type: technique
confidence: high
created: 2026-06-04
updated: 2026-06-04
mitre-attck: discovery, defense-evasion

NtQuerySystemInformation Module Enumeration

Using NtQuerySystemInformation with SystemModuleInformation (class 5) returns the list of loaded kernel modules and their base addresses. Malware uses this to detect specific drivers (VM tools, EDR, sandbox hooks) or to locate ntdll.dll / kernel32.dll for runtime API resolution.

Detection / Fingerprint

  • NtQuerySystemInformation(5, buffer, size, &ret_len) where 5 = SystemModuleInformation
  • Walk returned SYSTEM_MODULE_INFORMATION array, comparing module names
  • Extract field at offset 0x2c (module load count / flags) from matching entry

Implementation Patterns

SilverFox uses this in FUN_140005c00 to locate a specific module by its decrypted name and read a DWORD from that module's info block^[ghidra:FUN_140005c00]. This is likely an EDR/driver-targeting or anti-VM gate.

// Reconstructed x64 entry layout; right-hand comments give the offset and the field name
// in the public RTL_PROCESS_MODULE_INFORMATION, which has the same layout.
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    ULONG  Unknown1;          // 0x00  HANDLE Section (low half)
    ULONG  Unknown2;          // 0x04  HANDLE Section (high half)
    ULONG  Unknown3;          // 0x08  PVOID MappedBase (low half)
    ULONG  Unknown4;          // 0x0c  PVOID MappedBase (high half)
    PVOID  Base;              // 0x10  ImageBase
    ULONG  Size;              // 0x18  ImageSize
    ULONG  Flags;             // 0x1c  Flags
    USHORT Index;             // 0x20  LoadOrderIndex
    USHORT NameOffset;        // 0x22  InitOrderIndex
    USHORT LoadCount;         // 0x24 from entry start; 0x2c from the start of the returned
                              // buffer for the first entry (after the 8-byte module-count header)
    USHORT ModuleNameOffset;  // 0x26  OffsetToFileName: index of the basename within Name
    CHAR   Name[256];         // 0x28  FullPathName; one entry is 0x128 bytes on x64
} SYSTEM_MODULE_INFORMATION_ENTRY;

Reproduce on Your Own VMs

Call NtQuerySystemInformation(5, ...) and dump module names. Compare against CreateToolhelp32Snapshot + Module32First user-mode enumeration. The kernel view reveals drivers and mapped sections hidden from user-mode tools.
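The following C program is an added example written for this page; it is not SilverFox's code and not from the page's author. It covers the fingerprint above (walk the returned array, compare basenames, read LoadCount) and the reproduction step: on Windows it queries the live kernel module list, elsewhere it runs on a constructed sample buffer so the parser and the offset arithmetic can be checked offline. Assumptions: the x64 entry layout equals the public RTL_PROCESS_MODULE_INFORMATION (the page's Unknown1..4 are Section + MappedBase and its Base is ImageBase); the class constant is taken from the native API headers (phnt ntexapi.h), where SystemModuleInformation is 11 (0x0B), so compare the value the page gives against those headers before keying a detection on it; the sample paths, addresses and load counts are made up. load_count_buffer_offset() shows why the page's 0x2c and the struct's 0x24 agree: the first entry's LoadCount sits 0x2c bytes from the start of the returned buffer, after the 8-byte module-count header.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SYSTEM_MODULE_INFORMATION_CLASS 11   /* assumption: value from phnt ntexapi.h */

/* One entry, x64 layout, named as in the public RTL_PROCESS_MODULE_INFORMATION. */
typedef struct {
    uint64_t Section;           /* 0x00  page: Unknown1/Unknown2 */
    uint64_t MappedBase;        /* 0x08  page: Unknown3/Unknown4 */
    uint64_t ImageBase;         /* 0x10  page: Base */
    uint32_t ImageSize;         /* 0x18 */
    uint32_t Flags;             /* 0x1c */
    uint16_t LoadOrderIndex;    /* 0x20 */
    uint16_t InitOrderIndex;    /* 0x22 */
    uint16_t LoadCount;         /* 0x24 */
    uint16_t OffsetToFileName;  /* 0x26  index of the basename inside FullPathName */
    char     FullPathName[256]; /* 0x28  sizeof(entry) == 0x128 */
} module_entry_t;

typedef struct {
    uint32_t NumberOfModules, Reserved;  /* 0x00 count, 0x04 x64 alignment padding */
    module_entry_t Modules[];            /* 0x08: NumberOfModules entries follow */
} module_list_t;

/* First entry's LoadCount from the buffer start: 8-byte header + 0x24 = the page's 0x2c. */
size_t load_count_buffer_offset(void) {
    return offsetof(module_list_t, Modules) + offsetof(module_entry_t, LoadCount);
}

static int name_eq(const char *a, const char *b) {  /* case-insensitive ASCII compare */
    for (; *a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b); a++, b++) {}
    return *a == *b;
}

/* Walk the entries; on a basename match store LoadCount/ImageBase and return 1.
 * Returns 0 when absent or when the buffer is shorter than NumberOfModules implies. */
int find_module(const uint8_t *buf, size_t len, const char *basename,
                uint16_t *load_count, uint64_t *image_base) {
    const module_list_t *list = (const module_list_t *)buf;
    if (len < offsetof(module_list_t, Modules)) return 0;
    if (list->NumberOfModules > (len - offsetof(module_list_t, Modules)) / sizeof(module_entry_t)) return 0;
    for (uint32_t i = 0; i < list->NumberOfModules; i++) {
        const module_entry_t *e = &list->Modules[i];
        if (e->OffsetToFileName >= sizeof e->FullPathName ||
            !memchr(e->FullPathName, 0, sizeof e->FullPathName)) continue;  /* malformed entry */
        if (!name_eq(e->FullPathName + e->OffsetToFileName, basename)) continue;
        if (load_count) *load_count = e->LoadCount;
        if (image_base) *image_base = e->ImageBase;
        return 1;
    }
    return 0;
}

/* Constructed sample standing in for a live result: two entries with made-up addresses. */
static union { uint64_t align; uint8_t bytes[8 + 2 * sizeof(module_entry_t)]; } g_sample;
const uint8_t *sample_buffer(size_t *len) {
    static const char *paths[2] = { "\\SystemRoot\\system32\\ntoskrnl.exe",
                                    "\\SystemRoot\\System32\\drivers\\example.sys" };
    module_list_t *list = (module_list_t *)g_sample.bytes;
    memset(&g_sample, 0, sizeof g_sample);
    list->NumberOfModules = 2;
    for (int i = 0; i < 2; i++) {
        module_entry_t *e = &list->Modules[i];
        e->ImageBase = 0xFFFFF80000000000ULL + (uint64_t)i * 0x100000;
        e->LoadCount = (uint16_t)(i == 0 ? 1 : 3);
        strncpy(e->FullPathName, paths[i], sizeof e->FullPathName - 1);
        e->OffsetToFileName = (uint16_t)(strrchr(paths[i], '\\') - paths[i] + 1);
    }
    *len = sizeof g_sample;
    return g_sample.bytes;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
/* Live query: grow the buffer until the call stops returning STATUS_INFO_LENGTH_MISMATCH. */
uint8_t *query_live(size_t *len) {
    NtQSI_t fn = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    ULONG size = 0x10000, ret = 0; LONG st; uint8_t *buf;
    if (!fn) return NULL;
    for (;;) {
        if (!(buf = malloc(size))) return NULL;
        if ((st = fn(SYSTEM_MODULE_INFORMATION_CLASS, buf, size, &ret)) != (LONG)0xC0000004) break;
        free(buf); size = ret > size ? ret : size * 2;
    }
    if (st != 0) { free(buf); return NULL; }
    *len = ret; return buf;
}
#endif
int main(void) {
    size_t len = 0; uint16_t lc = 0; uint64_t base = 0;
#ifdef _WIN32
    uint8_t *buf = query_live(&len);           /* real kernel module list */
#else
    const uint8_t *buf = sample_buffer(&len);  /* offline: constructed data only */
#endif
    if (buf && find_module(buf, len, "ntoskrnl.exe", &lc, &base))
        printf("ntoskrnl.exe: ImageBase=0x%llx LoadCount=%u\n", (unsigned long long)base, lc);
    return buf ? 0 : 1;
}
```

On a Windows VM the same find_module() runs over the live buffer from query_live(); to dump every loaded driver for a baseline, iterate the entries and print FullPathName instead of stopping at the first match. The bounds check against NumberOfModules matters on real output, since a driver can load between the size-probing call and the final call.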

Defensive Countermeasures

  • ETW: monitor NtQuerySystemInformation calls with class 5 from non-system processes
  • EDR: hook NtQuerySystemInformation at kernel level for class-specific filters
  • Hunt: benign user-mode processes rarely query SystemModuleInformation; flag usage in unknown binaries