ntoskrnl.exeT1574T1083T1106

NtOpenSymbolicLinkObject

Opens an existing object-manager symbolic link by name, returning a handle for later query or deletion.

Prototype

NTSTATUS NtOpenSymbolicLinkObject(
  PHANDLE            LinkHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes
);

Arguments

Name	Type	Dir	Description
LinkHandle	PHANDLE	out	Receives the handle to the opened symbolic link object.
DesiredAccess	ACCESS_MASK	in	SYMBOLIC_LINK_QUERY (0x1) to read target, DELETE to remove it, SYMBOLIC_LINK_ALL_ACCESS for both.
ObjectAttributes	POBJECT_ATTRIBUTES	in	Name and optional RootDirectory identifying the link (e.g. L"\\??\\C:").

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x118	win10-1507
Win10 1607	0x11E	win10-1607
Win10 1703	0x122	win10-1703
Win10 1709	0x124	win10-1709
Win10 1803	0x126	win10-1803
Win10 1809	0x127	win10-1809
Win10 1903	0x128	win10-1903
Win10 1909	0x128	win10-1909
Win10 2004	0x12D	win10-2004
Win10 20H2	0x12D	win10-20h2
Win10 21H1	0x12D	win10-21h1
Win10 21H2	0x12E	win10-21h2
Win10 22H2	0x12E	win10-22h2
Win11 21H2	0x134	win11-21h2
Win11 22H2	0x136	win11-22h2
Win11 23H2	0x136	win11-23h2
Win11 24H2	0x138	win11-24h2
Server 2016	0x11E	winserver-2016
Server 2019	0x127	winserver-2019
Server 2022	0x133	winserver-2022
Server 2025	0x138	winserver-2025

Kernel module

ntoskrnl.exe → NtOpenSymbolicLinkObject

Related APIs

NtCreateSymbolicLinkObjectNtQuerySymbolicLinkObjectQueryDosDeviceWNtMakeTemporaryObject

Syscall stub

4C 8B D1            mov r10, rcx
B8 38 01 00 00      mov eax, 0x138
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

SSN drifts substantially (`0x118` → `0x138`); resolve at runtime when supporting multiple builds. Open a link with `SYMBOLIC_LINK_QUERY` and you can read its target string via `NtQuerySymbolicLinkObject`; open it with `DELETE` and a subsequent `NtClose` of the handle (or `NtMakeTemporaryObject`) removes the link from the namespace, even one that was created with OBJ_PERMANENT. Symbolic links in the object manager are evaluated **at parse time, lazily**, which means opening the link via NtOpenSymbolicLinkObject does *not* itself dereference the target — that only happens when a name lookup walks through it.

Common malware usage

Three offensive patterns. **Path resolution reconnaissance**: open `\\??\\C:`, `\\??\\GLOBALROOT`, `\\??\\PhysicalDrive0` to query the underlying `\\Device\\...` targets — useful for figuring out which volume hosts the system, where shadow copies live, and which DOS letters are real vs. mapped network drives (sandbox-escape recon). **Symlink eviction**: open an unwanted link (e.g. a sibling implant's rendezvous marker, or a security product's own anti-tamper symlink) with `DELETE` and close the handle to remove it. **Hot-reload during exploitation**: classic sandbox-escape race pattern — create a symlink with `OBJ_PERMANENT`, use it, then reopen with DELETE+Close to cover tracks before a defensive scanner enumerates the namespace.

