block describing callback and flags.
- NtCancelTimer2
Cancels a previously armed Timer2 object and reports whether it was still pending.
- NtDelayExecution
Suspends the calling thread for a specified interval, optionally in an alertable state.
- NtQuerySystemTime
Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.
- NtCreateNamedPipeFile
Creates the server end of a named pipe in the \Device\NamedPipe device namespace.
- NtCreateMailslotFile
Creates the server side of a mailslot — a legacy, one-way, datagram-style IPC primitive accessed via \Device\Mailslot.
- NtAlpcCreatePort
Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.
- NtAlpcConnectPort
Establishes a client ALPC connection to a named server port and exchanges an initial message.
- NtAlpcAcceptConnectPort
Server-side ALPC accept — completes a pending client connection request and returns a per-client communication port.
- NtAlpcSendWaitReceivePort
Sends an ALPC message on a port and optionally waits for a reply or the next inbound message.
- NtAlpcQueryInformation
Queries metadata about an ALPC port — owning process, message stats, server SID, port attributes.
- NtAlpcImpersonateClientOfPort
ALPC server's primary impersonation primitive — assumes the security context of the client that sent a message.
- NtAlpcOpenSenderProcess
Server-side helper that opens a HANDLE to the process that sent a given ALPC message.
- NtAlpcOpenSenderThread
Server-side helper that opens a HANDLE to the thread that sent a given ALPC message.
- NtAlpcDisconnectPort
Closes the client-side of an ALPC connection cleanly, signalling the server before the handle is freed.
- NtAlpcDeleteSecurityContext
Frees an ALPC SECURITY_QOS context previously created with NtAlpcCreateSecurityContext.
- NtAlpcRevokeSecurityContext
Invalidates a cached ALPC SECURITY_QOS context without freeing its handle slot.
- NtCreatePort
Creates a named server-side LPC port object — the legacy pre-ALPC IPC listener primitive.
- NtConnectPort
Client-side connect to a legacy LPC server port, the pre-ALPC equivalent of NtAlpcConnectPort.
- NtAcceptConnectPort
Server-side acceptance of a legacy LPC connection request, optionally mapping a shared view.
- NtRequestPort
Sends a fire-and-forget LPC message on a connected port — no reply expected.
- NtRequestWaitReplyPort
Sends a synchronous LPC request and blocks until the server replies — the legacy RPC primitive.
- NtReplyPort
Sends a reply on a server-side LPC port to a previously received request, without waiting.
- NtReplyWaitReceivePort
Server-side LPC primitive: atomically reply to the previous request and block for the next one.
- NtCreateJobObject
Creates a job object — the kernel container used to apply limits, accounting and termination policy to a set of processes.
- NtAssignProcessToJobObject
Attaches a process to a job object so that the job's limits, accounting and termination policy apply to it.
- NtSetInformationJobObject
Sets a policy or limit on a job object via one of the JOBOBJECTINFOCLASS information classes.
- NtQueryInformationJobObject
Retrieves accounting, limits or UI-restriction information about a job object.
- NtTerminateJobObject
Terminates every process currently assigned to a job object atomically.
- NtCreateIoCompletion
Creates an I/O completion port — the kernel queue that backs threadpool work delivery, async I/O notification, and (in PoolParty) injected work items.
- NtSetIoCompletion
Posts a completion packet to an I/O completion port — the kernel side of PostQueuedCompletionStatus and the delivery vector for PoolParty's forged work items.
- NtRemoveIoCompletion
Dequeues a single completion packet from an I/O completion port, blocking until one is available or the timeout expires.
- NtRemoveIoCompletionEx
Dequeues up to a caller-specified number of completion packets from an I/O completion port in a single syscall.
- NtCancelIoFile
Cancels every outstanding I/O request issued by the calling thread on a file handle.
- NtCancelIoFileEx
Cancels a specific outstanding I/O request on a file, regardless of which thread issued it.
- NtCancelSynchronousIoFile
Cancels a synchronous I/O call that is currently blocking another thread.
