NtOpenProcess

Prototype

NTSTATUS NtOpenProcess(
  PHANDLE            ProcessHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PCLIENT_ID         ClientId
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 26 00 00 00      mov eax, 0x26
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Open-by-PID is the path that nearly all userland code takes — `ObjectName` is typically NULL and `ClientId.UniqueProcess` carries the target PID. SSN `0x26` has been stable across every shipped Win10/11 build. The Win32 `OpenProcess` is a thin wrapper that fills in `OBJECT_ATTRIBUTES` and `CLIENT_ID` before calling this function. Access is gated by the target's SecurityDescriptor and any registered object callbacks; PPL/PP processes (`lsass.exe` with Credential Guard, MsMpEng.exe) reject everything except `PROCESS_QUERY_LIMITED_INFORMATION` regardless of privilege.

Common malware usage

The first step of nearly every cross-process attack: get a handle with the rights needed for whatever follows. `PROCESS_VM_READ` for LSASS dumping, `PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD` for classic injection, `PROCESS_DUP_HANDLE` for token theft. Sophisticated tooling now opens with the minimum required mask (`0x1010` for read-only LSASS access) instead of `PROCESS_ALL_ACCESS` (`0x1FFFFF`) to evade EDR rules that key on the full mask.

Detection opportunities

Sysmon Event ID 10 (`ProcessAccess`) is the canonical telemetry — every `NtOpenProcess` that yields a handle to a different process fires this event with `SourceProcessGUID`, `TargetProcessGUID`, `GrantedAccess`, and a call-stack. Defenders tune Sysmon to filter the noisy short masks and alert on dangerous combinations targeting `lsass.exe`, `MsMpEng.exe`, browsers, etc. Kernel-side, `ObRegisterCallbacks` lets PPL-protecting drivers (and EDRs) strip rights or veto the open before the handle is returned, which is the mechanism behind LSASS Protected Process Light. Direct syscalls do not bypass object callbacks.

Direct syscall examples

; Direct syscall stub for NtOpenProcess (SSN 0x26, stable across all Win10/11)
NtOpenProcess PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 26h          ; SSN
    syscall
    ret
NtOpenProcess ENDP

// Minimal-rights LSASS open used by nanodump and lsassy to evade GrantedAccess rules.
OBJECT_ATTRIBUTES oa;
CLIENT_ID         cid = { (HANDLE)(ULONG_PTR)lsass_pid, NULL };
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);

HANDLE hLsass = NULL;
// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ == 0x1010
NTSTATUS st = NtOpenProcess(&hLsass, 0x1010, &oa, &cid);
if (!NT_SUCCESS(st)) return st;

// Resolve SSN at runtime; useful when ntdll.dll is hooked.
use std::arch::asm;

#[unsafe(naked)]
unsafe extern "system" fn nt_open_process_stub() {
    asm!(
        "mov r10, rcx",
        "mov eax, 0x26",   // stable across all Win10/11 builds
        "syscall",
        "ret",
        options(noreturn),
    );
}

MITRE ATT&CK mappings

• T1057Process Discovery
• T1003.001OS Credential Dumping: LSASS Memory
• T1055Process Injection
• T1134Access Token Manipulation