NtQuerySystemInformation

Prototype

NTSTATUS NtQuerySystemInformation(
  SYSTEM_INFORMATION_CLASS SystemInformationClass,
  PVOID                    SystemInformation,
  ULONG                    SystemInformationLength,
  PULONG                   ReturnLength
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 36 00 00 00      mov eax, 0x36
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Another rare frozen-SSN heavyweight: 0x36 from Windows 10 1507 through Windows 11 24H2. The class enumeration is enormous (200+ values in recent kernels) and is the basis for nearly every Win32 'enumerate system state' API: EnumProcesses (class 5), GetSystemInfo (class 0), GetNativeSystemInfo, EnumDeviceDrivers (class 11), and the not-officially-exposed NtQuerySystemInformation(SystemHandleInformation=16). Class 16 is the legacy 16-bit handle layout; class 64 (SystemExtendedHandleInformation) is the modern wide variant — modern tools should use the latter. The canonical calling pattern is a sizing loop: call with NULL/0 to get the required size in ReturnLength, allocate, call again, repeat if the system grew under your feet (STATUS_INFO_LENGTH_MISMATCH on race).

Common malware usage

Three high-impact OPSEC and reconnaissance uses. (1) SystemProcessInformation (5) returns a single contiguous list of every process and *all of its threads* — used to find injection targets without touching the loud CreateToolhelp32Snapshot path; also the discovery primitive behind 'find lsass.exe TID with ALERTABLE wait' for Early Bird APC. (2) SystemHandleInformation / SystemExtendedHandleInformation (16/64) enumerates every handle in every process — used by stealth credential-dumping tools (HandleKatz, NanoDump variants) to find an existing PROCESS_VM_READ handle to lsass.exe held by some other process and *duplicate it* via NtDuplicateObject, completely sidestepping NtOpenProcess on lsass. (3) SystemModuleInformation (11) enumerates loaded kernel modules with their base addresses — defeats KASLR for any non-LowIL caller, used by BYOVD attacks to compute the in-memory offsets of target driver functions, and by rootkit detectors. SystemCodeIntegrityInformation (103) lets a payload detect whether HVCI / DSE is enforced before attempting to load an unsigned driver. SystemBootEnvironmentInformation (90) reveals whether the boot path is BIOS or UEFI Secure Boot and is sampled by bootkits to gate their persistence strategy.

Detection opportunities

Volume from class 5 (SystemProcessInformation) is enormous in normal use — it's how Task Manager, Process Explorer, every monitoring agent, and the runtime itself enumerate. The discriminator is class number plus calling-process trust: classes 16/64 (handle enum) and 11 (module enum) from any non-system, non-Microsoft-signed process is suspicious. Microsoft-Windows-Threat-Intelligence ETW does NOT expose this syscall granularly; you must instrument via ntdll-side ETW (Microsoft-Windows-Win32k-Threat-Intelligence) or a kernel callback. The strongest signal is post-call behaviour: a process that calls NtQuerySystemInformation(64) and within milliseconds calls NtDuplicateObject with a source handle whose PID is lsass.exe is almost certainly credential-dumping.

Direct syscall examples

// Classic two-step: ask for size, allocate, ask for data.
ULONG len = 0x10000;
PVOID buf = NULL;
NTSTATUS st;
for (;;) {
    buf = HeapAlloc(GetProcessHeap(), 0, len);
    st = NtQuerySystemInformation(SystemExtendedHandleInformation /*64*/,
                                  buf, len, &len);
    if (st != STATUS_INFO_LENGTH_MISMATCH) break;
    HeapFree(GetProcessHeap(), 0, buf);
    len *= 2;
}
// buf now holds SYSTEM_HANDLE_INFORMATION_EX with NumberOfHandles + entries
// Iterate and find an entry with UniqueProcessId == lsass_pid and
// GrantedAccess == PROCESS_VM_READ | PROCESS_QUERY_INFORMATION -> dup it.

// Discloses every loaded kernel module's base address from medium-IL or higher.
// Used by BYOVD attacks to compute target driver function offsets.
RTL_PROCESS_MODULES *mods = HeapAlloc(GetProcessHeap(), 0, 0x10000);
ULONG ret = 0;
NtQuerySystemInformation(SystemModuleInformation /*11*/,
                         mods, 0x10000, &ret);
for (ULONG i = 0; i < mods->NumberOfModules; i++) {
    if (strstr((char*)mods->Modules[i].FullPathName, "ntoskrnl.exe")) {
        // mods->Modules[i].ImageBase = current ntoskrnl base — KASLR defeated.
    }
}

// Returns SYSTEM_CODEINTEGRITY_INFORMATION { Length, CodeIntegrityOptions }.
// Check options for CODEINTEGRITY_OPTION_ENABLED | HVCI_ENABLED before
// even attempting an unsigned-driver load.
use windows_sys::Wdk::System::SystemInformation::*;

#[repr(C)] struct CodeIntegrityInfo { length: u32, options: u32 }
let mut ci = CodeIntegrityInfo { length: 8, options: 0 };
let mut ret = 0u32;
unsafe {
    nt_query_system_information(103 /*SystemCodeIntegrityInformation*/,
        &mut ci as *mut _ as *mut _, 8, &mut ret);
}
let hvci_on = ci.options & 0x400 != 0;

MITRE ATT&CK mappings

• T1057Process Discoverymitre ↗
• T1014Rootkitmitre ↗
• T1003.001OS Credential Dumping: LSASS Memorymitre ↗
• T1106Native APImitre ↗