Lazarus tooling
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
9 syscalls cited
- NtReadVirtualMemory
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtQueryVirtualMemory
Retrieves information about pages in a target process's virtual address space.
- NtOpenProcess
Opens a handle to an existing process with a requested access mask.
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtQueueApcThread
Queues a user-mode asynchronous procedure call (APC) to a target thread.
- NtQueueApcThreadEx
Queues a user APC to a thread, optionally with a pre-allocated reserve object, or with the special-user-APC flag, which forces delivery on the thread's next return to user mode instead of waiting for an alertable wait.
- NtCreateUserProcess
Creates a new user-mode process and its initial thread from an executable image.
- NtResumeThread
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
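Read together, the nine syscalls above split into handle acquisition (NtOpenProcess, or NtCreateUserProcess for a freshly spawned target), reconnaissance (NtQueryVirtualMemory, NtReadVirtualMemory), code placement by mapping a section view into the target (NtCreateSection, NtMapViewOfSection) and an execution trigger (NtQueueApcThread, NtQueueApcThreadEx, NtResumeThread). That grouping is this editor's reading of the list, not something the page states. The detector below is an added example, not code from the page or from any cited report: it correlates per-process syscall records into that acquire / map-executable-view / trigger chain across a process boundary. The record shape (one JSON object per line with pid, syscall and an args map in which the tracer has already resolved handle arguments to a target_pid) and the sample trace are constructed assumptions; no stock Windows telemetry source emits exactly this.

```python
"""Correlate syscall trace records into a cross-process section-mapping
injection chain. Added example; the trace format below is assumed, not
the output of a real tracer."""
import json

# Syscalls cited on the page, grouped by the role they play in the chain.
ACQUIRE = {"NtOpenProcess", "NtCreateUserProcess"}  # obtain a target handle
PLACE = {"NtMapViewOfSection"}                       # put a view in the target
TRIGGER = {"NtQueueApcThread", "NtQueueApcThreadEx", "NtResumeThread"}
EXEC_PROTECT = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}

# Constructed sample trace (assumption: the tracer resolves every process or
# thread handle argument to the owning process and reports it as target_pid;
# for NtCreateUserProcess target_pid is the child it created).
SAMPLE_TRACE = """
{"ts": 1, "pid": 4242, "tid": 1, "syscall": "NtOpenProcess", "args": {"target_pid": 1337, "access": "PROCESS_ALL_ACCESS"}}
{"ts": 2, "pid": 4242, "tid": 1, "syscall": "NtCreateSection", "args": {"protect": "PAGE_EXECUTE_READWRITE"}}
{"ts": 3, "pid": 4242, "tid": 1, "syscall": "NtMapViewOfSection", "args": {"target_pid": 4242, "protect": "PAGE_READWRITE"}}
{"ts": 4, "pid": 4242, "tid": 1, "syscall": "NtMapViewOfSection", "args": {"target_pid": 1337, "protect": "PAGE_EXECUTE_READ"}}
{"ts": 5, "pid": 4242, "tid": 1, "syscall": "NtQueueApcThread", "args": {"target_pid": 1337, "target_tid": 1340}}
{"ts": 6, "pid": 5000, "tid": 7, "syscall": "NtOpenProcess", "args": {"target_pid": 1337, "access": "PROCESS_VM_READ"}}
{"ts": 7, "pid": 5000, "tid": 7, "syscall": "NtReadVirtualMemory", "args": {"target_pid": 1337, "size": 4096}}
{"ts": 8, "pid": 4343, "tid": 2, "syscall": "NtCreateUserProcess", "args": {"target_pid": 2000, "flags": "CREATE_SUSPENDED"}}
{"ts": 9, "pid": 4343, "tid": 2, "syscall": "NtMapViewOfSection", "args": {"target_pid": 2000, "protect": "PAGE_EXECUTE_READ"}}
{"ts": 10, "pid": 4343, "tid": 2, "syscall": "NtResumeThread", "args": {"target_pid": 2000, "target_tid": 2004}}
"""


def detect_injection_chains(lines):
    """Return [(injector_pid, target_pid, [syscalls...])] for every injector
    that acquired a handle to a *different* process, mapped an executable
    view into it and then queued an APC or resumed a thread in it, in that
    order. Each (injector, target) pair is reported once."""
    state = {}      # (injector_pid, target_pid) -> (stage, trail)
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        pid, name, args = rec["pid"], rec["syscall"], rec.get("args", {})
        target = args.get("target_pid")
        # Local-only calls (NtCreateSection) and a process touching its own
        # address space are routine, so they never advance a chain.
        if target is None or target == pid:
            continue
        key = (pid, target)
        stage, trail = state.get(key, (0, []))
        if stage == 0 and name in ACQUIRE:
            state[key] = (1, [name])
        elif stage == 1 and name in PLACE and args.get("protect") in EXEC_PROTECT:
            # Only an executable view counts; mapping a data view into a
            # foreign process is what e.g. shared-memory IPC does legitimately.
            state[key] = (2, trail + [name])
        elif stage == 2 and name in TRIGGER:
            findings.append((pid, target, trail + [name]))
            del state[key]
    return findings


def main():
    for injector, target, trail in detect_injection_chains(SAMPLE_TRACE.splitlines()):
        print(f"pid {injector} -> pid {target}: {' -> '.join(trail)}")


if __name__ == "__main__":
    main()
```

On the constructed trace only pid 4242 (open, map executable view, queue APC into 1337) and pid 4343 (spawn suspended child 2000, map executable view, resume) are reported; pid 5000, which opens 1337 but only reads its memory, is not. Two caveats for anyone adapting this: the order-sensitive state machine is deliberately narrow and misses variants that use NtWriteVirtualMemory or NtCreateThreadEx (neither is on this page), and the hard part in practice is the handle-to-process resolution the example assumes the tracer has already done.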