NtContinue

Prototype

NTSTATUS NtContinue(
  PCONTEXT ContextRecord,
  BOOLEAN  TestAlert
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 43 00 00 00      mov eax, 0x43
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

`NtContinue` is the kernel's exception-return primitive — it is how SEH and `KiUserExceptionDispatcher` resume normal execution after a handler decides to continue. Microsoft documentation explicitly warns user-mode code not to call it directly. On success it does *not* return; the kernel loads the supplied CONTEXT into the trap frame and `iretq`s back to user mode. The SSN has been `0x43` across every shipping Windows 10/11 build.

Common malware usage

Hijacked aggressively by modern sleep-mask kits. Ekko (the canonical reference implementation by C5pider) uses a `NtSetTimer`-driven APC chain that calls `NtContinue` with crafted CONTEXT records to ROP-jump between encryption stubs, the sleep call, and decryption stubs — all without ever writing the next instruction pointer to a stack-saved RIP, so call-stack walkers see only legitimate kernel32/ntdll frames. The technique generalises to any `CONTEXT.Rip = <gadget>` trick: arbitrary code execution out of an indirect syscall, control-flow guard bypass, or recovery from a faked exception. Brute Ratel C4 and several Foliage variants also lean on `NtContinue` for state-machine transitions during sleep.

Detection opportunities

Direct user-mode calls of `NtContinue` are unusual outside the OS exception path. EDR collectors that walk `KiUserExceptionDispatcher → NtContinue` call sites can flag CONTEXT records whose `Rip` lies in private RX or RWX memory rather than in a loaded image. ETW `Microsoft-Windows-Threat-Intelligence` and the call-stack-based protections introduced in Windows 11 / WDAC supplemental policies are designed to catch precisely this pattern. The defining smell is: a non-Microsoft module calling `NtContinue` with `ContextFlags = CONTEXT_FULL` and `Rip` pointing into the same module's data section.

Direct syscall examples

; Direct syscall stub for NtContinue (SSN 0x43, all Win10/11 builds)
NtContinue PROC
    mov  r10, rcx          ; ContextRecord
    mov  eax, 43h          ; SSN
    syscall
    ret
NtContinue ENDP

// Crafted CONTEXT redirects the calling thread to an arbitrary gadget.
// Used by sleep masks to invoke SystemFunction032 / VirtualProtect with
// pre-loaded register arguments, then chain back to NtContinue with the
// next stage's CONTEXT.
#include <windows.h>
#include <winternl.h>

extern "C" NTSTATUS NTAPI NtContinue(PCONTEXT, BOOLEAN);

void JumpTo(PVOID gadget, ULONG64 rcx, ULONG64 rdx, ULONG64 r8) {
    CONTEXT ctx = {0};
    ctx.ContextFlags = CONTEXT_FULL;
    RtlCaptureContext(&ctx);
    ctx.Rcx = rcx;
    ctx.Rdx = rdx;
    ctx.R8  = r8;
    ctx.Rip = (ULONG64)gadget;
    NtContinue(&ctx, FALSE);   // never returns on success
}

// Demonstrates the dangerous primitive: load a fully-controlled CONTEXT and resume.
use std::arch::asm;

#[unsafe(naked)]
pub unsafe extern "system" fn nt_continue(
    _ctx: *const u8,
    _test_alert: u8,
) -> i32 {
    asm!(
        "mov r10, rcx",
        "mov eax, 0x43",
        "syscall",
        "ret",
        options(noreturn),
    );
}

MITRE ATT&CK mappings

• T1027.011Fileless Storagemitre ↗
• T1620Reflective Code Loadingmitre ↗
• T1106Native APImitre ↗