NtOpenThread

Prototype

NTSTATUS NtOpenThread(
  PHANDLE            ThreadHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PCLIENT_ID         ClientId
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 39 01 00 00      mov eax, 0x139
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtOpenThread is the obligatory first step for any cross-thread manipulation that does not already have a handle. The CLIENT_ID structure is what makes it powerful: you can specify a thread by TID alone (UniqueProcess = NULL) and the kernel resolves it across the system. The granted access mask is filtered by PsThreadType->ValidAccessMask and any registered ObRegisterCallbacks. Most EDR products register precisely such a callback to strip dangerous rights (THREAD_SUSPEND_RESUME, THREAD_SET_CONTEXT) when the source process is not trusted.

Common malware usage

Mandatory precursor for nearly every thread-level injection technique. The interesting question is *which* access mask is requested — `THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME` (0x2A in classic terms, 0x42 in extended) is the canonical "I am about to hijack you" combination. More OPSEC-aware loaders request only what they need: THREAD_QUERY_LIMITED_INFORMATION first to enumerate, then re-open with the elevated mask only on the chosen victim thread. Variants of Early Bird APC injection open ALERTABLE threads found via NtQuerySystemInformation(SystemProcessInformation).

Detection opportunities

Sysmon Event ID 10 (ProcessAccess) is the corresponding signal for the *process* side; for threads, the equivalent is Microsoft-Windows-Kernel-Audit-API-Calls (Event ID 5) which fires on the underlying ObOpenObjectByPointer. The most discriminating filter is the access mask: legitimate opens almost never request THREAD_SET_CONTEXT (0x10) cross-process. EDRs commonly hook NtOpenThread via ObRegisterCallbacks (kernel) and via inline hook (user); kernel callbacks are unbypassable from user-mode and remain the authoritative source.

Direct syscall examples

CLIENT_ID cid = { .UniqueProcess = (HANDLE)(ULONG_PTR)pid,
                  .UniqueThread  = (HANDLE)(ULONG_PTR)tid };
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);

HANDLE hThread = NULL;
NTSTATUS st = NtOpenThread(
    &hThread,
    THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME,
    &oa,
    &cid);
if (!NT_SUCCESS(st)) return st;

NtOpenThread PROC
    mov  r10, rcx
    mov  eax, 139h          ; Win11 24H2 SSN
    syscall
    ret
NtOpenThread ENDP

// Resolve gate address from ntdll!NtOpenThread, then jump rather than execute syscall inline.
// Defeats inline-hook detection that whitelists ntdll-originating syscalls.
unsafe fn nt_open_thread(handle: *mut isize, access: u32,
                         oa: *mut ObjectAttributes, cid: *mut ClientId) -> i32 {
    let ssn: u32 = 0x139;            // Win11 24H2
    let gate: usize = find_syscall_insn("NtOpenThread");
    let r: i32;
    core::arch::asm!(
        "mov r10, rcx",
        "mov eax, {ssn:e}",
        "jmp {gate}",
        ssn = in(reg) ssn, gate = in(reg) gate,
        in("rcx") handle, in("rdx") access, in("r8") oa, in("r9") cid,
        lateout("rax") r,
    );
    r
}

MITRE ATT&CK mappings

• T1055.003Thread Execution Hijackingmitre ↗
• T1057Process Discoverymitre ↗
• T1106Native APImitre ↗