ntoskrnl.exeT1055.012T1620T1106

NtMapViewOfSectionEx

Windows 10 1809+ extended section-mapping syscall that accepts MEM_EXTENDED_PARAMETER constraints.

Prototype

NTSTATUS NtMapViewOfSectionEx(
  HANDLE                  SectionHandle,
  HANDLE                  ProcessHandle,
  PVOID                  *BaseAddress,
  PLARGE_INTEGER          SectionOffset,
  PSIZE_T                 ViewSize,
  ULONG                   AllocationType,
  ULONG                   Win32Protect,
  PMEM_EXTENDED_PARAMETER ExtendedParameters,
  ULONG                   ParameterCount
);

Arguments

Name	Type	Dir	Description
SectionHandle	HANDLE	in	Handle to the section to map. Must have appropriate SECTION_MAP_* access.
ProcessHandle	HANDLE	in	Target process. NtCurrentProcess() for self; remote handle for cross-process mapping.
BaseAddress	PVOID*	in/out	Pointer to the requested base address. NULL lets the kernel choose. Updated on return.
SectionOffset	PLARGE_INTEGER	in	Optional offset into the section, must be 64-KiB aligned.
ViewSize	PSIZE_T	in/out	Requested view size on input, actual mapped size on output. 0 maps the whole section.
AllocationType	ULONG	in	MEM_RESERVE, MEM_COMMIT, MEM_LARGE_PAGES, MEM_TOP_DOWN, SEC_NO_CHANGE etc.
Win32Protect	ULONG	in	Initial page protection (PAGE_READONLY, PAGE_EXECUTE_READ, PAGE_EXECUTE_WRITECOPY, …).
ExtendedParameters	PMEM_EXTENDED_PARAMETER	in	Optional array of extended params (address-range constraints, CFG opt-out, NUMA hints).
ParameterCount	ULONG	in	Number of entries in ExtendedParameters. 0 if ExtendedParameters is NULL.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1803	0x10D	win10-1803
Win10 1809	0x10E	win10-1809
Win10 1903	0x10F	win10-1903
Win10 1909	0x10F	win10-1909
Win10 2004	0x114	win10-2004
Win10 20H2	0x114	win10-20h2
Win10 21H1	0x114	win10-21h1
Win10 21H2	0x115	win10-21h2
Win10 22H2	0x115	win10-22h2
Win11 21H2	0x11B	win11-21h2
Win11 22H2	0x11C	win11-22h2
Win11 23H2	0x11C	win11-23h2
Win11 24H2	0x11E	win11-24h2
Server 2019	0x10E	winserver-2019
Server 2022	0x11A	winserver-2022
Server 2025	0x11E	winserver-2025

Kernel module

ntoskrnl.exe → NtMapViewOfSectionEx

Related APIs

MapViewOfFile3NtMapViewOfSectionNtCreateSectionNtAllocateVirtualMemoryExVirtualAlloc2NtUnmapViewOfSection

Syscall stub

4C 8B D1            mov r10, rcx
B8 1E 01 00 00      mov eax, 0x11E     ; Win11 24H2 SSN
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Introduced in Windows 10 1809 (Redstone 5) as the section-mapping analogue of `NtAllocateVirtualMemoryEx`. The key addition over `NtMapViewOfSection` is the `ExtendedParameters` array, which currently accepts `MemExtendedParameterAddressRequirements` (LowestStartingAddress / HighestEndingAddress / Alignment), `MemExtendedParameterAttributeFlags` (`MEM_EXTENDED_PARAMETER_EC_CODE`, `MEM_EXTENDED_PARAMETER_IMAGE_NO_HOTPATCH`), and `MemExtendedParameterImageMachine` (Arm64EC). The address-range constraint is what makes it interesting for offensive tooling — you can request that the mapping land above the 32-bit boundary, or away from a specific known scanner heuristic range. Not present on Windows 10 1507–1709.

