Impair Defenses: Disable or Modify Tools

Retrieves information about pages in a target process's virtual address space.

Retrieves basic or image-specific metadata about a section object.

Determines whether two mapped views are backed by the same file (file object identity test).

Creates a new user-mode process and its initial thread from an executable image.

Terminates a target process and all of its threads with a given exit status.

Suspends every thread in a target process by incrementing each thread's suspend count.

Terminates the specified thread with the supplied exit status. NULL handle terminates the current thread.

Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.

Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.

Terminates every process currently assigned to a job object atomically.

Cancels every outstanding I/O request issued by the calling thread on a file handle.

Cancels a specific outstanding I/O request on a file, regardless of which thread issued it.

Cancels a synchronous I/O call that is currently blocking another thread.

Temporarily blocks all registry write operations system-wide, used by VSS for consistent snapshots.

Releases a previous registry freeze so writes resume; counterpart of NtFreezeRegistry.

Sends an IOCTL to a kernel driver — the user-mode entry point for every BYOVD primitive abuse.

Loads a kernel-mode driver from a registry-described service entry — the BYOVD entry point.

Unloads a previously loaded kernel-mode driver — the BYOVD cleanup primitive.