ScareCrow
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
6 syscalls cited
- NtOpenThread
Opens a handle to an existing thread, identified by a CLIENT_ID, with the requested access rights.
- NtSuspendThread
Increments the suspend count of a target thread, halting its execution.
- NtTerminateThread
Terminates the specified thread with the supplied exit status. NULL handle terminates the current thread.
- NtGetContextThread
Retrieves the CPU register context (CONTEXT structure) of a suspended thread.
- NtSetContextThread
Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.
- NtSetInformationProcess
Modifies process-level state selected by an information class: anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.