- NtCancelWaitCompletionPacket
Cancels a previously associated wait-completion packet, removing the dispatcher-object binding.
- NtAssociateWaitCompletionPacket
Binds a wait-completion packet to a dispatcher object so its signal posts an entry to an IOCP.
- NtCreateWorkerFactory
Creates a kernel worker factory object — the threadpool primitive that PoolParty injection abuses to spawn shellcode without NtCreateThreadEx.
- NtShutdownWorkerFactory
Signals a worker factory to stop creating new threads and reports how many workers are still pending.
- NtSetInformationWorkerFactory
Sets a configuration class on a worker factory — including, in some PoolParty variants, the StartRoutine that worker threads will execute.
- NtQueryInformationWorkerFactory
Queries configuration and runtime state of a worker factory, including the current StartRoutine and worker counts.
- NtWorkerFactoryWorkerReady
Signals to the kernel that a threadpool worker is ready to receive work — part of the internal ntdll!TppWorkerThread handshake.
- NtReleaseWorkerFactoryWorker
Requests the kernel to make at least one worker available in the factory — used by the user-mode threadpool to wake the pool on work submission.
- NtWaitForWorkViaWorkerFactory
Blocks a threadpool worker until a work item is available on the factory's completion queue — the hot loop hijacked by PoolParty.
- NtCreateTransaction
Creates a new KTM (Kernel Transaction Manager) transaction object used to wrap NTFS operations atomically.
- NtOpenTransaction
Opens an existing KTM transaction object by name or unit-of-work GUID.
- NtCommitTransaction
Commits a KTM transaction, atomically persisting every change made under it to disk.
- NtRollbackTransaction
Rolls back a KTM transaction, discarding every change made under it.
- NtCreateEnclave
Allocates a new enclave (SGX or VBS/VTL1) inside a target process's address space.
- NtInitializeEnclave
Finalises an enclave after image load — verifies signatures and transitions it to executable state.
- NtCallEnclave
Transitions execution from VTL0 host code into a routine inside an initialised enclave.
- NtTerminateEnclave
Tears down an enclave, releasing its VTL1 memory and signalling any threads still inside.
- NtLoadEnclaveData
Copies a page-aligned buffer (code or data) from VTL0 host memory into an enclave's VTL1 range before initialisation.
- NtOpenKey
Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.
- NtDeleteKey
Deletes a registry key when the handle is closed — used to wipe persistence and audit-key artefacts post-execution.
- NtQueryValueKey
Reads a value from a registry key — the targeted credential and config harvest primitive.
- NtQueryMultipleValueKey
Atomically reads several registry values from a single key in one syscall.
- NtRenameKey
Renames an existing registry key in place — no documented Win32 wrapper (advapi32 exports an undocumented RegRenameKey), so it is normally reached via the NT API.
- NtLoadKey
Mounts a registry hive file under a target key — the syscall behind offline SAM/SYSTEM loading.
- NtLoadKey2
Loads a registry hive into the configuration tree — NtLoadKey plus a Flags parameter controlling how the hive is mounted.
- NtLoadKeyEx
Modern hive-load syscall — backs RegLoadKeyW, RegLoadAppKeyW and the AppContainer registry virtualization layer.
- NtRestoreKey
Overwrites a registry key's contents from a hive file — replaces subtrees in bulk.
- NtSaveKey
Writes a live registry key (with subtree) to a hive file — the kernel side of SAM/SECURITY theft.
- NtFlushKey
Forces all pending changes to a registry key to be written to its backing hive on disk.
- NtCompressKey
Forces defragmentation / compaction of a loaded registry hive backing file.
- NtNotifyChangeKey
Registers an asynchronous notification for changes to a registry key and (optionally) its subtree.
- NtNotifyChangeMultipleKeys
Registers a single notification request that fires when any of several registry keys changes.
- NtFreezeRegistry
Temporarily blocks all registry write operations system-wide, used by VSS for consistent snapshots.
- NtThawRegistry
Releases a previous registry freeze so writes resume; counterpart of NtFreezeRegistry.
