Syscall reference
Browse documented Nt*/Zw* syscalls across Windows versions.
- NtAllocateVirtualMemory (ntoskrnl.exe): T1055, T1055.002
Reserves or commits (or both) a region of virtual memory in a target process.
- NtProtectVirtualMemory (ntoskrnl.exe): T1055, T1055.002
Changes the protection on a region of committed virtual memory in a target process.
- NtWriteVirtualMemory (ntoskrnl.exe): T1055, T1055.002
Writes a buffer from the caller into the virtual address space of a target process.
- NtReadVirtualMemory (ntoskrnl.exe): T1003.001, T1057
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtOpenProcess (ntoskrnl.exe): T1057, T1003.001
Opens a handle to an existing process with a requested access mask.
- NtCreateThreadEx (ntoskrnl.exe): T1055, T1055.002
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtCreateSection (ntoskrnl.exe): T1055, T1055.012
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection (ntoskrnl.exe): T1055, T1055.012
Maps a view of a section object into the virtual address space of a target process.
- NtQueueApcThread (ntoskrnl.exe): T1055.004, T1055
Queues a user-mode asynchronous procedure call (APC) to a target thread.
- NtResumeThread (ntoskrnl.exe): T1055, T1055.012
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtOpenProcessToken (ntoskrnl.exe): T1134, T1134.001
Opens the access token associated with a process and returns a handle to it.
- NtOpenProcessTokenEx (ntoskrnl.exe): T1134, T1134.001
Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.
- NtAdjustPrivilegesToken (ntoskrnl.exe): T1134, T1134.001
Enables or disables privileges in a specified access token.
- NtQueryInformationToken (ntoskrnl.exe): T1134, T1033
Retrieves a specified class of information about an access token.
- NtDuplicateToken (ntoskrnl.exe): T1134, T1134.001
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtImpersonateAnonymousToken (ntoskrnl.exe): T1134, T1134.001
Assigns the well-known ANONYMOUS LOGON token to the specified thread.
- NtImpersonateThread (ntoskrnl.exe): T1134, T1134.001
Causes the server thread to impersonate the security context of the client thread.
- NtSetInformationThread (ntoskrnl.exe): T1622, T1106
Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtCreateKey (ntoskrnl.exe): T1547.001, T1546.012
Creates or opens a registry key — the kernel-level primitive behind every persistence beacon written to the registry.
- NtSetValueKey (ntoskrnl.exe): T1547.001, T1546.012
Writes a named value into an open registry key — the workhorse for Run-key and IFEO persistence.
- NtCreateFile (ntoskrnl.exe): T1564.001, T1547.001
Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.
- NtWriteFile (ntoskrnl.exe): T1486, T1561.001
Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.
- NtSetInformationFile (ntoskrnl.exe): T1486, T1070.004
Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.
- NtSetSystemInformation (ntoskrnl.exe): T1068, T1014
Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.