NtResumeProcess

Prototype

NTSTATUS NtResumeProcess(
  HANDLE ProcessHandle
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 8A 01 00 00      mov eax, 0x18A
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtResumeProcess mirrors NtSuspendProcess and is similarly undocumented. It iterates the EPROCESS ThreadListHead calling KeResumeThread on each entry; threads whose suspend count drops to zero return to the dispatcher's ready queue. Like its counterpart the SSN drifts almost every release (0x161 → 0x18A across the supported window), and like its counterpart it is the per-process counterpart to ResumeThread without requiring the caller to enumerate threads via Toolhelp / NtGetNextThread.

Common malware usage

Always appears paired with NtSuspendProcess. Its three main roles: (1) closing the **Fork & Run** loop — after injecting and executing post-exploitation logic in a sacrificial process, the implant calls NtResumeProcess on its own helper if it suspended itself between heartbeats, or on the BOF thread once setup is done; (2) finishing **process hollowing** by reviving the previously suspended target after the malicious image is in place and the thread context is patched; (3) thawing the database / EDR processes a ransomware suspended pre-encryption once the encryption pass completes and the operator wants the victim's services to come back up cleanly (a courtesy in double-extortion scenarios meant to make recovery dependent on the operator's good faith).

Detection opportunities

By itself NtResumeProcess is harmless — every debugger and the Windows runtime use it. The actionable telemetry is the *pair*: NtSuspendProcess → write/inject → NtResumeProcess from the same caller on the same target within a short window, especially when the target is a sacrificial-process candidate (rundll32.exe, notepad.exe, RuntimeBroker.exe) freshly spawned by the same caller. ETW `Microsoft-Windows-Kernel-Audit-API-Calls` exposes Resume invocations when the audit policy enables them; combine with Sysmon Event ID 10 (ProcessAccess) showing PROCESS_SUSPEND_RESUME being requested on a non-child process for a high-signal alert.

Direct syscall examples

; Direct syscall stub for NtResumeProcess (SSN 0x18A on 24H2/2025)
; SSN climbs every release — resolve dynamically across builds.
NtResumeProcess PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 18Ah         ; SSN
    syscall
    ret
NtResumeProcess ENDP

// Final step of a process-hollowing routine: after writing the malicious
// image, fixing the suspended thread's RIP and Rcx, we resume everything.
#include <windows.h>

typedef NTSTATUS (NTAPI *pNtResumeProcess)(HANDLE);

void FinishHollow(HANDLE hProcess, HANDLE hThread, CONTEXT *ctx) {
    SetThreadContext(hThread, ctx);

    pNtResumeProcess NtResumeProcess = (pNtResumeProcess)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtResumeProcess");
    NtResumeProcess(hProcess);
}

// Cargo: windows-sys = "0.59"
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::Threading::{OpenProcess, PROCESS_SUSPEND_RESUME};

extern "system" { fn NtResumeProcess(handle: HANDLE) -> i32; }

pub unsafe fn thaw(pids: &[u32]) {
    for &pid in pids {
        let h = OpenProcess(PROCESS_SUSPEND_RESUME, 0, pid);
        if !h.is_null() { NtResumeProcess(h); }
    }
}

MITRE ATT&CK mappings

• T1055.012Process Injection: Process Hollowingmitre ↗
• T1055Process Injectionmitre ↗
• T1106Native APImitre ↗