CVE-2019-0808 PoCs (KillerBeez chain)Forshaw symboliclink-testing-tools ContainerEscaper Cobalt Strike

Detection opportunities

Lower volume than NtCreateSymbolicLinkObject and primarily appears in legitimate code as the path-resolution machinery inside RtlGetFullPathName_U_Ex and friends. The hunt-worthy signal is **open-by-name of non-standard links with DELETE access from a user-mode process** — almost no legitimate workflow opens a symbolic link object for deletion. Kernel-mode ObRegisterCallbacks on `IoSymbolicLinkObjectType` is the authoritative pivot. ETW Microsoft-Windows-Kernel-Audit-API-Calls also exposes it. Correlate with a preceding NtCreateSymbolicLinkObject from the same process — open-then-delete-then-recreate is the symlink-swap race used in sandbox escapes.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtOpenSymbolicLinkObject (SSN 0x138, Win11 24H2)
NtOpenSymbolicLinkObject PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 138h         ; SSN (BUILD-SPECIFIC, resolve dynamically)
    syscall
    ret
NtOpenSymbolicLinkObject ENDP

cResolve DOS drive letter to underlying device

// Open \??\C: and dump its target string — typically \Device\HarddiskVolume3.
// Useful sandbox-escape recon and for distinguishing real volumes from
// mapped network drives whose target is \Device\Mup\...
#include <windows.h>
#include <winternl.h>

#define SYMBOLIC_LINK_QUERY 0x0001
#define OBJ_CASE_INSENSITIVE 0x00000040

typedef NTSTATUS (NTAPI *pNtOpenSymbolicLinkObject)(
    PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *pNtQuerySymbolicLinkObject)(
    HANDLE, PUNICODE_STRING, PULONG);

BOOL ResolveDosDrive(WCHAR letter, PWSTR out, ULONG outChars) {
    pNtOpenSymbolicLinkObject NtOpenSymbolicLinkObject =
        (pNtOpenSymbolicLinkObject)GetProcAddress(
            GetModuleHandleA("ntdll.dll"), "NtOpenSymbolicLinkObject");
    pNtQuerySymbolicLinkObject NtQuerySymbolicLinkObject =
        (pNtQuerySymbolicLinkObject)GetProcAddress(
            GetModuleHandleA("ntdll.dll"), "NtQuerySymbolicLinkObject");

    WCHAR path[16]; swprintf_s(path, 16, L"\\??\\%lc", letter);
    UNICODE_STRING us; RtlInitUnicodeString(&us, path);
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE h = NULL;
    if (!NT_SUCCESS(NtOpenSymbolicLinkObject(&h, SYMBOLIC_LINK_QUERY, &oa)))
        return FALSE;

    UNICODE_STRING target;
    target.Buffer = out;
    target.Length = 0;
    target.MaximumLength = (USHORT)(outChars * sizeof(WCHAR));
    NTSTATUS s = NtQuerySymbolicLinkObject(h, &target, NULL);
    CloseHandle(h);
    return NT_SUCCESS(s);
}

rustEvict a planted symlink

// Cargo: ntapi = "0.4", widestring = "1", windows-sys = "0.59"
// Open a symbolic link with DELETE and close it to remove the link from
// the object namespace. Used to swap a sandbox-escape symlink mid-race or
// to clean up an unwanted competing implant's rendezvous marker.
use ntapi::ntobapi::NtOpenSymbolicLinkObject;
use ntapi::ntrtl::RtlInitUnicodeString;
use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, UNICODE_STRING};
use widestring::U16CString;
use windows_sys::Win32::Foundation::CloseHandle;

const DELETE: u32 = 0x0001_0000;
const OBJ_CASE_INSENSITIVE: u32 = 0x40;

pub unsafe fn evict_symlink(nt_path: &str) -> bool {
    let w = U16CString::from_str(nt_path).unwrap();
    let mut us: UNICODE_STRING = std::mem::zeroed();
    RtlInitUnicodeString(&mut us, w.as_ptr());
    let mut oa: OBJECT_ATTRIBUTES = std::mem::zeroed();
    oa.Length = std::mem::size_of::<OBJECT_ATTRIBUTES>() as u32;
    oa.ObjectName = &mut us;
    oa.Attributes = OBJ_CASE_INSENSITIVE;
    let mut h: isize = 0;
    if NtOpenSymbolicLinkObject(&mut h as *mut _ as _, DELETE, &mut oa) < 0 {
        return false;
    }
    CloseHandle(h as _);
    true
}

MITRE ATT&CK mappings

Last verified: 2026-05-20