ntoskrnl.exeT1057T1622T1106

NtQueryVirtualMemory

Retrieves information about pages in a target process's virtual address space.

Prototype

NTSTATUS NtQueryVirtualMemory(
  HANDLE                   ProcessHandle,
  PVOID                    BaseAddress,
  MEMORY_INFORMATION_CLASS MemoryInformationClass,
  PVOID                    MemoryInformation,
  SIZE_T                   MemoryInformationLength,
  PSIZE_T                  ReturnLength
);

Arguments

Name	Type	Dir	Description
ProcessHandle	HANDLE	in	Handle to the process whose VA space is queried. Requires PROCESS_QUERY_INFORMATION.
BaseAddress	PVOID	in	Address inside the region to query. Need not be page-aligned.
MemoryInformationClass	MEMORY_INFORMATION_CLASS	in	Class of information to return (MemoryBasicInformation, MemoryMappedFilenameInformation, MemoryRegionInformation, MemoryWorkingSetExInformation, ...).
MemoryInformation	PVOID	out	Caller-allocated buffer that receives the queried structure.
MemoryInformationLength	SIZE_T	in	Size of the output buffer in bytes.
ReturnLength	PSIZE_T	out	Optional. Receives the number of bytes written or required.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x23	win10-1507
Win10 1607	0x23	win10-1607
Win10 1703	0x23	win10-1703
Win10 1709	0x23	win10-1709
Win10 1803	0x23	win10-1803
Win10 1809	0x23	win10-1809
Win10 1903	0x23	win10-1903
Win10 1909	0x23	win10-1909
Win10 2004	0x23	win10-2004
Win10 20H2	0x23	win10-20h2
Win10 21H1	0x23	win10-21h1
Win10 21H2	0x23	win10-21h2
Win10 22H2	0x23	win10-22h2
Win11 21H2	0x23	win11-21h2
Win11 22H2	0x23	win11-22h2
Win11 23H2	0x23	win11-23h2
Win11 24H2	0x23	win11-24h2
Server 2016	0x23	winserver-2016
Server 2019	0x23	winserver-2019
Server 2022	0x23	winserver-2022
Server 2025	0x23	winserver-2025

Kernel module

ntoskrnl.exe → NtQueryVirtualMemory

Related APIs

VirtualQueryVirtualQueryExNtQueryInformationProcessNtReadVirtualMemoryNtProtectVirtualMemory

Syscall stub

4C 8B D1            mov r10, rcx
B8 23 00 00 00      mov eax, 0x23
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtQueryVirtualMemory keeps SSN `0x23` across every Windows 10 / 11 / Server build. It is the kernel side of VirtualQuery / VirtualQueryEx but exposes a much richer information surface: MemoryBasicInformation (state, type, protection), MemoryMappedFilenameInformation (the backing image / data file as an NT path), MemoryRegionInformation (whole VAD subtree info on Win10 1803+), MemoryImageInformation, and MemoryWorkingSetExInformation (per-page valid / locked / shared / shareable bits). Each class maps onto a distinct MmQueryVirtualMemory branch.

Common malware usage

Reconnaissance staple. Enumerate the address space to (a) locate AMSI/ETWTI mapping inside the host process before patching them, (b) find clean PE headers in ntdll/kernel32 for `Perun's Fart`-style fresh-copy unhooking, (c) sweep a remote process for RWX or recently allocated RW regions belonging to a target injection candidate, (d) confirm that a manually mapped image's section was not unmapped by an EDR. MemoryMappedFilenameInformation also lets malware identify EDR DLLs loaded into the host without touching the PEB loader list.

Cobalt Strike BruteRatel Sliver Lazarus tooling BumbleBee

Detection opportunities

High call rates are normal — debuggers, profilers, and even Defender itself walk address spaces continuously. The interesting telemetry is cross-process queries (ProcessHandle != current) from non-instrumentation binaries, especially when followed within milliseconds by NtProtectVirtualMemory or NtWriteVirtualMemory on the same target. ETW Threat Intelligence Provider (`Microsoft-Windows-Threat-Intelligence`) emits ProtectVirtualMemory and AllocVirtualMemory events for cross-process actions; correlating query-then-write is a strong injection heuristic.

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtQueryVirtualMemory (SSN 0x23, all builds)
NtQueryVirtualMemory PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 23h          ; SSN
    syscall
    ret
NtQueryVirtualMemory ENDP

cAMSI mapping locator

// Walk the host VA space and locate amsi.dll's image mapping using
// MemoryMappedFilenameInformation -> AmsiScanBuffer can then be patched.
#include <windows.h>

#define MemoryMappedFilenameInformation 2

typedef NTSTATUS (NTAPI *pNtQueryVirtualMemory)(
    HANDLE, PVOID, ULONG, PVOID, SIZE_T, PSIZE_T);

PVOID FindAmsi(void) {
    pNtQueryVirtualMemory NtQueryVirtualMemory =
        (pNtQueryVirtualMemory)GetProcAddress(
            GetModuleHandleA("ntdll.dll"), "NtQueryVirtualMemory");

    BYTE buf[1024];
    SIZE_T ret;
    for (ULONG_PTR addr = 0x10000; addr < 0x7FFFFFFFFFFF; addr += 0x10000) {
        if (NtQueryVirtualMemory((HANDLE)-1, (PVOID)addr,
                MemoryMappedFilenameInformation, buf, sizeof buf, &ret) == 0) {
            UNICODE_STRING *us = (UNICODE_STRING*)buf;
            if (wcsstr(us->Buffer, L"\\amsi.dll"))
                return (PVOID)addr;
        }
    }
    return NULL;
}

rustMEMORY_BASIC_INFORMATION sweep

// Cargo: windows-sys = "0.59" (Win32_System_Memory, Win32_Foundation)
use windows_sys::Win32::System::Memory::*;
use windows_sys::Win32::Foundation::HANDLE;

// Find RWX regions in a remote process — implant validation, EDR audit, or victim recon.
pub unsafe fn find_rwx(proc_handle: HANDLE) -> Vec<usize> {
    let mut out = Vec::new();
    let mut addr: usize = 0;
    let mut mbi: MEMORY_BASIC_INFORMATION = core::mem::zeroed();
    while VirtualQueryEx(proc_handle, addr as _, &mut mbi,
                         core::mem::size_of_val(&mbi)) != 0 {
        if mbi.State == MEM_COMMIT && mbi.Protect == PAGE_EXECUTE_READWRITE {
            out.push(mbi.BaseAddress as usize);
        }
        addr = mbi.BaseAddress as usize + mbi.RegionSize;
    }
    out
}

MITRE ATT&CK mappings

Last verified: 2026-05-20