Cobalt Strike

Reserves, commits or both a region of virtual memory in a target process.

Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).

Changes the protection on a region of committed virtual memory in a target process.

Writes a buffer from the caller into the virtual address space of a target process.

Reads bytes from the virtual address space of a target process into a caller-supplied buffer.

Decommits or releases a region of virtual memory in a target process.

Retrieves information about pages in a target process's virtual address space.

Opens a handle to an existing process with a requested access mask.

Creates a section object backed by a file or the system pagefile for shared memory mapping.

Maps a view of a section object into the virtual address space of a target process.

Creates a new thread in a target process, optionally suspended, with rich attribute list support.

Queues a user-mode asynchronous procedure call (APC) to a target thread.

Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.

Creates a new user-mode process and its initial thread from an executable image.

Terminates a target process and all of its threads with a given exit status.

Suspends every thread in a target process by incrementing each thread's suspend count.

Decrements every thread's suspend count in a target process, resuming threads that reach zero.

Opens a handle to an existing thread identified by CLIENT_ID with requested access rights.

Increments the suspend count of a target thread, halting its execution.

Decrements the suspend count of a thread, resuming execution when the count reaches zero.

Terminates the specified thread with the supplied exit status. NULL handle terminates the current thread.

Retrieves the CPU register context (CONTEXT structure) of a suspended thread.

Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.

Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.

Enables or disables privileges in a specified access token.

Retrieves a specified class of information about an access token.

Writes a property on an access token — integrity level, session id, owner, default DACL, audit policy, linked token.

Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.

Causes the server thread to impersonate the security context of the client thread.

Retrieves a class of information about a process — the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.

Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.

Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.

Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.

Multiplexed control IOCTL for the ETW subsystem — start, stop, query, flush sessions and enable/disable providers.

Opens a handle to an existing named event object.

Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.

Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.

Closes a kernel object handle (file, key, event, process, thread, section, etc.).

Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.

Returns metadata about a kernel object handle: basic info, name, type, or the system-wide type table.

Sets handle-level attributes (inheritance, protect-from-close) on a kernel object handle.

Opens an existing object-manager symbolic link by name, returning a handle for later query or deletion.