NtClose

Prototype

NTSTATUS NtClose(
  HANDLE Handle
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 0F 00 00 00      mov eax, 0xF
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtClose has carried SSN `0xF` unchanged from Windows 10 1507 through Windows 11 24H2 — one of the most stable numbers in the table. It releases the reference on the underlying object via ObCloseHandle and dispatches debug exception STATUS_INVALID_HANDLE (0xC0000008) when called on a bogus handle while a debugger is attached and the process has FLG_ENABLE_CLOSE_EXCEPTIONS set. Although trivial in shape, it is one of the most-called syscalls on a live system, which gives it both a low signal-to-noise ratio for detection and a comfortable hiding place for abuse.

Common malware usage

Two distinct uses: (1) routine hygiene — every loader, injector, and credential dumper has to release the handles it opened or it will leak references and tip off detection tooling tracking handle counts; (2) anti-debugging — invoking NtClose with an invalid handle (e.g. 0xDEADBEEF) under a user-mode debugger triggers STATUS_INVALID_HANDLE that the debugger catches first, letting malware bail out or branch into decoy logic. The check is cheap, requires no API import beyond ntdll, and survives most automated unpackers.

Detection opportunities

NtClose itself is too noisy to alert on. Useful pivots: high-rate sequences of NtClose with non-NTSTATUS-success returns (heuristic for handle-probe anti-debug), unbalanced NtOpen*/NtClose ratios per process (handle leaks from sloppy injectors), and ETW Microsoft-Windows-Kernel-Audit-API-Calls. EDRs commonly hook NtClose in ntdll for reference-counting consistency; direct syscalls bypass the hook but still produce ObCloseHandle traces visible to a minifilter or kernel-mode callback.

Direct syscall examples

; Direct syscall stub for NtClose (SSN 0xF, all builds)
NtClose PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 0Fh          ; SSN
    syscall
    ret
NtClose ENDP

// If a debugger is attached and FLG_ENABLE_CLOSE_EXCEPTIONS is set in the
// process flags, NtClose on a bogus handle raises STATUS_INVALID_HANDLE.
// The debugger swallows the exception first; the malware sees a return code.
#include <windows.h>

typedef NTSTATUS (NTAPI *pNtClose)(HANDLE);

BOOL IsDebuggerPresentViaNtClose(void) {
    pNtClose NtClose = (pNtClose)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtClose");
    __try {
        NtClose((HANDLE)0xDEADBEEF);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE; // exception delivered to us -> no debugger
    }
    return TRUE;      // debugger ate the exception
}

// Cargo: windows-sys = "0.59" (Win32_Foundation, Win32_System_Threading)
use windows_sys::Win32::Foundation::{CloseHandle, HANDLE};

pub struct OwnedHandle(pub HANDLE);

impl Drop for OwnedHandle {
    fn drop(&mut self) {
        if !self.0.is_null() && self.0 as isize != -1 {
            // CloseHandle wraps NtClose; use NtClose directly to bypass
            // ntdll user-mode hooks on EDR-monitored hosts.
            unsafe { CloseHandle(self.0) };
        }
    }
}

MITRE ATT&CK mappings

• T1622Debugger Evasionmitre ↗
• T1106Native APImitre ↗