NtCancelWaitCompletionPacket

Prototype

NTSTATUS NtCancelWaitCompletionPacket(
  HANDLE  WaitCompletionPacketHandle,
  BOOLEAN RemoveSignaledPacket
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 97 00 00 00      mov eax, 0x97      ; Win11 24H2 SSN
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Pairs with `NtAssociateWaitCompletionPacket`. The threadpool wait subsystem internally creates a `WAIT_COMPLETION_PACKET` (a kernel object that binds together a dispatcher object — event, semaphore, mutant, timer — and an IOCP into which a completion entry will be posted when the dispatcher signals). `NtCancelWaitCompletionPacket` unbinds the packet so it can be reassociated with a different dispatcher (the typical reason ntdll calls it: a `TpSetWait` reuses an existing packet on the threadpool's wait object). The `RemoveSignaledPacket` flag handles the race where the packet fired between the caller's last completion-poll and the cancellation — TRUE eats the orphan completion entry so it doesn't pop out of `GetQueuedCompletionStatus` unexpectedly.

Common malware usage

Almost always paired with `NtAssociateWaitCompletionPacket` in offensive use. In **PoolParty's "Worker Factory via Wait Completion" variant** the cleanup step uses `NtCancelWaitCompletionPacket` to detach the forged packet after the threadpool worker has been induced to dispatch into shellcode — leaving the wait infrastructure cleanly reset so the target process doesn't crash on the next legitimate `TpSetWait`. Standalone use is rare offensively: cancellation alone confers no capability. It does, however, sometimes appear as a forensic artifact in memory captures of injected processes — an `EPROCESS` whose handle table contains a `WaitCompletionPacket` object the process never created itself is a strong indicator that injection occurred.

Detection opportunities

Low standalone signal — ntdll's `TpWaitForWait`/`TpSetWait` paths emit these calls constantly in any non-trivial program. The detection value lies in *cross-process* patterns: a handle of type `WaitCompletionPacket` showing up in another process's handle table (Sysmon Event 10 / kernel handle table dumps via `!handle` in WinDbg) is anomalous because these objects are normally process-local. EDRs that watch threadpool data structures (`_TP_TIMER`, `_TP_WAIT`) for foreign callback addresses will surface the broader PoolParty pattern.

Direct syscall examples

// Reuse an existing wait packet on a different event.
NtCancelWaitCompletionPacket(hPacket, TRUE /* eat orphan completion */);
NtAssociateWaitCompletionPacket(
    hPacket,
    hIoCompletion,
    hNewEvent,                      // new dispatcher
    (PVOID)keyContext, (PVOID)apc,
    STATUS_SUCCESS, 0, NULL);

; NtCancelWaitCompletionPacket direct syscall (Win11 24H2 SSN 0x97)
NtCancelWaitCompletionPacket PROC
    mov  r10, rcx
    mov  eax, 97h
    syscall
    ret
NtCancelWaitCompletionPacket ENDP

MITRE ATT&CK mappings

• T1055Process Injectionmitre ↗
• T1106Native APImitre ↗