Process Creation
NtCreateUserProcess
Creates a new user-mode process (the path CreateProcess takes on current Windows versions).
Parameters:
- Receives a handle to the new process
- Receives a handle to the initial thread
- Desired access for the process
- Desired access for the thread
- Process parameters, including the image path and command line
- Process creation information
Logged:
- Image path
- Command line
- Architecture (x86/x64)
- Suspended state
- Process ID (after creation)
- Thread ID (after creation)
- Operation success status
Behavior:
- File paths are redirected to the virtual filesystem
- Cross-architecture execution is blocked
- Child processes are automatically whitelisted
- Child processes are injected with Dr.Semu for monitoring
NtCreateProcess
Creates a new process (legacy API, superseded by NtCreateUserProcess; it creates no initial thread, so the caller must create one separately).
Parameters:
- Receives a handle to the new process
- Desired access for the process
- Handle to the parent process
- Optional handle to a section object backing the image
NtCreateProcessEx
Extended version of NtCreateProcess.
Parameters:
- Receives a handle to the new process
- Desired access for the process
- Handle to the parent process
- Process creation flags
Process Access
NtOpenProcess
Opens an existing process by client ID.
Parameters:
- Receives a handle to the process
- Desired access rights
- Object attributes
- Client ID (process and thread IDs)
Logged:
- Desired access
- Process ID
- Thread ID
- Process handle (after a successful operation)
- Operation success status
Behavior:
- Only whitelisted processes can be opened
- Attempts to open the fake explorer are redirected to the real explorer
- Access to any other process is denied with STATUS_ACCESS_DENIED
NtSuspendProcess
Suspends all threads in a process.
Parameters:
- Handle to the process to suspend
Logged:
- Process handle
- Process image path
- Operation success status
Thread Operations
NtOpenThread
Opens an existing thread by client ID.
Parameters:
- Receives a handle to the thread
- Desired access rights
- Object attributes (ObjectName must be NULL when a client ID is supplied)
- Client ID (process and thread IDs)
Logged:
- Process ID
- Thread ID
- Thread handle (after a successful operation)
Behavior:
- Only threads of whitelisted processes can be opened
- Attempts to open any other thread are denied
NtDelayExecution
Delays execution of the current thread (the primitive behind Sleep/SleepEx, and therefore the one that long sandbox-evading sleeps go through).
Parameters:
- Whether the delay is alertable (user-mode APCs can interrupt it)
- Delay duration in 100-nanosecond intervals; a negative value is a relative delay, a positive value an absolute wake-up time
Logged:
- Delay interval
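The sign convention matters when logging the delay interval: a hook that prints the raw LARGE_INTEGER gets a negative number for every Sleep() call and a FILETIME for absolute waits. The following is an added example, not Dr.Semu's code, of decoding the interval a hook receives; the analysis-budget threshold and the sample values are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DelayInterval as passed to NtDelayExecution is a 64-bit count of 100-ns
   units whose sign selects the meaning:
     < 0   relative delay (Sleep(ms) passes -(ms * 10000))
     > 0   absolute wake-up time, a FILETIME (100-ns units since 1601-01-01 UTC)
     == 0  give up the rest of the quantum
   INT64_MIN (0x8000000000000000) is what SleepEx(INFINITE) passes. */
#define TICKS_PER_MS 10000LL

enum delay_kind { DELAY_YIELD, DELAY_RELATIVE, DELAY_ABSOLUTE, DELAY_INFINITE };

struct delay_info {
    enum delay_kind kind;
    int64_t milliseconds;   /* wait duration; -1 for infinite */
};

/* now_filetime is the current time as a FILETIME; it is only needed to turn
   an absolute deadline into the remaining wait. */
static struct delay_info decode_delay(int64_t interval, int64_t now_filetime)
{
    struct delay_info d = { DELAY_YIELD, 0 };
    if (interval == INT64_MIN) {            /* checked first: -INT64_MIN overflows */
        d.kind = DELAY_INFINITE;
        d.milliseconds = -1;
    } else if (interval < 0) {
        d.kind = DELAY_RELATIVE;
        d.milliseconds = -interval / TICKS_PER_MS;
    } else if (interval > 0) {
        int64_t remaining = interval - now_filetime;
        d.kind = DELAY_ABSOLUTE;
        d.milliseconds = remaining > 0 ? remaining / TICKS_PER_MS : 0;
    }
    return d;
}

static int64_t delay_ms(int64_t interval, int64_t now_filetime)
{
    return decode_delay(interval, now_filetime).milliseconds;
}

static enum delay_kind delay_kind_of(int64_t interval, int64_t now_filetime)
{
    return decode_delay(interval, now_filetime).kind;
}

/* A logging hook usually also wants to know whether the sample is burning the
   analysis budget; the threshold is an assumption, not a Dr.Semu setting. */
static bool exceeds_budget(int64_t interval, int64_t now_filetime, int64_t budget_ms)
{
    struct delay_info d = decode_delay(interval, now_filetime);
    return d.kind == DELAY_INFINITE || d.milliseconds > budget_ms;
}

int main(void)
{
    /* Constructed inputs: Sleep(5000), a deadline 30 s after a made-up "now",
       a yield, and SleepEx(INFINITE). */
    const int64_t now = 133000000000000000LL;
    int64_t samples[] = { -5000 * TICKS_PER_MS, now + 30000 * TICKS_PER_MS, 0, INT64_MIN };
    static const char *names[] = { "yield", "relative", "absolute", "infinite" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct delay_info d = decode_delay(samples[i], now);
        printf("%-8s %lld ms%s\n", names[d.kind], (long long)d.milliseconds,
               exceeds_budget(samples[i], now, 10000) ? "  [exceeds 10 s budget]" : "");
    }
    return 0;
}
```

Build with `cc -std=c11 delay.c`; the absolute case needs a real "now" from the hooked process (for example from NtQuerySystemTime) rather than the constant used here.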
NtSetContextThread
Sets the register context of a thread; on a suspended thread this redirects execution, which is why it is hooked alongside NtWriteVirtualMemory.
Parameters:
- Handle to the thread
- Thread context to set
NtContinue
Restores a thread context and resumes execution, normally after exception or APC dispatch.
Parameters:
- Context to continue with
- Whether to test for alerts before resuming
Memory Operations
NtWriteVirtualMemory
Writes data to the virtual memory of a process.
Parameters:
- Handle to the target process
- Base address to write to
- Buffer containing the data to write
- Number of bytes to write
- Receives the number of bytes actually written
Logged:
- Process ID
- Target process image path
- Operation success status
Behavior:
- Only whitelisted processes can be written to
- Attempts to write to the fake explorer are redirected to the real explorer
- Any other attempt is denied with STATUS_ACCESS_DENIED
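The whitelist check, the fake-explorer redirect and the STATUS_ACCESS_DENIED fallback are the same rules for NtOpenProcess, NtOpenThread and NtWriteVirtualMemory, and the whitelist is fed by the NtCreateUserProcess hook when a child is created. The following added example (not code from Dr.Semu; the struct layout, function names and PIDs are assumptions) shows that shared decision in portable C. Mapping a process handle back to a PID, which the NtWriteVirtualMemory hook would have to do first, is outside the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal NT definitions so the example builds without windows.h; the values
   match the SDK constants. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)

#define MAX_WHITELIST 64

/* Sandbox state consulted by the hooks. The layout is hypothetical; the page
   describes the behavior, not Dr.Semu's data structures. */
struct sandbox_policy {
    uint32_t whitelist[MAX_WHITELIST]; /* PIDs the sample may open or write */
    size_t   count;
    uint32_t fake_explorer_pid;        /* decoy explorer the sample sees */
    uint32_t real_explorer_pid;        /* target of redirected decoy accesses */
};

static bool is_whitelisted(const struct sandbox_policy *p, uint32_t pid)
{
    for (size_t i = 0; i < p->count; i++)
        if (p->whitelist[i] == pid)
            return true;
    return false;
}

/* Called by the NtCreateUserProcess hook once the child exists
   ("child processes are automatically whitelisted"). */
static bool whitelist_add(struct sandbox_policy *p, uint32_t pid)
{
    if (is_whitelisted(p, pid))
        return true;
    if (p->count >= MAX_WHITELIST)
        return false;
    p->whitelist[p->count++] = pid;
    return true;
}

/* Decision shared by the NtOpenProcess, NtOpenThread and NtWriteVirtualMemory
   hooks. On STATUS_SUCCESS, *effective_pid is the process the original syscall
   is forwarded to (the real explorer when the sample asked for the decoy). On
   STATUS_ACCESS_DENIED the hook returns that status without calling the
   original syscall. */
static NTSTATUS resolve_target(const struct sandbox_policy *p,
                               uint32_t requested_pid, uint32_t *effective_pid)
{
    if (requested_pid == p->fake_explorer_pid) {
        *effective_pid = p->real_explorer_pid;
        return STATUS_SUCCESS;
    }
    if (is_whitelisted(p, requested_pid)) {
        *effective_pid = requested_pid;
        return STATUS_SUCCESS;
    }
    *effective_pid = 0;
    return STATUS_ACCESS_DENIED;
}

/* Constructed state for the stand-alone demo; all PIDs are made up. */
static struct sandbox_policy demo_policy(void)
{
    struct sandbox_policy p = { {0}, 0, 4120, 1788 };
    whitelist_add(&p, 5204);           /* the sample's own PID */
    return p;
}

static NTSTATUS demo_status(uint32_t pid)
{
    struct sandbox_policy p = demo_policy();
    uint32_t eff;
    return resolve_target(&p, pid, &eff);
}

static uint32_t demo_effective(uint32_t pid)
{
    struct sandbox_policy p = demo_policy();
    uint32_t eff;
    resolve_target(&p, pid, &eff);
    return eff;
}

/* Same decision after the sample spawned child_pid and the creation hook
   whitelisted it. */
static NTSTATUS demo_status_after_child(uint32_t child_pid, uint32_t pid)
{
    struct sandbox_policy p = demo_policy();
    whitelist_add(&p, child_pid);
    uint32_t eff;
    return resolve_target(&p, pid, &eff);
}

int main(void)
{
    uint32_t requests[] = { 5204, 4120, 4, 6016 };   /* self, decoy, System, unknown */
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        NTSTATUS st = demo_status(requests[i]);
        printf("open pid %u -> %s", requests[i],
               st == STATUS_SUCCESS ? "allowed" : "STATUS_ACCESS_DENIED");
        if (st == STATUS_SUCCESS)
            printf(", forwarded to pid %u", demo_effective(requests[i]));
        printf("\n");
    }
    printf("open pid 6016 after the sample spawned it -> %s\n",
           demo_status_after_child(6016, 6016) == STATUS_SUCCESS ? "allowed" : "denied");
    return 0;
}
```

The redirect check runs before the whitelist check on purpose: the decoy PID is never placed on the whitelist, so a sample that opens it is always steered to the real explorer rather than getting a handle to the sandbox's own process.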
NtProtectVirtualMemory
Changes the memory protection of a region of virtual memory.
Parameters:
- Handle to the process
- Pointer to the base address of the region (rounded down to a page boundary on return)
- Pointer to the size of the region (rounded up to whole pages on return)
- New protection flags (PAGE_EXECUTE, PAGE_READWRITE, etc.)
- Receives the old protection flags
Logged:
- Process handle
- Base address
- New protection flags
- Operation success status
NtQueryVirtualMemory
Retrieves information about a range of virtual memory.
Parameters:
- Handle to the process
- Base address to query
- Type of information to retrieve (memory information class)
Process Information
NtQueryInformationProcess
Retrieves information about a process.
Parameters:
- Handle to the process
- Type of information to retrieve (information class)
- Buffer to receive the information
- Size of the buffer
- Receives the size of the data returned
Logged:
- Process handle
- Process name
- Information class (e.g., ProcessBasicInformation, ProcessImageFileName)
Behavior:
- Fake explorer paths are hidden and replaced with the real explorer path
- The parent process ID is masked for fake explorer processes
- Supports various information classes:
  - ProcessBasicInformation
  - ProcessImageFileName
  - ProcessImageFileNameWin32
  - ProcessWow64Information
  - ProcessMitigationPolicy
  - ProcessDebugPort
  - And more
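Both masking rules edit a buffer that the caller sized before the call, so the hook has to cope with a real path that is longer than the fake one. The following added example (not Dr.Semu's code; the paths, PIDs and the reading of "masked" as "a child of the fake explorer reports the real explorer as its parent" are assumptions) post-processes a ProcessImageFileName result and a ProcessBasicInformation result after the original syscall has filled them in.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)

/* Stand-ins for the NT structures with the real field names; wchar_t replaces
   WCHAR so this builds anywhere (its size differs from Windows, so all byte
   arithmetic below goes through sizeof(wchar_t)). */
struct unicode_string {
    uint16_t Length;         /* bytes in use, without the terminator */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    wchar_t *Buffer;
};

struct process_basic_information {
    uintptr_t UniqueProcessId;
    uintptr_t InheritedFromUniqueProcessId;
};

/* Post-processing for ProcessImageFileName / ProcessImageFileNameWin32: if the
   original call returned the fake explorer's path, rewrite it in place. The
   caller sized its buffer for the fake path, so a longer real path may not
   fit; then the hook behaves like the kernel and returns
   STATUS_INFO_LENGTH_MISMATCH with the size needed in *return_length. */
static NTSTATUS mask_image_path(struct unicode_string *s, const wchar_t *fake_path,
                                const wchar_t *real_path, uint32_t *return_length)
{
    size_t fake_chars = wcslen(fake_path);
    if (s->Length != fake_chars * sizeof(wchar_t) ||
        wmemcmp(s->Buffer, fake_path, fake_chars) != 0)
        return STATUS_SUCCESS;                 /* not the decoy: pass through */

    size_t real_chars = wcslen(real_path);
    size_t needed = (real_chars + 1) * sizeof(wchar_t);
    if (needed > s->MaximumLength) {
        if (return_length)
            *return_length = (uint32_t)(sizeof *s + needed);
        return STATUS_INFO_LENGTH_MISMATCH;
    }
    wmemcpy(s->Buffer, real_path, real_chars + 1);
    s->Length = (uint16_t)(real_chars * sizeof(wchar_t));
    return STATUS_SUCCESS;
}

/* Post-processing for ProcessBasicInformation: a process spawned by the fake
   explorer reports the real explorer as its parent. */
static void mask_parent_pid(struct process_basic_information *pbi,
                            uintptr_t fake_explorer_pid, uintptr_t real_explorer_pid)
{
    if (pbi->InheritedFromUniqueProcessId == fake_explorer_pid)
        pbi->InheritedFromUniqueProcessId = real_explorer_pid;
}

/* Constructed paths and PIDs for the demo; the real path is one character
   longer than the fake one so the too-small-buffer branch is exercised. */
static const wchar_t DEMO_FAKE[] = L"\\Device\\HarddiskVolume2\\DrSemu\\explorer.exe";
static const wchar_t DEMO_REAL[] = L"\\Device\\HarddiskVolume2\\Windows\\explorer.exe";

/* Run the masking against a buffer of max_chars capacity; *now_real reports
   whether the buffer holds DEMO_REAL afterwards. */
static NTSTATUS demo_mask(size_t max_chars, bool *now_real)
{
    wchar_t buf[128];
    wcscpy(buf, DEMO_FAKE);
    struct unicode_string s = { (uint16_t)(wcslen(DEMO_FAKE) * sizeof(wchar_t)),
                                (uint16_t)(max_chars * sizeof(wchar_t)), buf };
    uint32_t needed = 0;
    NTSTATUS st = mask_image_path(&s, DEMO_FAKE, DEMO_REAL, &needed);
    *now_real = wcscmp(buf, DEMO_REAL) == 0;
    return st;
}

static NTSTATUS demo_mask_status(size_t max_chars) { bool r; return demo_mask(max_chars, &r); }
static bool demo_mask_rewritten(size_t max_chars) { bool r; demo_mask(max_chars, &r); return r; }

static uintptr_t demo_parent(uintptr_t reported_parent)
{
    struct process_basic_information pbi = { 6016, reported_parent };
    mask_parent_pid(&pbi, 4120, 1788);         /* constructed decoy and real PIDs */
    return pbi.InheritedFromUniqueProcessId;
}

int main(void)
{
    bool r;
    NTSTATUS st = demo_mask(128, &r);
    printf("128-char buffer: status 0x%08X, rewritten: %s\n", (unsigned)st, r ? "yes" : "no");
    st = demo_mask(wcslen(DEMO_FAKE) + 1, &r);
    printf("buffer sized for the fake path: status 0x%08X, rewritten: %s\n", (unsigned)st, r ? "yes" : "no");
    printf("child of the decoy reports parent pid %lu\n", (unsigned long)demo_parent(4120));
    return 0;
}
```

The comparison is exact because the hook compares against the same string the kernel just returned; a hook that matches user-supplied paths would need a case-insensitive comparison, since NT object paths are case-insensitive.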
NtSetInformationProcess
Sets information for a process.
Parameters:
- Handle to the process
- Type of information to set (information class)
- Buffer containing the information
- Size of the buffer