NtCancelTimer

Prototype

NTSTATUS NtCancelTimer(
  HANDLE    TimerHandle,
  PBOOLEAN  CurrentState
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 61 00 00 00      mov eax, 0x61
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtCancelTimer disarms a timer previously armed by NtSetTimer. The `CurrentState` out-param reports whether the cancel was racy with expiry: TRUE means the timer was still in the dispatcher's pending list (cancel won), FALSE means the timer fired before the syscall (and any APC routine has already been queued or run). SSN `0x61` is frozen across every Windows 10/11 build. The kernel routine `KeCancelTimer` underlies it.

Common malware usage

Paired with NtSetTimer in *sleep-mask* and *delayed-execution* implant designs. Typical lifecycle: NtCreateTimer + NtSetTimer (period + APC) → implant work → NtCancelTimer + NtClose during teardown to remove the periodic APC fire that would otherwise keep dispatching into freed shellcode. Some implants also use NtCancelTimer to *adaptively* reschedule sleep intervals — cancel the current arm and call NtSetTimer with a new DueTime in response to a C2 command. Not a primary in-and-of-itself offensive primitive; the signal is the *pairing* with NtSetTimer / NtQueueApcThread.

Detection opportunities

Like the other event/timer primitives, NtCancelTimer is high-volume legitimate traffic. The detection signal is the *pair*: NtSetTimer with a non-NULL `TimerApcRoutine` pointing into an RWX or unbacked region, followed by an NtCancelTimer from the same handle during process exit or teardown. ETW provider `Microsoft-Windows-Kernel-EventTracing` and the legacy `KernelTimer` flag of `Microsoft-Windows-Kernel-Process` provide some context.

Direct syscall examples

; Direct syscall stub for NtCancelTimer (SSN 0x61, stable Win10 1507+)
NtCancelTimer PROC
    mov  r10, rcx          ; TimerHandle
    mov  eax, 61h          ; SSN
    syscall
    ret
NtCancelTimer ENDP

// Implant shutdown: disarm the periodic APC timer that ticks our sleep mask.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtCancelTimer)(HANDLE, PBOOLEAN);

void TeardownSleepMask(HANDLE hTimer) {
    BOOLEAN wasPending = FALSE;
    pNtCancelTimer fn = (pNtCancelTimer)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtCancelTimer");
    fn(hTimer, &wasPending);
    // wasPending == FALSE => the APC has already queued; flush APCs with a brief alertable wait.
    NtClose(hTimer);
}

// Cargo: ntapi = "0.4"
use ntapi::ntexapi::{NtCancelTimer, NtSetTimer};
use winapi::shared::ntdef::{BOOLEAN, HANDLE, LARGE_INTEGER};

unsafe fn reschedule(timer: HANDLE, new_due_100ns: i64) {
    let mut was_pending: BOOLEAN = 0;
    NtCancelTimer(timer, &mut was_pending);

    let mut due: LARGE_INTEGER = std::mem::zeroed();
    *due.QuadPart_mut() = -new_due_100ns; // negative = relative
    let mut prev: BOOLEAN = 0;
    NtSetTimer(timer, &mut due, None, std::ptr::null_mut(), 0, 0, &mut prev);
}

MITRE ATT&CK mappings

• T1106Native APImitre ↗
• T1027Obfuscated Files or Informationmitre ↗