FinFisher
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
9 syscalls cited
- NtSetInformationToken
Writes a property on an access token — integrity level, session ID, owner, default DACL, audit policy, linked token.
- NtSetInformationThread
Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtDebugActiveProcess
Attaches an existing DebugObject to a running process — the kernel side of DebugActiveProcess.
- NtQueryObject
Returns metadata about a kernel object handle: basic info, name, type, or the system-wide type table.
- NtSetInformationObject
Sets handle-level attributes (inheritance, protect-from-close) on a kernel object handle.
- NtAddAtom
Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.
- NtFindAtom
Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.
- NtDeleteAtom
Decrements the reference count of a global atom and removes it when the count reaches zero.
- NtQueryInformationAtom
Returns metadata about a single atom or the entire global atom table — name, refcount, pin count, usage counts.