NtAssignProcessToJobObject

Prototype

NTSTATUS NtAssignProcessToJobObject(
  HANDLE JobHandle,
  HANDLE ProcessHandle
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 91 00 00 00      mov eax, 0x91
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtAssignProcessToJobObject is the wiring step that turns a freshly created job into something that actually affects a process. Once assigned, the process inherits every limit set on the job (working-set caps, UI restrictions, CPU rate, breakaway policy) and contributes to the job's accounting. Before Windows 8, a process could be in at most one job; nested jobs since Win8 mean the kernel walks a job chain on every check. The classic sandbox pattern is `NtCreateJobObject → NtSetInformationJobObject(limits + UI restrictions) → NtCreateUserProcess(suspended) → NtAssignProcessToJobObject → NtResumeThread`.

Common malware usage

Defensive in the vast majority of cases. The offensive interest is sandbox-aware: if the job allows JOB_OBJECT_LIMIT_BREAKAWAY_OK, a child spawned with CREATE_BREAKAWAY_FROM_JOB escapes the container; many AppContainer and Chromium sandbox bypasses pivot on this fact. A few red-team frameworks call NtAssignProcessToJobObject on their own implant to attach a KILL_ON_JOB_CLOSE policy so closing the implant handle reaps every spawned helper — useful for clean withdrawal. Weak signal in isolation, meaningful only in chain with NtSetInformationJobObject and policy queries.

Detection opportunities

No dedicated Sysmon event. ETW Microsoft-Windows-Kernel-Process records changes to a process's job membership; pairing the assignment with the originating process (who owns JobHandle?) is the actionable signal. EDR-side hooks on NtAssignProcessToJobObject should correlate with the immediately preceding NtCreateJobObject and any NtSetInformationJobObject calls that set BREAKAWAY_OK or KILL_ON_JOB_CLOSE. The high-value detection is a process attaching itself to a fresh job and then immediately spawning children with CREATE_BREAKAWAY_FROM_JOB — that is sandbox-escape shape, not normal sandbox shape.

Direct syscall examples

; Direct syscall stub for NtAssignProcessToJobObject (SSN 0x91 on Win11 24H2 / Server 2025)
NtAssignProcessToJobObject PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 091h         ; SSN for win11-24h2
    syscall
    ret
NtAssignProcessToJobObject ENDP

// Continued from NtCreateJobObject / NtSetInformationJobObject sandbox setup.
// Spawn the target suspended, attach to the job, only then resume.
PROCESS_INFORMATION pi = { 0 };
STARTUPINFOW si = { sizeof(si) };
CreateProcessW(L"C:\\Windows\\System32\\notepad.exe",
               NULL, NULL, NULL, FALSE,
               CREATE_SUSPENDED,
               NULL, NULL, &si, &pi);

NTSTATUS s = NtAssignProcessToJobObject(hJob, pi.hProcess);
if (!NT_SUCCESS(s)) {
    TerminateProcess(pi.hProcess, 1);
    return s;
}

NtResumeThread(pi.hThread, NULL);   // job limits are now in effect for the child

// Cargo: windows-sys = "0.59"  (Win32_System_JobObjects)
use std::arch::asm;

#[unsafe(naked)]
unsafe extern "system" fn nt_assign_process_to_job_object_stub() {
    asm!(
        "mov r10, rcx",
        "mov eax, 0x91",    // Win11 24H2; resolve dynamically for other builds
        "syscall",
        "ret",
        options(noreturn),
    );
}

MITRE ATT&CK mappings

• T1106Native APImitre ↗
• T1564Hide Artifactsmitre ↗