Tags: ntoskrnl.exe | T1574.001 | T1106

NtOpenSection

Opens a handle to an existing named section object (shared memory or image mapping).

Prototype

NTSTATUS NtOpenSection(
  PHANDLE            SectionHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes
);

Arguments

Name             | Type               | Dir | Description
SectionHandle    | PHANDLE            | out | Receives the handle to the opened section.
DesiredAccess    | ACCESS_MASK        | in  | Access rights (SECTION_MAP_READ, SECTION_MAP_WRITE, SECTION_MAP_EXECUTE, SECTION_QUERY, …).
ObjectAttributes | POBJECT_ATTRIBUTES | in  | Object attributes naming the section (e.g. \BaseNamedObjects\MySection).

Syscall IDs by Windows version

Windows version | Syscall ID | Build
Win10 1507      | 0x37       | win10-1507
Win10 1607      | 0x37       | win10-1607
Win10 1703      | 0x37       | win10-1703
Win10 1709      | 0x37       | win10-1709
Win10 1803      | 0x37       | win10-1803
Win10 1809      | 0x37       | win10-1809
Win10 1903      | 0x37       | win10-1903
Win10 1909      | 0x37       | win10-1909
Win10 2004      | 0x37       | win10-2004
Win10 20H2      | 0x37       | win10-20h2
Win10 21H1      | 0x37       | win10-21h1
Win10 21H2      | 0x37       | win10-21h2
Win10 22H2      | 0x37       | win10-22h2
Win11 21H2      | 0x37       | win11-21h2
Win11 22H2      | 0x37       | win11-22h2
Win11 23H2      | 0x37       | win11-23h2
Win11 24H2      | 0x37       | win11-24h2
Server 2016     | 0x37       | winserver-2016
Server 2019     | 0x37       | winserver-2019
Server 2022     | 0x37       | winserver-2022
Server 2025     | 0x37       | winserver-2025

Kernel module

ntoskrnl.exe: NtOpenSection

Related APIs

OpenFileMappingW, NtCreateSection, NtMapViewOfSection, NtMapViewOfSectionEx, NtUnmapViewOfSection, NtQuerySection

Syscall stub

4C 8B D1            mov r10, rcx
B8 37 00 00 00      mov eax, 0x37      ; stable across all builds
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Returns a handle to a pre-existing section object resolved through the NT object manager namespace — typically `\BaseNamedObjects\<name>` for Win32 callers or `\KnownDlls\<dll>` for OS-loaded image sections. The SSN has been constant at `0x37` from Windows 10 1507 through Windows 11 24H2, making it a reliable candidate for hardcoded direct syscalls. `OpenFileMapping` is the Win32 thin wrapper that builds the name `\Sessions\<id>\BaseNamedObjects\<name>` and calls this syscall.

Common malware usage

Two distinct abuse patterns. (1) **KnownDlls poisoning prerequisite**: implants open `\KnownDlls\<target>.dll` with `SECTION_MAP_WRITE` (typically only possible if the implant runs at high integrity or replaces the section beforehand) and overwrite the executable bytes of a system DLL whose image section (copy-on-write) is still mapped into every process, the classic write-once / infect-all primitive used in the original KnownDlls hijack research. (2) **Privileged-service IPC abuse**: some Windows services expose named sections in `\BaseNamedObjects\` for legitimate IPC; offensive tooling opens those sections to either eavesdrop on the protocol or smuggle data across integrity boundaries. The SSN's perfect stability makes `NtOpenSection` a popular hardcoded direct syscall in red-team loaders.

Detection opportunities

Sysmon Event 7 (ImageLoad) and Event 10 (ProcessAccess) do not directly cover section opens. ETW `Microsoft-Windows-Kernel-General` event ID 6 (ImageLoad) fires on subsequent map. For high-fidelity detection, kernel callbacks on `ObRegisterCallbacks` for `*PsSectionType` can audit handle opens, and EDR vendors increasingly hook `NtOpenSection` to flag opens of `\KnownDlls\*` with write access. From userland, `NtQuerySystemInformation(SystemHandleInformation)` enumerates every section handle currently held — a periodic snapshot will reveal unusual cross-process section handles.
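The two userland detection ideas in the paragraph above (flag write-capable opens of `\KnownDlls\*`, and watch for unusual cross-process holders of a named section) reduce to a small triage routine over a handle snapshot. The code below is an added example, not the page's or any vendor's code: the `handle_row` struct is my own simplified representation of one snapshot row after type and name resolution (what `NtQuerySystemInformation(SystemHandleInformation)` plus `NtQueryObject` would yield on Windows), the `SECTION_*` values are the winnt.h constants named in the Arguments table, and the sample rows, PIDs and names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section access rights (winnt.h values; names as in the Arguments table). */
#define SECTION_QUERY        0x0001u
#define SECTION_MAP_WRITE    0x0002u
#define SECTION_MAP_READ     0x0004u
#define SECTION_MAP_EXECUTE  0x0008u

/* One resolved row of a handle snapshot (simplified, assumed layout). */
typedef struct {
    uint32_t    pid;
    const char *type_name;      /* "Section", "File", ... */
    const char *object_name;    /* NT object manager path, "" if unnamed */
    uint32_t    granted_access;
} handle_row;

/* Constructed sample snapshot: PIDs and names are made up for the example. */
static const handle_row SAMPLE_SNAPSHOT[] = {
    {  812, "Section", "\\KnownDlls\\kernel32.dll",                        SECTION_MAP_READ | SECTION_QUERY },
    {  812, "Section", "\\Sessions\\1\\BaseNamedObjects\\MySharedSection", SECTION_MAP_READ | SECTION_MAP_WRITE },
    { 2044, "Section", "\\Sessions\\1\\BaseNamedObjects\\MySharedSection", SECTION_MAP_READ },
    { 3156, "Section", "\\KnownDlls\\ntdll.dll",                           SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY },
    { 3156, "File",    "\\Device\\HarddiskVolume2\\Windows\\Temp\\x.tmp",  0x120089u },
};
static const size_t SAMPLE_ROWS = sizeof SAMPLE_SNAPSHOT / sizeof SAMPLE_SNAPSHOT[0];

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Rule 1: a Section handle under \KnownDlls\ carrying SECTION_MAP_WRITE.
 * Ordinary image loading only needs read/execute/query on these sections. */
int is_knowndlls_write(const handle_row *r)
{
    return strcmp(r->type_name, "Section") == 0
        && starts_with(r->object_name, "\\KnownDlls\\")
        && (r->granted_access & SECTION_MAP_WRITE) != 0;
}

/* Apply rule 1 to a snapshot; returns the hit count, indices go to `out`. */
size_t scan_snapshot(const handle_row *rows, size_t n, size_t *out, size_t cap)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_knowndlls_write(&rows[i])) continue;
        if (hits < cap) out[hits] = i;
        hits++;
    }
    return hits;
}

/* Rule 2 helper: distinct processes holding a handle to one named section.
 * Comparing this between periodic snapshots surfaces a new, unexpected holder. */
size_t distinct_holders(const handle_row *rows, size_t n, const char *object_name)
{
    uint32_t seen[64];
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rows[i].type_name, "Section") != 0 ||
            strcmp(rows[i].object_name, object_name) != 0)
            continue;
        size_t j = 0;
        while (j < count && seen[j] != rows[i].pid) j++;
        if (j == count && count < 64) seen[count++] = rows[i].pid;
    }
    return count;
}

/* Render a granted-access mask as SECTION_* names for a triage report. */
size_t describe_section_access(uint32_t mask, char *out, size_t cap)
{
    static const struct { uint32_t bit; const char *name; } rights[] = {
        { SECTION_QUERY, "SECTION_QUERY" },       { SECTION_MAP_WRITE, "SECTION_MAP_WRITE" },
        { SECTION_MAP_READ, "SECTION_MAP_READ" }, { SECTION_MAP_EXECUTE, "SECTION_MAP_EXECUTE" },
    };
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof rights / sizeof rights[0]; i++) {
        if (!(mask & rights[i].bit)) continue;
        int w = snprintf(out + used, cap - used, "%s%s", used ? "|" : "", rights[i].name);
        if (w < 0 || (size_t)w >= cap - used) break;
        used += (size_t)w;
    }
    return used;
}

/* Helper for tests: does `mask` render exactly as `expected`? */
int access_matches(uint32_t mask, const char *expected)
{
    char buf[128];
    describe_section_access(mask, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    size_t idx[8];
    size_t hits = scan_snapshot(SAMPLE_SNAPSHOT, SAMPLE_ROWS, idx, 8);
    for (size_t i = 0; i < hits; i++) {
        const handle_row *r = &SAMPLE_SNAPSHOT[idx[i]];
        char acc[128];
        describe_section_access(r->granted_access, acc, sizeof acc);
        printf("ALERT pid %u holds %s with %s\n", (unsigned)r->pid, r->object_name, acc);
    }
    printf("holders of MySharedSection: %zu\n", distinct_holders(SAMPLE_SNAPSHOT,
           SAMPLE_ROWS, "\\Sessions\\1\\BaseNamedObjects\\MySharedSection"));
    return 0;
}
```

On the sample rows only the `\KnownDlls\ntdll.dll` handle held with `SECTION_MAP_WRITE` trips rule 1; the two holders of `MySharedSection` are expected IPC peers and only become interesting when a later snapshot shows a third, unrelated process holding the same section.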

Direct syscall examples

C: Open a named shared section

// Open \BaseNamedObjects\MySharedSection for read access and map it.
// Assumes the ntdll prototypes (NtOpenSection, NtMapViewOfSection, NtClose,
// NtCurrentProcess) from phnt or the WDK headers, linked against ntdll.lib.
#include <phnt_windows.h>
#include <phnt.h>

static NTSTATUS OpenSharedSection(PVOID *view, SIZE_T *viewSize)
{
    UNICODE_STRING name;
    RtlInitUnicodeString(&name, L"\\BaseNamedObjects\\MySharedSection");

    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE hSection = NULL;
    NTSTATUS s = NtOpenSection(&hSection, SECTION_MAP_READ | SECTION_QUERY, &oa);
    if (!NT_SUCCESS(s)) return s;

    *view = NULL;
    *viewSize = 0;                       // 0 = map the whole section
    s = NtMapViewOfSection(hSection, NtCurrentProcess(),
                           view, 0, 0, NULL, viewSize,
                           ViewShare, 0, PAGE_READONLY);
    NtClose(hSection);                   // the mapped view keeps the section alive
    return s;
}

ASM: x64 direct stub (stable SSN 0x37)

; NtOpenSection direct stub — SSN 0x37 on every Win10/Win11 build
NtOpenSection PROC
    mov  r10, rcx
    mov  eax, 37h
    syscall
    ret
NtOpenSection ENDP

Rust: Open KnownDlls entry for inspection

// Read-only open of \KnownDlls\kernel32.dll — useful for unhooking ntdll
// by comparing a fresh image against the loaded one.
// Crates assumed: ntapi and winapi.
use ntapi::ntmmapi::NtOpenSection;
use ntapi::ntobapi::OBJ_CASE_INSENSITIVE;
use winapi::shared::ntdef::{HANDLE, OBJECT_ATTRIBUTES, UNICODE_STRING};
use std::{mem, ptr::null_mut};

/// Returns a SECTION_MAP_READ handle to \KnownDlls\<name>; panics on failure.
unsafe fn open_known_dll(name: &str) -> HANDLE {
    // UTF-16 buffer; `us` borrows it, so it must outlive the syscall below.
    let wide: Vec<u16> = format!("\\KnownDlls\\{}", name).encode_utf16().collect();
    let mut us = UNICODE_STRING {
        Length: (wide.len() * 2) as u16,        // lengths are in bytes, no terminator
        MaximumLength: (wide.len() * 2) as u16,
        Buffer: wide.as_ptr() as *mut u16,
    };
    let mut oa: OBJECT_ATTRIBUTES = mem::zeroed();
    oa.Length = mem::size_of::<OBJECT_ATTRIBUTES>() as u32;
    oa.ObjectName = &mut us;
    oa.Attributes = OBJ_CASE_INSENSITIVE;
    let mut h: HANDLE = null_mut();
    let s = NtOpenSection(&mut h, 0x0004 /* SECTION_MAP_READ */, &mut oa);
    assert!(s >= 0, "NtOpenSection failed: {:#x}", s); // NT_SUCCESS == non-negative NTSTATUS
    h
}

MITRE ATT&CK mappings

T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking (the KnownDlls poisoning pattern above)
T1106     | Native API (hardcoded direct syscall)

Last verified: 2026-05-20