NtUnlockVirtualMemory

Prototype

NTSTATUS NtUnlockVirtualMemory(
  HANDLE  ProcessHandle,
  PVOID  *BaseAddress,
  PSIZE_T RegionSize,
  ULONG   MapType
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 DE 01 00 00      mov eax, 0x1DE
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The strict counterpart to NtLockVirtualMemory. The SSN drifts on every major release (`0x1C5` Win10 1903, `0x1CB` 2004, `0x1DE` Win11 24H2 / Server 2025). Calling it on a non-locked region returns `STATUS_NOT_LOCKED` (0xC000002A) which is benign; calling it with a mismatched `MapType` returns `STATUS_INVALID_PARAMETER`. The kernel implementation lowers the process's working-set minimum back down, but does not actively page the region — it merely permits the trim. Practically every legitimate use is paired one-to-one with a prior NtLockVirtualMemory.

Common malware usage

The wake-side of the sleep-mask pattern documented under NtLockVirtualMemory. Ekko, Foliage, and the Cobalt Strike `Sleep_Mask` family use a `Lock → Encrypt → Sleep → Decrypt → Unlock` cycle every beacon callback interval; the matching `Unlock` releases the working-set quota so subsequent allocations don't get crowded out. Some packers also unlock the OEP region after a watchdog timeout to reduce their visible working-set footprint. By itself, NtUnlockVirtualMemory is essentially never the locus of malicious behavior — its presence is most useful as a *pairing* signal next to a same-thread NtLockVirtualMemory on the same range earlier in the call trace.

Detection opportunities

Detect the *pair*, not the single call. The classic high-signal sequence within one thread: `NtAllocateVirtualMemory(RWX)` → `NtLockVirtualMemory(MAP_PROCESS)` → `NtDelayExecution(long)` → `NtUnlockVirtualMemory` → execute. Hook the user-mode VirtualUnlock thunk and correlate with the prior VirtualLock site and the allocation's protection bits. Memory scanners that snapshot working-set membership across time can sometimes spot the lock-then-unlock pulse — though many EDRs do not retain that history. As with NtLockVirtualMemory, there is no first-class ETW event; behavior chaining is the path.

Direct syscall examples

; Direct syscall stub for NtUnlockVirtualMemory
NtUnlockVirtualMemory PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 1DEh         ; SSN (Win11 24H2 / Server 2025)
    syscall
    ret
NtUnlockVirtualMemory ENDP

// Symmetric counterpart to the SleepWithLockedRegion example: after the
// caller wakes and decrypts in place, unlock so the working-set quota is
// returned and subsequent allocations aren't crowded.
#include <windows.h>

typedef NTSTATUS (NTAPI *pNtUnlockVirtualMemory)(HANDLE, PVOID*, PSIZE_T, ULONG);
#define MAP_PROCESS 1

NTSTATUS UnlockRegion(PVOID base, SIZE_T size) {
    pNtUnlockVirtualMemory NtUnlockVirtualMemory = (pNtUnlockVirtualMemory)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnlockVirtualMemory");
    PVOID  b = base;
    SIZE_T s = size;
    return NtUnlockVirtualMemory((HANDLE)-1, &b, &s, MAP_PROCESS);
}

// Cargo: windows-sys = "0.59" (Win32_System_Memory)
use windows_sys::Win32::System::Memory::{VirtualLock, VirtualUnlock};

pub struct Pinned { ptr: *mut u8, len: usize }

impl Pinned {
    pub fn new(p: *mut u8, len: usize) -> std::io::Result<Self> {
        if unsafe { VirtualLock(p as _, len) } == 0 {
            return Err(std::io::Error::last_os_error());
        }
        Ok(Self { ptr: p, len })
    }
}

impl Drop for Pinned {
    fn drop(&mut self) {
        // VirtualUnlock — underneath, NtUnlockVirtualMemory(MAP_PROCESS).
        unsafe { VirtualUnlock(self.ptr as _, self.len); }
    }
}

MITRE ATT&CK mappings

• T1027.011Obfuscated Files or Information: Fileless Storagemitre ↗
• T1027Obfuscated Files or Informationmitre ↗
• T1106Native APImitre ↗