- NtClose
Closes a kernel object handle (file, key, event, process, thread, section, etc.).
- NtCreateFile
Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.
- NtOpenFile
Opens a handle to an existing file or device — the lighter no-create counterpart of NtCreateFile.
- NtReadFile
Reads bytes from a file, device or named pipe into a user buffer — the kernel primitive behind ReadFile.
- NtWriteFile
Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.
- NtDeleteFile
Deletes a file by path without first opening a handle — a rare anti-forensics primitive.
- NtSetInformationFile
Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.
- NtQueryInformationFile
Reads metadata about an open file — timestamps, size, EAs, streams, reparse points and more.
- NtQueryDirectoryFile
Enumerates a directory at the IRP layer — used by rootkits to hide files by tampering with the returned list.
- NtDeviceIoControlFile
Sends an IOCTL to a kernel driver — the user-mode entry point for every BYOVD primitive abuse.
- NtFsControlFile
Sends FSCTL codes to a filesystem — used to plant reparse points, access ADS, and abuse junction traversal.
- NtLockFile
Acquires a byte-range lock on an open file, optionally exclusive and optionally asynchronous.
- NtUnlockFile
Releases a previously-acquired byte-range lock on an open file.
- NtNotifyChangeDirectoryFile
Registers an asynchronous notification request for filesystem changes within an opened directory handle.
- NtNotifyChangeDirectoryFileEx
Extended directory-change notification that lets the caller pick the FILE_NOTIFY_INFORMATION class returned in the buffer.
- NtQueryVolumeInformationFile
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.
- NtSetVolumeInformationFile
Modifies writable volume properties — primarily the volume label — for the volume backing a file handle.
- NtSetEaFile
Writes NTFS extended attributes (EAs) attached to a file handle.
- NtQueryEaFile
Reads NTFS extended attributes (EAs) from a file handle, optionally filtered or paged.
- NtDuplicateObject
Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.
- NtQueryObject
Returns metadata about a kernel object handle: basic info, name, type, or the system-wide type table.
- NtSetInformationObject
Sets handle-level attributes (inheritance, protect-from-close) on a kernel object handle.
- NtCompareObjects
Returns STATUS_SUCCESS when two handles refer to the same underlying kernel object.
- NtMakePermanentObject
Sets the OBJ_PERMANENT attribute on a named kernel object so it survives after the last handle closes.
- NtMakeTemporaryObject
Clears the OBJ_PERMANENT attribute so the kernel object is freed once its last handle closes.
- NtCreateDirectoryObject
Creates a new directory object in the Windows object manager namespace.
- NtOpenDirectoryObject
Opens an existing directory object in the Windows object manager namespace.
- NtQueryDirectoryObject
Enumerates the entries (name + type) inside an object-manager directory.
- NtCreateSymbolicLinkObject
Creates an object-manager symbolic link from a name to an arbitrary NT target string.
- NtOpenSymbolicLinkObject
Opens an existing object-manager symbolic link by name, returning a handle for later query or deletion.
- NtAddAtom
Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.
- NtFindAtom
Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.
- NtDeleteAtom
Decrements the reference count of a global atom and removes it when the count reaches zero.
- NtQueryInformationAtom
Returns metadata about a single atom or the entire global atom table — name, refcount, pin count, usage counts.
- NtQuerySecurityObject
Retrieves a self-relative SECURITY_DESCRIPTOR from any kernel object exposed via a handle.
- NtSetCachedSigningLevel
Writes a Code Integrity cached signing-level result into an NTFS extended attribute on the target file.
- NtSystemDebugControl
Routes kernel debugger-style requests (kernel R/W, control space, breakpoints, profiler) selected by the SysDbgCommand enum.
- NtSetSystemPowerState
Transitions the system into the requested sleep, hibernate or working power state.
- NtShutdownSystem
Shuts down, reboots or powers off the system in one syscall; requires SeShutdownPrivilege.
- NtCreatePagingFile
Creates or extends a Windows pagefile at the requested NT path; requires SeCreatePagefilePrivilege.