Havoc
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
8 syscalls cited
- NtContinue: Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
- NtTraceControl: Multiplexed control IOCTL for the ETW subsystem — start, stop, query, flush sessions and enable/disable providers.
- NtCreateEvent: Creates a named or unnamed event synchronization object and returns a handle to it.
- NtSetEvent: Sets an event object to the signaled state, releasing waiting threads.
- NtWaitForSingleObject: Waits until a dispatcher object becomes signaled or the optional timeout expires.
- NtCreateTimer: Creates a kernel timer object that can be armed later with NtSetTimer.
- NtSetTimer: Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.
- NtAlpcCreatePort: Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.