NtFsControlFile

Prototype

NTSTATUS NtFsControlFile(
  HANDLE           FileHandle,
  HANDLE           Event,
  PIO_APC_ROUTINE  ApcRoutine,
  PVOID            ApcContext,
  PIO_STATUS_BLOCK IoStatusBlock,
  ULONG            FsControlCode,
  PVOID            InputBuffer,
  ULONG            InputBufferLength,
  PVOID            OutputBuffer,
  ULONG            OutputBufferLength
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 39 00 00 00      mov eax, 0x39
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Same 10-argument shape as NtDeviceIoControlFile; the kernel even shares dispatch code (`IopXxxControlFile` with a `FsControl` flag). The difference matters semantically: an FSCTL is sent to a *filesystem driver* (NTFS, ReFS, FAT, CDFS) or a network redirector (RDBSS, mrxsmb) rather than a generic device, and many FSCTLs require **SeManageVolumePrivilege** or **SeRestorePrivilege**. SSN `0x39` is stable Win7 → Win11 24H2. The catalog of FSCTL codes is large (≈ 250); the offensive-relevant subset is small but high-impact: reparse-point set/get, sparse-file marking, USN journal read, and volume-bitmap retrieval for raw NTFS dumping.

Common malware usage

Three offensive families. (1) **Reparse-point / junction abuse (T1564.004 + T1574.x)**: `FSCTL_SET_REPARSE_POINT` writes a NTFS reparse tag on a directory, turning it into a junction or mount point. UAC-bypass and EoP exploits use this to make a writeable folder resolve to a SYSTEM-only one (RedirectionGuard mitigated this only in Win11), and ransomware uses it to redirect log-file paths into volumes it has wiped. (2) **Alternate Data Streams (ADS) discovery (T1564.004)**: `FSCTL_QUERY_FILE_LAYOUT` and `FSCTL_GET_NTFS_FILE_RECORD` expose every $DATA stream on a file, letting droppers stash payloads (PowerShell scripts, scheduled task XMLs, secondary EXEs) into streams that `dir` does not display by default. (3) **Raw-NTFS extraction**: `FSCTL_GET_VOLUME_BITMAP` + `FSCTL_GET_RETRIEVAL_POINTERS` (cluster runs of `$MFT`) is the recipe behind `RawCopy`, `EXTRACT-DiT`, and most NTDS.dit dumpers — they read cluster runs directly from `\\.\PhysicalDriveN`, completely bypassing the locked file open.

Detection opportunities

Microsoft-Windows-Ntfs ETW (`{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}`) and the related Storage subsystem providers emit events for reparse-point sets and FSCTL traffic. Sysmon Event ID 11 fires on the file-create side of a reparse plant. Minifilter pre-callbacks on `IRP_MJ_FILE_SYSTEM_CONTROL` (FSCTL is its minor) see every code with the input buffer — EDRs typically register here. High-value hunts: `FSCTL_SET_REPARSE_POINT` from non-installer processes, `FSCTL_GET_VOLUME_BITMAP` from user-mode binaries other than `chkdsk`/`defrag`/AV, and any process opening `\\.\PhysicalDriveN` followed by sequential `FSCTL_GET_RETRIEVAL_POINTERS`. PowerShell `Get-Item -Force` plus `:Zone.Identifier` enumeration surfaces obvious ADS plants; `Sysinternals streams.exe` is the manual tool. Microsoft's symbolic-link protections (`fsutil behavior set SymlinkEvaluation`) blunt some of the reparse abuse classes.

Direct syscall examples

// REPARSE_DATA_BUFFER for IO_REPARSE_TAG_MOUNT_POINT, redirecting
// C:\Users\victim\Downloads\evil  ->  \??\C:\Windows\System32.
#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003
#define FSCTL_SET_REPARSE_POINT    0x900A4

typedef struct _REPARSE_MOUNT_POINT {
    ULONG  ReparseTag;          // 0xA0000003
    USHORT ReparseDataLength;
    USHORT Reserved;
    USHORT SubstituteNameOffset;
    USHORT SubstituteNameLength;
    USHORT PrintNameOffset;
    USHORT PrintNameLength;
    WCHAR  PathBuffer[1];
} REPARSE_MOUNT_POINT, *PREPARSE_MOUNT_POINT;

// hDir = handle to empty directory opened with GENERIC_WRITE | DELETE
IO_STATUS_BLOCK iosb = {0};
NTSTATUS s = NtFsControlFile(
    hDir, NULL, NULL, NULL, &iosb,
    FSCTL_SET_REPARSE_POINT,
    rd, REPARSE_DATA_BUFFER_HEADER_SIZE + rd->ReparseDataLength,
    NULL, 0);

; Identical 4-instr stub form; ten parameters from the caller, six on stack.
NtFsControlFile PROC
    mov  r10, rcx
    mov  eax, 39h
    syscall
    ret
NtFsControlFile ENDP

// Cargo: ntapi = "0.4", winapi = { version = "0.3", features = ["ntdef"] }
use ntapi::ntioapi::{NtFsControlFile, IO_STATUS_BLOCK};
use winapi::shared::ntdef::HANDLE;

const FSCTL_GET_REPARSE_POINT: u32 = 0x900A8;

pub unsafe fn read_reparse(h_dir: HANDLE) -> Option<Vec<u8>> {
    let mut buf = vec![0u8; 0x4000];
    let mut iosb: IO_STATUS_BLOCK = core::mem::zeroed();
    let s = NtFsControlFile(
        h_dir, core::ptr::null_mut(),
        None, core::ptr::null_mut(),
        &mut iosb,
        FSCTL_GET_REPARSE_POINT,
        core::ptr::null_mut(), 0,
        buf.as_mut_ptr() as *mut _, buf.len() as u32,
    );
    if s == 0 {
        let n = *iosb.u.Status_mut() as usize;
        buf.truncate(n);
        Some(buf)
    } else { None }
}

MITRE ATT&CK mappings

• T1564.004Hide Artifacts: NTFS File Attributesmitre ↗
• T1574.005Hijack Execution Flow: Executable Installer File Permissions Weaknessmitre ↗
• T1003.003OS Credential Dumping: NTDSmitre ↗
• T1106Native APImitre ↗