NtSetContextThread

Prototype

NTSTATUS NtSetContextThread(
  HANDLE    ThreadHandle,
  PCONTEXT  ThreadContext
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 9A 01 00 00      mov eax, 0x19A
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The high-impact half of the context pair. The kernel validates the CONTEXT — CS must be a legal user-mode selector, EFlags has reserved bits masked, and on CET-enabled systems (Windows 10 20H2+ with HW shadow stack) SSP/Ssp adjustments are sanitized by KeVerifyContextRecord. The CONTEXT struct is *architecture-specific*: 1232 bytes on x64, 716 bytes on x86, and ~880 bytes on ARM64 — and Wow64SetThreadContext exists to bridge x86-on-x64 by writing the 32-bit CONTEXT into the corresponding WOW64 area. On CET-enforced builds, writes to Rip that point at non-CFG/IBT-tagged code can fail with STATUS_SET_CONTEXT_DENIED.

Common malware usage

The canonical shellcode-injection primitive (T1055.003 Thread Execution Hijacking). The full sequence: NtAllocateVirtualMemory(RWX) → NtWriteVirtualMemory(shellcode) → NtOpenThread → NtSuspendThread → NtGetContextThread → set ctx.Rip = shellcode → NtSetContextThread → NtResumeThread. Variants: (a) Early Bird — queue an APC then set context to fire it on first alertable wait. (b) Hardware breakpoint hooking — write DR0..DR3 with addresses of target functions and DR7 with control bits, then handle the resulting #DB exceptions in a Veh handler to implement userland hooks invisible to inline-hook scanners. (c) CET bypass attempts that abuse XSTATE / CET shadow-stack pointer fields.

Detection opportunities

NtSetContextThread on a remote thread is one of the highest-signal events in Windows. Microsoft-Windows-Threat-Intelligence ETW exposes EtwTiLogSetContextThread with source/target PIDs and the new Rip — alert on any cross-process call where the new Rip points to private (non-image-backed) memory. EDRs commonly hook in user-mode via ntdll!NtSetContextThread inline patches; direct syscalls bypass that, but TI-ETW remains. CET / shadow-stack on supported CPUs makes the classic Rip-rewrite less reliable and surfaces failed attempts as KERNEL_SECURITY_CHECK_FAILURE-class bugchecks if the attacker mis-configures the new context.

Direct syscall examples

// Assumes shellcode already written to remoteShellcode in target process.
CONTEXT ctx = { .ContextFlags = CONTEXT_FULL };
NtSuspendThread(hThread, NULL);
NtGetContextThread(hThread, &ctx);
ctx.Rip = (DWORD64)remoteShellcode;     // redirect on resume
NtSetContextThread(hThread, &ctx);
NtResumeThread(hThread, NULL);

// Install a userland hook on a target function via DR0 + #DB VEH handler.
CONTEXT ctx = { .ContextFlags = CONTEXT_DEBUG_REGISTERS };
NtGetContextThread(hTargetThread, &ctx);
ctx.Dr0 = (DWORD64)pTargetFn;
ctx.Dr7 = (1ULL << 0)  /* L0 */ |
          (0ULL << 16) /* RW0=00 execute */ |
          (0ULL << 18) /* LEN0=00 1-byte */;
NtSetContextThread(hTargetThread, &ctx);
// AddVectoredExceptionHandler then catches EXCEPTION_SINGLE_STEP at pTargetFn.

use std::arch::asm;

#[unsafe(naked)]
unsafe extern "system" fn nt_set_context_thread_stub() {
    asm!(
        "mov r10, rcx",
        "mov eax, 0x19A",        // Win11 24H2 SSN
        "syscall",
        "ret",
        options(noreturn),
    );
}

MITRE ATT&CK mappings

• T1055.003Thread Execution Hijackingmitre ↗
• T1055.004Asynchronous Procedure Callmitre ↗
• T1106Native APImitre ↗