Brute Ratel C4

Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.

Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.

Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.

Multiplexed control IOCTL for the ETW subsystem — start, stop, query, flush sessions and enable/disable providers.

Creates a named or unnamed event synchronization object and returns a handle to it.

Opens a handle to an existing named event object.

Sets an event object to the signaled state, releasing waiting threads.

Resets an event object to non-signaled and returns its previous signaled state.

Drives an event object to the non-signaled state without returning the previous state.

Waits until a dispatcher object becomes signaled or the optional timeout expires.

Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.

Creates a kernel timer object that can be armed later with NtSetTimer.

Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.

Cancels a pending NtSetTimer arm and reports whether the timer was still active at cancel time.

Suspends the calling thread for a specified interval, optionally in an alertable state.

Creates the server end of a named pipe in the \Device\NamedPipe device namespace.

Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.

Establishes a client ALPC connection to a named server port and exchanges an initial message.

Sends an ALPC message on a port and optionally waits for a reply or the next inbound message.

Opens a handle to an existing file or device — the lighter no-create counterpart of NtCreateFile.

Creates a new directory object in the Windows object manager namespace.

Creates an object-manager symbolic link from a name to an arbitrary NT target string.