Common malware usage

Used by modern reflective and module-stomping loaders that want fine-grained control over the mapping address. **Phantom DLL Hollowing** (Forrest Orr, 2020) maps a clean-on-disk Microsoft-signed DLL with `SEC_IMAGE` via `NtCreateSection` + `NtMapViewOfSectionEx`, then overwrites the `.text` pages while the kernel still believes the mapping is image-backed and signed — defeating EDR module-hash checks. The `MemExtendedParameterAddressRequirements` parameter is also used by offensive code to mimic the high-address mapping behaviour of `LoadLibraryEx`, blending in with legitimate module bases. SSN unavailable on Windows 10 1507–1709, so loaders that target those builds must fall back to plain `NtMapViewOfSection`.

Phantom DLL Hollowing PoC (Forrest Orr)Cobalt Strike (Module Stomping / BoF loaders)Brute Ratel (manual map variants)ScareCrow loader Donut shellcode generator (PIC stagers)

Detection opportunities

Almost all use of `NtMapViewOfSectionEx` for executable mappings is anomalous outside of a small set of system loaders (`ntdll!LdrpMapViewOfSection`, `wow64cpu`). EDR products that hook this routine in ntdll catch most non-system callers; direct-syscall users bypass that but still trigger ETW `Microsoft-Windows-Kernel-Process` ImageLoad events when the mapped section is an image — and *missing* an ImageLoad event for an executable mapping is itself an IOC (manual-map evasion). Hunt for image-section maps where the backing file does not subsequently appear in the loaded-modules list (`PEB_LDR_DATA`).

Direct syscall examples

cHigh-address mapping with MemExtendedParameterAddressRequirements

// Force the mapping to land above 0x0000_0001_0000_0000 to dodge
// scanner heuristics that focus on low VAs.
MEM_EXTENDED_PARAMETER ep[1] = {0};
MEM_ADDRESS_REQUIREMENTS req = {0};
req.LowestStartingAddress  = (PVOID)0x0000000100000000ULL;
req.HighestEndingAddress   = (PVOID)0x00007FFFFFFFFFFFULL;
req.Alignment              = 0; // default 64 KiB

ep[0].Type    = MemExtendedParameterAddressRequirements;
ep[0].Pointer = &req;

PVOID base = NULL; SIZE_T viewSize = 0;
NTSTATUS s = NtMapViewOfSectionEx(
    hSection, NtCurrentProcess(),
    &base, NULL, &viewSize,
    0, PAGE_EXECUTE_READ,
    ep, 1);

asmx64 direct stub (Win11 24H2)

; NtMapViewOfSectionEx direct stub — SSN 0x11E on Win11 24H2.
; Note: ParameterCount is the 9th argument; spilled onto the stack per
; the Win64 calling convention (shadow + 5th slot).
NtMapViewOfSectionEx PROC
    mov  r10, rcx
    mov  eax, 11Eh
    syscall
    ret
NtMapViewOfSectionEx ENDP

rustPhantom DLL Hollowing skeleton

// Phantom DLL Hollowing (Forrest Orr, 2020) — abbreviated.
// 1) Open kernelbase.dll as a SEC_IMAGE section.
// 2) Map it with NtMapViewOfSectionEx into our process.
// 3) Overwrite the .text bytes with shellcode while the kernel still
//    believes the region is signed image-backed memory.
use ntapi::ntmmapi::NtMapViewOfSectionEx;
use winapi::shared::ntdef::{HANDLE, PVOID};
use std::{mem, ptr::null_mut};

unsafe fn map_image(section: HANDLE) -> PVOID {
    let mut base: PVOID = null_mut();
    let mut view: usize = 0;
    let s = NtMapViewOfSectionEx(
        section,
        -1isize as HANDLE, // NtCurrentProcess()
        &mut base,
        null_mut(),
        &mut view,
        0,
        0x20, // PAGE_EXECUTE_READ
        null_mut(),
        0,
    );
    assert!(s >= 0);
    base
}

MITRE ATT&CK mappings

Last verified: 2026-05-20