System Service Descriptor Table: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 01:07, 15 July 2022 edit 72.83.84.113 (talk) Updating reference to current ZDNET URL ← Previous edit		Latest revision as of 22:44, 29 April 2024 edit undo GreenC bot (talk \| contribs) Bots 3,054,792 edits Move 1 url. Wayback Medic 2.5 per WP:URLREQ#symantec.com
(One intermediate revision by one other user not shown)
Line 11: == Hooking == Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, [[~~Hooking\|~~hooking]] SSDT calls is often used as a technique in both Windows [[rootkit\|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web\|url=~~http~~https://~~www~~community.~~symantec~~broadcom.com/~~connect~~symantecenterprise/~~articles~~communities/~~windows~~community-~~rootkits~~home/librarydocuments/viewdocument?DocumentKey=a3624787-~~2005~~b8a3-~~part~~42f6-~~one~~b33a-3f30181c4ce6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments\|title= Windows rootkits of 2005, part one\|work=Symantec\|year=2005}}</ref><ref name="ZDNET2010">{{Cite web\|url=https://www.zdnet.com/article/attack-defeats-most-antivirus-software/ \|year=2010\|title=Attack defeats 'most' antivirus software\|work=ZD Net UK}}</ref> In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)\|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/>