ntoskrnl.exeT1055.012T1055T1106

NtUnmapViewOfSection

Unmaps a previously mapped section view from a process's virtual address space.

Prototype

NTSTATUS NtUnmapViewOfSection(
  HANDLE ProcessHandle,
  PVOID  BaseAddress
);

Arguments

Name	Type	Dir	Description
ProcessHandle	HANDLE	in	Handle to the process whose view is unmapped. Requires PROCESS_VM_OPERATION.
BaseAddress	PVOID	in	Base address of the mapped view to unmap. Must match the value returned by NtMapViewOfSection.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x2A	win10-1507
Win10 1607	0x2A	win10-1607
Win10 1703	0x2A	win10-1703
Win10 1709	0x2A	win10-1709
Win10 1803	0x2A	win10-1803
Win10 1809	0x2A	win10-1809
Win10 1903	0x2A	win10-1903
Win10 1909	0x2A	win10-1909
Win10 2004	0x2A	win10-2004
Win10 20H2	0x2A	win10-20h2
Win10 21H1	0x2A	win10-21h1
Win10 21H2	0x2A	win10-21h2
Win10 22H2	0x2A	win10-22h2
Win11 21H2	0x2A	win11-21h2
Win11 22H2	0x2A	win11-22h2
Win11 23H2	0x2A	win11-23h2
Win11 24H2	0x2A	win11-24h2
Server 2016	0x2A	winserver-2016
Server 2019	0x2A	winserver-2019
Server 2022	0x2A	winserver-2022
Server 2025	0x2A	winserver-2025

Kernel module

ntoskrnl.exe → NtUnmapViewOfSection

Related APIs

UnmapViewOfFileUnmapViewOfFile2NtMapViewOfSectionNtMapViewOfSectionExNtUnmapViewOfSectionExNtCreateSection

Syscall stub

4C 8B D1            mov r10, rcx
B8 2A 00 00 00      mov eax, 0x2A
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtUnmapViewOfSection holds SSN `0x2A` across every Windows 10 / 11 / Server build observed. The corresponding NtUnmapViewOfSectionEx (added in Win10 1809) is a separate syscall that accepts a Flags parameter. Internally the call dispatches through MmUnmapViewOfSection and walks the target process's VAD tree to find the SECTION_OBJECT_POINTERS entry — which is what makes the hollowing primitive so reliable: unmapping the process's own primary image is supported and does not require any special privilege beyond a handle to that process with PROCESS_VM_OPERATION.

Common malware usage

Cornerstone of process hollowing (T1055.012). The classic recipe: CreateProcess(target, CREATE_SUSPENDED) → NtQueryInformationProcess to grab the PEB image base → NtUnmapViewOfSection of that base → NtAllocateVirtualMemory at the (preferred) original base → write the malicious image's sections → fix up SetThreadContext RIP/RAX/EAX → ResumeThread. Stuxnet, Dridex, Hancitor, FormBook, Agent Tesla, and modern droppers like SmokeLoader and Amadey all ship variants of this. NtUnmapViewOfSection is also used post-injection to wipe an EDR DLL's view from a host process so future LoadLibrary calls hit a fresh copy without the inline hooks.

Stuxnet Dridex FormBook Agent Tesla SmokeLoader Amadey

Detection opportunities

Cross-process NtUnmapViewOfSection where ProcessHandle != self is rare in legitimate software (debugger detach paths and a small set of side-by-side runtime managers are about it). Sysmon Event ID 25 (`ProcessTampering: Image is replaced`) explicitly targets the unmap-then-allocate hollowing pattern. The ETW Threat Intelligence provider emits process image-modification events on Win10 RS5+ that fire on the unmap of the primary executable image. Correlate with a child process whose on-disk image differs from its in-memory image (compare module path with PEB ImageBaseAddress section header).

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtUnmapViewOfSection (SSN 0x2A, all builds)
NtUnmapViewOfSection PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 2Ah          ; SSN
    syscall
    ret
NtUnmapViewOfSection ENDP

cProcess hollowing skeleton

// Classic RunPE / process hollowing skeleton. Error handling omitted.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtUnmapViewOfSection)(HANDLE, PVOID);

void Hollow(LPCWSTR target, PVOID malicious_image, SIZE_T image_size,
            PVOID preferred_base) {
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    CreateProcessW(target, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                   NULL, NULL, &si, &pi);

    // Resolve PEB->ImageBaseAddress of the suspended child.
    PROCESS_BASIC_INFORMATION pbi;
    NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation,
                              &pbi, sizeof pbi, NULL);
    PVOID remote_base;
    ReadProcessMemory(pi.hProcess,
        (BYTE*)pbi.PebBaseAddress + 0x10, // ImageBaseAddress
        &remote_base, sizeof remote_base, NULL);

    // Tear down the legitimate image mapping.
    pNtUnmapViewOfSection NtUnmap = (pNtUnmapViewOfSection)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
    NtUnmap(pi.hProcess, remote_base);

    // Re-allocate at preferred base and copy the malicious image, then
    // patch the new entry point into the suspended thread's CONTEXT.
    // (Section copy + relocations + SetThreadContext + ResumeThread omitted.)
}

rustntapi safe wrapper

// Cargo: ntapi = "0.4", windows-sys = "0.59"
use ntapi::ntmmapi::NtUnmapViewOfSection;
use windows_sys::Win32::Foundation::HANDLE;

pub unsafe fn unmap_image(proc_handle: HANDLE, base: *mut core::ffi::c_void)
    -> Result<(), i32>
{
    let status = NtUnmapViewOfSection(proc_handle, base);
    if status >= 0 { Ok(()) } else { Err(status) }
}

MITRE ATT&CK mappings

Last verified: 2026-05-20