Reflective Code Loading
16 syscalls implement this technique
- NtAllocateVirtualMemory
Reserves a region of virtual memory in a target process, commits it, or does both.
- NtAllocateVirtualMemoryEx
Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).
- NtProtectVirtualMemory
Changes the protection on a region of committed virtual memory in a target process.
- NtFlushInstructionCache
Invalidates the instruction cache for a region in a target process so freshly written code can be executed.
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtCreateSectionEx
Creates a section object with extended parameters (NUMA node, address-requirements, user-physical pages).
- NtExtendSection
Grows an existing pagefile- or file-backed section to a larger maximum size.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtMapViewOfSectionEx
Windows 10 1809+ extended section-mapping syscall that accepts MEM_EXTENDED_PARAMETER constraints.
- NtCreateThreadEx
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtContinue
Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
- NtCreateEnclave
Allocates a new enclave (SGX or VBS/VTL1) inside a target process's address space.
- NtInitializeEnclave
Finalises an enclave after image load — verifies signatures and transitions it to executable state.
- NtCallEnclave
Transitions execution from VTL0 host code into a routine inside an initialised enclave.
- NtTerminateEnclave
Tears down an enclave, releasing its VTL1 memory and signalling any threads still inside.
- NtLoadEnclaveData
Copies a page-aligned buffer (code or data) from VTL0 host memory into an enclave's VTL1 range before initialisation.