Sliver
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
31 syscalls cited
- NtAllocateVirtualMemory
Reserves or commits (or both) a region of virtual memory in a target process.
- NtProtectVirtualMemory
Changes the protection on a region of committed virtual memory in a target process.
- NtWriteVirtualMemory
Writes a buffer from the caller into the virtual address space of a target process.
- NtFreeVirtualMemory
Decommits or releases a region of virtual memory in a target process.
- NtQueryVirtualMemory
Retrieves information about pages in a target process's virtual address space.
- NtOpenProcess
Opens a handle to an existing process with a requested access mask.
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtCreateThreadEx
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtQueueApcThreadEx
Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.
- NtCreateUserProcess
Creates a new user-mode process and its initial thread from an executable image.
- NtResumeProcess
Decrements every thread's suspend count in a target process, resuming threads that reach zero.
- NtOpenThread
Opens a handle to an existing thread identified by CLIENT_ID with requested access rights.
- NtSuspendThread
Increments the suspend count of a target thread, halting its execution.
- NtTerminateThread
Terminates the specified thread with the supplied exit status. A NULL handle terminates the current thread.
- NtGetContextThread
Retrieves the CPU register context (CONTEXT structure) of a suspended thread.
- NtSetContextThread
Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.
- NtOpenProcessTokenEx
Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.
- NtAdjustPrivilegesToken
Enables or disables privileges in a specified access token.
- NtQueryInformationToken
Retrieves a specified class of information about an access token.
- NtDuplicateToken
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtImpersonateThread
Causes the server thread to impersonate the security context of the client thread.
- NtQuerySystemInformation
Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.
- NtCreateEvent
Creates a named or unnamed event synchronization object and returns a handle to it.
- NtOpenEvent
Opens a handle to an existing named event object.
- NtSetEvent
Sets an event object to the signaled state, releasing waiting threads.
- NtResetEvent
Resets an event object to non-signaled and returns its previous signaled state.
- NtClearEvent
Drives an event object to the non-signaled state without returning the previous state.
- NtWaitForMultipleObjects
Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.
- NtSetTimer
Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.
- NtCancelTimer
Cancels a pending NtSetTimer arm and reports whether the timer was still active at cancel time.