NtQuerySystemTime

Prototype

NTSTATUS NtQuerySystemTime(
  PLARGE_INTEGER SystemTime
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 5A 00 00 00      mov eax, 0x5A
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Most modern code reads `KUSER_SHARED_DATA.SystemTime` (`0x7FFE0014`) directly without a syscall — `GetSystemTimeAsFileTime` does exactly that in user mode. `NtQuerySystemTime` still exists for callers that need an authoritative kernel-issued value (e.g. cryptographic time stamping, debuggers, or tests that must round-trip the dispatcher). The SSN has been `0x5A` across every shipping Windows 10/11 build.

Common malware usage

The classic use is sandbox-acceleration detection: pair `NtQuerySystemTime` with `NtDelayExecution` to verify wall-clock progress matches the requested sleep. Many automated sandboxes hook or skip `Sleep` to finish analysis faster — but they rarely fake `KeQuerySystemTime`, so the time delta reveals the discrepancy. Malware that wants an extra-defensive check will read both `KUSER_SHARED_DATA.SystemTime` *and* call `NtQuerySystemTime`; a mismatch implies a tampered shared page. It is also used as a benign-looking entropy source for seeding RNGs in stagers.

Detection opportunities

Hard to alert on in isolation — it is one of the most-called Native APIs in normal software. The interesting pattern is the *sequence*: short `NtDelayExecution` followed immediately by `NtQuerySystemTime`, repeated in a loop, from a process with no UI. ETW User-Mode `Microsoft-Windows-Kernel-Process` traces combined with stack-walking can surface this. Reading `KUSER_SHARED_DATA.SystemTime` from user-mode is invisible to syscall-tracing tools entirely, which is why most evasive malware prefers that path when it only needs an approximate clock.

Direct syscall examples

; Direct syscall stub for NtQuerySystemTime (SSN 0x5A, all Win10/11 builds)
NtQuerySystemTime PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 5Ah          ; SSN
    syscall
    ret
NtQuerySystemTime ENDP

// If KUSER_SHARED_DATA.SystemTime and NtQuerySystemTime disagree by
// more than a few seconds, the analysis environment has tampered
// with the shared page or with the syscall path.
#include <windows.h>
#include <winternl.h>

extern "C" NTSTATUS NTAPI NtQuerySystemTime(PLARGE_INTEGER);

BOOL SharedPageTamperedWith(void) {
    LARGE_INTEGER shared, kernel;
    // KUSER_SHARED_DATA.SystemTime is a tick-incrementing 8-byte field
    shared.QuadPart = *(volatile LONGLONG*)0x7FFE0014;
    NtQuerySystemTime(&kernel);
    LONGLONG deltaSec = (kernel.QuadPart - shared.QuadPart) / 10000000LL;
    return deltaSec > 5 || deltaSec < -5;
}

// Pair NtQuerySystemTime with NtDelayExecution to detect sandbox-accelerated sleeps.
use std::arch::asm;

#[unsafe(naked)]
unsafe extern "system" fn nt_query_system_time(_out: *mut i64) -> i32 {
    asm!("mov r10, rcx", "mov eax, 0x5A", "syscall", "ret", options(noreturn));
}
#[unsafe(naked)]
unsafe extern "system" fn nt_delay_execution(_a: u8, _i: *const i64) -> i32 {
    asm!("mov r10, rcx", "mov eax, 0x34", "syscall", "ret", options(noreturn));
}

pub fn sleep_was_skipped(seconds: i64) -> bool {
    let (mut t0, mut t1): (i64, i64) = (0, 0);
    let interval = -seconds * 10_000_000;
    unsafe {
        nt_query_system_time(&mut t0);
        nt_delay_execution(0, &interval);
        nt_query_system_time(&mut t1);
    }
    ((t1 - t0) / 10_000_000) < seconds - 1
}

MITRE ATT&CK mappings

• T1497Virtualization/Sandbox Evasionmitre ↗
• T1497.003Time Based Evasionmitre ↗
• T1106Native APImitre ↗