ntoskrnl.exeT1003.001T1057T1106

NtReadVirtualMemory

Reads bytes from the virtual address space of a target process into a caller-supplied buffer.

Prototype

NTSTATUS NtReadVirtualMemory(
  HANDLE  ProcessHandle,
  PVOID   BaseAddress,
  PVOID   Buffer,
  SIZE_T  NumberOfBytesToRead,
  PSIZE_T NumberOfBytesRead
);

Arguments

Name	Type	Dir	Description
ProcessHandle	HANDLE	in	Handle to the target process with PROCESS_VM_READ access right.
BaseAddress	PVOID	in	Source virtual address in the target process to read from.
Buffer	PVOID	out	Destination buffer in the caller's address space that receives the bytes.
NumberOfBytesToRead	SIZE_T	in	Number of bytes to read from BaseAddress.
NumberOfBytesRead	PSIZE_T	out	Optional. Receives the number of bytes actually read. May be NULL.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x3F	win10-1507
Win10 1607	0x3F	win10-1607
Win10 1703	0x3F	win10-1703
Win10 1709	0x3F	win10-1709
Win10 1803	0x3F	win10-1803
Win10 1809	0x3F	win10-1809
Win10 1903	0x3F	win10-1903
Win10 1909	0x3F	win10-1909
Win10 2004	0x3F	win10-2004
Win10 20H2	0x3F	win10-20h2
Win10 21H1	0x3F	win10-21h1
Win10 21H2	0x3F	win10-21h2
Win10 22H2	0x3F	win10-22h2
Win11 21H2	0x3F	win11-21h2
Win11 22H2	0x3F	win11-22h2
Win11 23H2	0x3F	win11-23h2
Win11 24H2	0x3F	win11-24h2
Server 2016	0x3F	winserver-2016
Server 2019	0x3F	winserver-2019
Server 2022	0x3F	winserver-2022
Server 2025	0x3F	winserver-2025

Kernel module

ntoskrnl.exe → NtReadVirtualMemory

Related APIs

ReadProcessMemoryNtWriteVirtualMemoryNtQueryVirtualMemoryMiniDumpWriteDumpZwReadVirtualMemory

Syscall stub

4C 8B D1            mov r10, rcx
B8 3F 00 00 00      mov eax, 0x3F
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Counterpart to `NtWriteVirtualMemory`, also backed by `MmCopyVirtualMemory` but with the source/destination process roles reversed. SSN `0x3F` has been stable across all shipped Win10/11 builds. Partial reads (one of the source pages unmapped or `PAGE_NOACCESS`) return `STATUS_PARTIAL_COPY` and update `NumberOfBytesRead`. The kernel honours `PROCESS_VM_READ` but it will not bypass page protection — guard pages will fault and propagate as `STATUS_GUARD_PAGE_VIOLATION`.

Common malware usage

Primary read primitive behind LSASS credential theft. Mimikatz, pypykatz, lsassy, nanodump and the Cobalt Strike `mimikatz` BOF all read LSASS process memory either by calling `ReadProcessMemory` (which wraps this syscall) or by issuing the syscall directly to evade ntdll hooks. Also used by infostealers (RedLine, Vidar, Stealc) to scrape secrets from browser processes, and by EDR-evasion tooling to diff in-memory ntdll against the on-disk copy to find inline hooks for unhooking.

MimikatzCobalt StrikeRedLine StealerVidarLazarus toolingQakbot

Detection opportunities

The defining telemetry is Sysmon Event ID 10 (`ProcessAccess`) with `GrantedAccess` containing `PROCESS_VM_READ` (0x0010), especially when the target is `lsass.exe` — the well-known `0x1010`/`0x1410`/`0x1438` masks. Windows Defender's `AttackSurfaceReduction` rule `9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2` blocks LSASS credential dumping by intercepting opens with VM_READ. Direct syscalls do not bypass the kernel-side `PsSetCreateProcessNotifyRoutineEx`/object-callback (`ObRegisterCallbacks`) telemetry that EDRs register on process opens — so the read itself may be invisible, but the prior `NtOpenProcess` is rarely so.

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtReadVirtualMemory (SSN 0x3F, stable across all Win10/11)
NtReadVirtualMemory PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 3Fh          ; SSN
    syscall
    ret
NtReadVirtualMemory ENDP

cntdll diff for unhooking

// Read the .text of ntdll from a clean disk copy and compare to the in-memory ntdll
// to locate inline hooks installed by EDRs. The remote read uses NtCurrentProcess()
// because the comparison is against our own image.
SIZE_T read = 0;
NTSTATUS st = NtReadVirtualMemory(NtCurrentProcess(),
                                  (PVOID)inmem_text_rva,
                                  current_text_copy,
                                  text_size, &read);
if (NT_SUCCESS(st)) diff_and_restore(disk_text_copy, current_text_copy, text_size);

cLSASS minidump read loop

// Open LSASS with PROCESS_VM_READ + PROCESS_QUERY_INFORMATION, then stream pages
// out via NtReadVirtualMemory into an in-memory MiniDump structure (nanodump style).
for (PVOID p = region_base; p < region_end; p = (PBYTE)p + 0x1000) {
    SIZE_T got = 0;
    if (NT_SUCCESS(NtReadVirtualMemory(hLsass, p, page_buf, 0x1000, &got))) {
        write_minidump_page(p, page_buf, got);
    }
}

MITRE ATT&CK mappings

T1003.001OS Credential Dumping: LSASS Memory
T1057Process Discovery
T1106Native API

Last verified: 2026-05-20