Revision as of 19:55, 4 April 2023 edit Rkieferbaum (talk \| contribs) Autopatrolled, Extended confirmed users, New page reviewers, Pending changes reviewers, Rollbackers 29,861 edits m v2.05 - Fix errors for CW project (Link equal to linktext) Tag: WPCleaner ← Previous edit		Latest revision as of 22:44, 29 April 2024 edit undo GreenC bot (talk \| contribs) Bots 3,054,792 edits Move 1 url. Wayback Medic 2.5 per WP:URLREQ#symantec.com
Line 11: == Hooking == Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, [[hooking]] SSDT calls is often used as a technique in both Windows [[rootkit\|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web\|url=~~http~~https://~~www~~community.~~symantec~~broadcom.com/~~connect~~symantecenterprise/~~articles~~communities/~~windows~~community-~~rootkits~~home/librarydocuments/viewdocument?DocumentKey=a3624787-b8a3-42f6-b33a-3f30181c4ce6&CommunityKey=1ecf5f55-9545-~~2005~~44d6-~~part~~b0f4-~~one~~4e4a7f5f5e68&tab=librarydocuments\|title= Windows rootkits of 2005, part one\|work=Symantec\|year=2005}}</ref><ref name="ZDNET2010">{{Cite web\|url=https://www.zdnet.com/article/attack-defeats-most-antivirus-software/ \|year=2010\|title=Attack defeats 'most' antivirus software\|work=ZD Net UK}}</ref> In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)\|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/>

System Service Descriptor Table: Difference between revisions