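rule:
  meta:
    name: make suspicious NtQuerySystemInformation call
    namespace: exploitation/enumeration
    authors:
      - zdw@google.com
    description: look for suspicious NtQuerySystemInformation calls used to enumerate kernel information in LPEs
    scopes:
      # static: every feature below must co-occur within one basic block;
      # dynamic: the match is made on a single API call record
      static: basic block
      dynamic: call
    references:
      - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/query.htm?tx=61
    examples:
      - cb0ce85efef94a4f7eacb4571ebf71b12ebbf9fb9faba96e853552822668aa22.exe_:0x140001260
  features:
    - and:
      - os: windows
      - api: NtQuerySystemInformation
      # SystemInformationClass values that disclose kernel addresses from
      # user mode (module bases, object pointers, pool allocations) - the
      # typical KASLR-bypass step in a local privilege escalation chain.
      # NOTE(review): in the static scope the `number` feature matches any
      # immediate in the basic block, not specifically the class argument,
      # so small values such as 0xb / 0x10 may produce false positives; the
      # example offset above is the reference true positive.
      - or:
        - number: 0xb = SystemModuleInformation
        - number: 0x10 = SystemHandleInformation
        - number: 0x40 = SystemExtendedHandleInformation
        - number: 0x42 = SystemBigPoolInformation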