GuLoader
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
9 syscalls cited
- NtIsProcessInJob
Tests whether a process is running inside a specific job object (JobHandle given) or any job object (JobHandle NULL). The answer is carried in the return status, STATUS_PROCESS_IN_JOB (0x123) versus STATUS_PROCESS_NOT_IN_JOB (0x124); both are success codes, so a caller, and an analyst reading a trace, must compare the status value rather than test NT_SUCCESS. Analysis harnesses and hardened launchers often confine a sample in a job, which makes this a cheap environment probe.
- NtQueryInformationThread
Reads a property of a thread selected by the THREADINFOCLASS enum: ThreadBasicInformation (TEB pointer, client IDs, exit status), ThreadTimes, or ThreadHideFromDebugger (returned as a BOOLEAN). Querying ThreadHideFromDebugger right after setting it is a common way for a sample to confirm the set call was not neutered by a user-mode hook.
- NtSetInformationThread
Sets a property of a thread selected by the THREADINFOCLASS enum, most famously ThreadHideFromDebugger (class value 17, 0x11). Once set the flag cannot be cleared, and the kernel stops delivering debug events for that thread, so an attached debugger sees no breakpoints or exceptions from it. A trace record is only useful here if it captures the class value, not just the syscall name.
- NtQueryPerformanceCounter
Returns the current value of the high-resolution performance counter and optionally its frequency, so the caller can convert the difference of two readings into seconds. Two readings bracketing a sleep or a debugger-trapping instruction, compared against the elapsed time a bare machine would show, is the standard timing check against single-stepping and sleep acceleration.
- NtCreateDebugObject
Creates a kernel DebugObject, the per-debugger port that receives debug events from attached processes. A process can have only one debug port, so a sample that creates its own object and attaches it to a child (or has the child attach it to the parent) keeps a real debugger from attaching to that process.
- NtDebugActiveProcess
Attaches an existing DebugObject to a running process, the kernel side of DebugActiveProcess. A target that already has a debug port cannot be attached again, which is the whole point of the self-debugging trick above.
- NtDelayExecution
Suspends the calling thread for a specified interval, optionally in an alertable state (user-mode APCs can interrupt the wait). DelayInterval is a LARGE_INTEGER: a negative value is a relative delay in 100-ns units (-10,000,000 is one second), a positive value is an absolute system time in the same format NtQuerySystemTime returns, and zero just yields the timeslice. Sandboxes that skip or shorten long sleeps are exposed by a timing pair around this call.
- NtQuerySystemTime
Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC (FILETIME format). Subtracting 116444736000000000 and dividing by 10,000,000 gives Unix seconds. Two readings around a sleep give a coarser timing check than the performance counter, but one that survives sandboxes which hook only NtQueryPerformanceCounter.
- NtQueryInformationJobObject
Retrieves information about a job object selected by JOBOBJECTINFOCLASS: accounting (JobObjectBasicAccountingInformation: process counts, CPU time), limits (JobObjectBasicLimitInformation / JobObjectExtendedLimitInformation: kill-on-close, active process cap, memory caps) or UI restrictions (JobObjectBasicUIRestrictions). A NULL job handle refers to the job the calling process belongs to, so after NtIsProcessInJob says yes this is how a process learns what the job lets it do.
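Added example, written for this page and not taken from the original page or from any GuLoader sample: a small Python trace analyser that applies the semantics above to a stream of sandbox syscall records, decoding NtDelayExecution intervals and NtQuerySystemTime values, recognising the ThreadHideFromDebugger class value, reading the NtIsProcessInJob status codes, and spotting a timing check around a sleep whose counter delta is far shorter than the requested delay (what a sleep-skipping sandbox looks like to the sample). The record layout (name/args/ret dicts), the argument names and the sample trace are assumptions constructed for the demo; the numeric constants are the real Windows values.

```python
"""Interpret NT syscall trace records for the calls listed on this page.

Added example, not the page's own code and not GuLoader code. The trace
below is constructed by hand; the record layout {"name", "args", "ret"} and
the argument key names are assumptions, adapt them to your own trace format.
"""
from datetime import datetime, timedelta, timezone

# THREADINFOCLASS values (stable across Windows versions)
THREAD_BASIC_INFORMATION = 0
THREAD_HIDE_FROM_DEBUGGER = 17  # 0x11

# NTSTATUS values returned by NtIsProcessInJob. Both are success-class,
# so the caller must compare the status, not merely test NT_SUCCESS().
STATUS_PROCESS_IN_JOB = 0x00000123
STATUS_PROCESS_NOT_IN_JOB = 0x00000124

# 100-ns ticks between 1601-01-01 and 1970-01-01 (FILETIME -> Unix offset)
EPOCH_1601_TO_1970 = 116444736000000000
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an NtQuerySystemTime value (100-ns since 1601) to aware UTC datetime."""
    unix_ticks = ft - EPOCH_1601_TO_1970
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)


def decode_delay_interval(value: int) -> tuple:
    """Decode NtDelayExecution's LARGE_INTEGER DelayInterval.

    Negative: relative delay in 100-ns units; positive: absolute system time
    (same format as NtQuerySystemTime); zero: yield the timeslice.
    Returns ("relative", seconds) | ("absolute", datetime) | ("yield", None).
    """
    if value < 0:
        return ("relative", -value / TICKS_PER_SECOND)
    if value > 0:
        return ("absolute", filetime_to_datetime(value))
    return ("yield", None)


def analyse_trace(trace: list) -> list:
    """Return human-readable findings for anti-analysis idioms in the record stream."""
    findings = []
    last_qpc = None        # (counter, frequency) of the most recent NtQueryPerformanceCounter
    pending_sleep = None   # requested relative sleep (s) issued after last_qpc
    own_debug_object = False
    for rec in trace:
        name, args, ret = rec["name"], rec.get("args", {}), rec.get("ret", 0)
        if name == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append("thread hidden from debugger (irreversible; debug events for it are dropped)")
        elif name == "NtQueryInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append("sample re-read ThreadHideFromDebugger to verify the set call (anti-hook check)")
        elif name == "NtQueryPerformanceCounter":
            counter, freq = args["Counter"], args["Frequency"]
            if last_qpc is not None and pending_sleep is not None:
                observed = (counter - last_qpc[0]) / freq
                if observed < 0.9 * pending_sleep:
                    findings.append(f"timing check: requested {pending_sleep:.2f}s sleep, counter advanced "
                                    f"{observed:.2f}s (sleep skipped or accelerated)")
                pending_sleep = None
            last_qpc = (counter, freq)
        elif name == "NtDelayExecution":
            kind, payload = decode_delay_interval(args["DelayInterval"])
            if kind == "relative" and last_qpc is not None:
                pending_sleep = payload
        elif name == "NtCreateDebugObject":
            own_debug_object = True
        elif name == "NtDebugActiveProcess" and own_debug_object:
            findings.append(f"sample attached its own debug object to handle {args.get('ProcessHandle')} "
                            "(occupies the target's single debug port)")
        elif name == "NtIsProcessInJob":
            if ret == STATUS_PROCESS_IN_JOB:
                findings.append("job-object probe: process is in a job")
            elif ret == STATUS_PROCESS_NOT_IN_JOB:
                findings.append("job-object probe: process is not in a job")
    return findings


# Constructed trace: -2 / -1 are the NT pseudo-handles for current thread / process.
SAMPLE_TRACE = [
    {"name": "NtSetInformationThread", "args": {"ThreadHandle": -2, "ThreadInformationClass": 17, "Length": 0}, "ret": 0},
    {"name": "NtQueryInformationThread", "args": {"ThreadHandle": -2, "ThreadInformationClass": 17, "Result": 1}, "ret": 0},
    {"name": "NtQueryPerformanceCounter", "args": {"Counter": 10_000_000_000, "Frequency": 10_000_000}, "ret": 0},
    {"name": "NtDelayExecution", "args": {"Alertable": 0, "DelayInterval": -600_000_000}, "ret": 0},  # 60 s relative
    {"name": "NtQueryPerformanceCounter", "args": {"Counter": 10_002_000_000, "Frequency": 10_000_000}, "ret": 0},  # 0.2 s later
    {"name": "NtIsProcessInJob", "args": {"ProcessHandle": -1, "JobHandle": 0}, "ret": 0x124},
    {"name": "NtCreateDebugObject", "args": {"Flags": 0}, "ret": 0},
    {"name": "NtDebugActiveProcess", "args": {"ProcessHandle": 0x1A4}, "ret": 0},
]

if __name__ == "__main__":
    for line in analyse_trace(SAMPLE_TRACE):
        print(line)
```

The 0.9 tolerance absorbs scheduler jitter on a real host; a sandbox that fast-forwards the clock but not the performance counter, or patches the sleep to return immediately, falls well below it. The same pairing works with NtQuerySystemTime readings if the sandbox only hooks the counter.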