Inter-Process Communication
View on attack.mitre.org →22 syscalls implement this technique
- NtCreateNamedPipeFile
Creates the server end of a named pipe in the \Device\NamedPipe device namespace.
- NtCreateMailslotFile
Creates the server side of a mailslot — a legacy, one-way, datagram-style IPC primitive accessed via \Device\Mailslot.
- NtAlpcCreatePort
Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.
- NtAlpcConnectPort
Establishes a client ALPC connection to a named server port and exchanges an initial message.
- NtAlpcAcceptConnectPort
Server-side ALPC accept — completes a pending client connection request and returns a per-client communication port.
- NtAlpcSendWaitReceivePort
Sends an ALPC message on a port and optionally waits for a reply or the next inbound message.
- NtAlpcOpenSenderProcess
Server-side helper that opens a HANDLE to the process that sent a given ALPC message.
- NtAlpcOpenSenderThread
Server-side helper that opens a HANDLE to the thread that sent a given ALPC message.
- NtAlpcDisconnectPort
Closes the client-side of an ALPC connection cleanly, signalling the server before the handle is freed.
- NtAlpcDeleteSecurityContext
Frees an ALPC SECURITY_QOS context previously created with NtAlpcCreateSecurityContext.
- NtAlpcRevokeSecurityContext
Invalidates a cached ALPC SECURITY_QOS context without freeing its handle slot.
- NtCreatePort
Creates a named server-side LPC port object — the legacy pre-ALPC IPC listener primitive.
- NtConnectPort
Client-side connect to a legacy LPC server port, the pre-ALPC equivalent of NtAlpcConnectPort.
- NtAcceptConnectPort
Server-side acceptance of a legacy LPC connection request, optionally mapping a shared view.
- NtRequestPort
Sends a fire-and-forget LPC message on a connected port — no reply expected.
- NtRequestWaitReplyPort
Sends a synchronous LPC request and blocks until the server replies — the legacy RPC primitive.
- NtReplyPort
Sends a reply on a server-side LPC port to a previously received request, without waiting.
- NtReplyWaitReceivePort
Server-side LPC primitive: atomically reply to the previous request and block for the next one.
- NtCreateDirectoryObject
Creates a new directory object in the Windows object manager namespace.
- NtAddAtom
Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.
- NtFindAtom
Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.
- NtQueryInformationAtom
Returns metadata about a single atom or the entire global atom table — name, refcount, pin count, usage counts.