Hijack Execution Flow
9 syscalls implement this technique
- NtSetInformationVirtualMemory
Applies an information class to a list of virtual-memory ranges: prefetch, page priority, or CFG call-target opt-in.
- NtCreateEnclave
Allocates a new enclave (SGX or VBS/VTL1) inside a target process's address space.
- NtInitializeEnclave
Finalises an enclave after image load — verifies signatures and transitions it to executable state.
- NtCallEnclave
Transitions execution from VTL0 host code into a routine inside an initialised enclave.
- NtLoadEnclaveData
Copies a page-aligned buffer (code or data) from VTL0 host memory into an enclave's VTL1 range before initialisation.
- NtLoadKeyEx
Modern hive-load syscall — backs RegLoadKeyW, RegLoadAppKeyW and the AppContainer registry virtualization layer.
- NtCreateSymbolicLinkObject
Creates an object-manager symbolic link from a name to an arbitrary NT target string.
- NtOpenSymbolicLinkObject
Opens an existing object-manager symbolic link by name, returning a handle for later query or deletion.
- NtSetCachedSigningLevel
Writes a Code Integrity cached signing-level result into an NTFS extended attribute on the target file.