Virtualization/Sandbox Evasion
17 syscalls implement this technique:
- NtIsProcessInJob
  Tests whether a process is running inside a specific (or any) job object.
- NtSetInformationThread
  Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtQueryPerformanceCounter
  Returns the current value of the high-resolution performance counter and optionally its frequency.
- NtGetCurrentProcessorNumber
  Returns the zero-based logical-processor index the calling thread is currently executing on.
- NtOpenEvent
  Opens a handle to an existing named event object.
- NtWaitForSingleObject
  Waits until a dispatcher object becomes signaled or the optional timeout expires.
- NtWaitForMultipleObjects
  Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.
- NtCreateMutant
  Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.
- NtDelayExecution
  Suspends the calling thread for a specified interval, optionally in an alertable state.
- NtQuerySystemTime
  Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.
- NtQueryInformationJobObject
  Retrieves accounting, limits or UI-restriction information about a job object.
- NtQueryKey
  Returns metadata about an open registry key — name, class, subkey/value counts, last-write time.
- NtLockFile
  Acquires a byte-range lock on an open file, optionally exclusive and optionally asynchronous.
- NtUnlockFile
  Releases a previously acquired byte-range lock on an open file.
- NtNotifyChangeDirectoryFile
  Registers an asynchronous notification request for filesystem changes within an opened directory handle.
- NtFindAtom
  Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.
- NtInitiatePowerAction
  Requests the power manager to perform a system-wide power action (sleep, hibernate, shutdown, reboot).