VMProtect-packed loaders
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
5 syscalls cited
- NtQueryInformationThread
Reads a property from a thread via the THREADINFOCLASS enum — TEB pointer, hide-from-debugger flag, times, exit status.
- NtSetInformationThread
Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtCreateDebugObject
Creates a kernel DebugObject — the per-debugger port that receives debug events from attached processes.
- NtDebugActiveProcess
Attaches an existing DebugObject to a running process — the kernel side of DebugActiveProcess.
- NtRemoveProcessDebug
Detaches a DebugObject from a process — the kernel side of DebugActiveProcessStop.