Для того чтобы проверить, заполнена ли LoaderData у процесса.

BOOLEAN CheckForKernelLDR(ULONG ProcessId)
{
PEPROCESS pEPROC;
KAPC_STATE ApcState;
NTSTATUS Status;
BOOLEAN bResult = FALSE;
HANDLE hProcess;
PROCESS_BASIC_INFORMATION pbi;

do
{
hProcess = OpenProcess((HANDLE)ProcessId, PROCESS_ALL_ACCESS);
if (!hProcess) {
break;
}

Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL);
if (NT_ERROR(Status)) {
ZwClose(hProcess);
break;
}

ZwClose(hProcess);
Status = PsLookupProcessByProcessId((PVOID)ProcessId, &pEPROC);
if (NT_ERROR(Status)) {
break;
}

KeStackAttachProcess((PKPROCESS)pEPROC, &ApcState);
bResult = ((PLDR_MODULE)pbi.PebBaseAddress->LoaderData->InInitializationOrderModuleList.Flink)->LoadCount > 0;
KeUnstackDetachProcess(&ApcState);
ObDereferenceObject(pEPROC);

} while (FALSE);

return bResult;
}