System Service Descriptor Table

The '''System Service Descriptor Table''' ('''SSDT''') is an internal [[dispatch table]] within [[Microsoft Windows]].
 
== Function ==
 
The SSDT maps syscalls to kernel function addresses.
When a [[user space]] application issues a syscall, it passes a service index as a parameter to indicate which system service is being requested. The SSDT is then used to resolve the index to the address of the corresponding function within ntoskrnl.exe.
 
Modern Windows kernels use two SSDTs: one for generic routines (''KeServiceDescriptorTable'') and a second (''KeServiceDescriptorTableShadow'') for graphical routines. A parameter passed by the calling userspace application determines which of the two tables is used.
 
== Hooking ==
 
Modifying the SSDT makes it possible to redirect syscalls to routines outside the kernel. Such routines can be used either to hide the presence of software or to act as a backdoor that gives attackers persistent code execution with kernel privileges. For both reasons, [[hooking]] SSDT calls is a technique used by both Windows [[rootkit|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a3624787-b8a3-42f6-b33a-3f30181c4ce6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|title= Windows rootkits of 2005, part one|work=Symantec|year=2005}}</ref><ref name="ZDNET2010">{{Cite web|url=https://www.zdnet.com/article/attack-defeats-most-antivirus-software/ |year=2010|title=Attack defeats 'most' antivirus software|work=ZD Net UK}}</ref>
 
In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/>
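The index-to-address resolution described under Function, together with the table-integrity check that anti-rootkit and antivirus tools perform to spot the hooks described above, as an added example that is not Windows source code. The addresses and image ranges are constructed, the tables hold plain absolute addresses for clarity (the real x64 table stores encoded relative offsets), and the use of bit 12 of the index to select the shadow table is the conventional layout assumed here.

```c
/* Simulated SSDT dispatch plus a hook-consistency check.
 * Added example with constructed values, not real Windows kernel data. */
#include <stdint.h>
#include <stdbool.h>

#define SHADOW_BIT 0x1000u  /* bit 12 of the service index selects the shadow table */
#define INDEX_MASK 0x0FFFu  /* low 12 bits: position within the chosen table */

typedef struct {
    const uint64_t *base;   /* array of routine addresses (simplified KiServiceTable) */
    uint32_t        limit;  /* number of entries */
} service_table_t;

typedef struct { uint64_t start, end; } image_range_t;  /* [start, end) */

/* Constructed image bounds and routine addresses. */
const image_range_t g_ntoskrnl = { 0xFFFFF80000000000ull, 0xFFFFF80000800000ull };
const image_range_t g_win32k   = { 0xFFFFF96000000000ull, 0xFFFFF96000400000ull };
const uint64_t g_nt_table[3] = {
    0xFFFFF80000001000ull,  /* index 0: legitimate routine inside ntoskrnl */
    0xFFFFF80000001100ull,  /* index 1: legitimate */
    0xFFFFF88000002000ull   /* index 2: patched to point at a third-party driver */
};
const uint64_t g_w32k_table[2] = { 0xFFFFF96000010000ull, 0xFFFFF96000010200ull };
const service_table_t g_tables[2] = {
    { g_nt_table,   3 },    /* stands in for KeServiceDescriptorTable */
    { g_w32k_table, 2 }     /* stands in for KeServiceDescriptorTableShadow */
};

/* Dispatch step: pick the table from bit 12, bounds-check, read the entry.
 * Returns 0 for an index past the table limit. */
uint64_t ssdt_resolve(const service_table_t tables[2], uint32_t index) {
    const service_table_t *t = &tables[(index & SHADOW_BIT) ? 1 : 0];
    uint32_t i = index & INDEX_MASK;
    return (i < t->limit) ? t->base[i] : 0;
}

/* Integrity check in the style of anti-rootkit tools: every entry must lie
 * inside the image that is supposed to implement it. Returns the number of
 * entries outside that image and records the first such index (UINT32_MAX if none). */
uint32_t ssdt_find_hooks(const service_table_t *t, image_range_t expected,
                         uint32_t *first_index) {
    uint32_t hooked = 0;
    *first_index = UINT32_MAX;
    for (uint32_t i = 0; i < t->limit; i++) {
        bool inside = t->base[i] >= expected.start && t->base[i] < expected.end;
        if (!inside) {
            if (hooked == 0) *first_index = i;
            hooked++;
        }
    }
    return hooked;
}
```

A real checker additionally verifies that the in-image target matches the exported or symbol-resolved routine, since a hook can also live inside the kernel image via an inline patch rather than a table edit.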
 
== See also ==
 
* [[Windows API]]
* [[Native API]]
* [[Rootkit]]
 
== References ==
{{Reflist}}
 
{{Windows-stub}}
 
[[Category:Windows technology]]
[[Category:Computer security]]
[[Category:Windows NT kernel]]
[[Category:Windows rootkit techniques]]