Syscall reference

Reserves, commits or both a region of virtual memory in a target process.

Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).

Changes the protection on a region of committed virtual memory in a target process.

Writes a buffer from the caller into the virtual address space of a target process.

Reads bytes from the virtual address space of a target process into a caller-supplied buffer.

Decommits or releases a region of virtual memory in a target process.

Retrieves information about pages in a target process's virtual address space.

Opens a handle to an existing process with a requested access mask.

Creates a section object backed by a file or the system pagefile for shared memory mapping.

Maps a view of a section object into the virtual address space of a target process.

Unmaps a previously mapped section view from a process's virtual address space.

Legacy thread-creation syscall requiring a manually-built INITIAL_TEB; superseded by NtCreateThreadEx.

Creates a new thread in a target process, optionally suspended, with rich attribute list support.

Queues a user-mode asynchronous procedure call (APC) to a target thread.

Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.

Creates a new user-mode process and its initial thread from an executable image.

Creates a new process from a section handle without running ntdll process initialization — building block of process hollowing.

Terminates a target process and all of its threads with a given exit status.

Suspends every thread in a target process by incrementing each thread's suspend count.

Decrements every thread's suspend count in a target process, resuming threads that reach zero.

Opens a handle to an existing thread identified by CLIENT_ID with requested access rights.

Increments the suspend count of a target thread, halting its execution.

Decrements the suspend count of a thread, resuming execution when the count reaches zero.

Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.

Terminates the specified thread with the supplied exit status. NULL handle terminates the current thread.

Retrieves the CPU register context (CONTEXT structure) of a suspended thread.

Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.

Opens the access token associated with a process and returns a handle to it.

Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.

Enables or disables privileges in a specified access token.

Retrieves a specified class of information about an access token.

Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.

Creates a restricted (filtered) copy of an existing access token by disabling SIDs, deleting privileges, or adding restricted SIDs.

Assigns the well-known ANONYMOUS LOGON token to the specified thread.

Causes the server thread to impersonate the security context of the client thread.

Performs a security access check of a security descriptor against an impersonation token, returning the granted access mask.

Tests whether the privileges named in a PRIVILEGE_SET are enabled in an impersonation token.

Retrieves a class of information about a process — the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.

Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.

Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.

Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.

Raises a 'hard error' that the kernel routes to CSRSS for UI prompting — or, with SeShutdownPrivilege and FATAL severity, triggers an immediate bugcheck (BSOD).

Creates a named or unnamed event synchronization object and returns a handle to it.

Opens a handle to an existing named event object.

Sets an event object to the signaled state, releasing waiting threads.

Waits until a dispatcher object becomes signaled or the optional timeout expires.

Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.

Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.

Creates a kernel timer object that can be armed later with NtSetTimer.

Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.

Suspends the calling thread for a specified interval, optionally in an alertable state.

Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.

Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.

Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.

Creates the server end of a named pipe in the \Device\NamedPipe device namespace.

Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.

Establishes a client ALPC connection to a named server port and exchanges an initial message.

Sends an ALPC message on a port and optionally waits for a reply or the next inbound message.

Creates a job object — the kernel container used to apply limits, accounting and termination policy to a set of processes.

Attaches a process to a job object so that the job's limits, accounting and termination policy apply to it.

Sets a policy or limit on a job object via one of the JOBOBJECTINFOCLASS information classes.

Creates or opens a registry key — the kernel-level primitive behind every persistence beacon written to the registry.

Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.

Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.

Deletes a registry key when the handle is closed — used to wipe persistence and audit-key artefacts post-execution.

Writes a named value into an open registry key — the workhorse for Run-key and IFEO persistence.

Reads a value from a registry key — the targeted credential and config harvest primitive.

Enumerates subkeys of a registry key — used to walk AutoRun, IFEO and Services for persistence discovery.

Closes a kernel object handle (file, key, event, process, thread, section, etc.).

Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.

Reads bytes from a file, device, named pipe or mapped section into a user buffer — the kernel primitive behind ReadFile.

Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.

Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.

Enumerates a directory at the IRP layer — used by rootkits to hide files by tampering with the returned list.

Sends an IOCTL to a kernel driver — the user-mode entry point for every BYOVD primitive abuse.

Sends FSCTL codes to a filesystem — used to plant reparse points, access ADS, and abuse junction traversal.

Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.

Loads a kernel-mode driver from a registry-described service entry — the BYOVD entry point.

Routes kernel debugger-style requests (kernel R/W, control space, breakpoints, profiler) selected by the SysDbgCommand enum.