System Service Descriptor Table: Difference between revisions

{{context|date=August 2021}}
The '''System Service Descriptor Table''' ('''SSDT''') is an internal [[dispatch table]] within [[Microsoft Windows]].
 
== Hooking ==
 
Modifying the SSDT allows system calls to be redirected to routines outside the kernel's own implementation, typically code in a loaded driver. Such routines can be used either to hide the presence of software or to act as a backdoor that gives an attacker permanent code execution with kernel privileges. For both reasons, [[hooking]] SSDT calls is often used as a technique in both Windows [[rootkit|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a3624787-b8a3-42f6-b33a-3f30181c4ce6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|title= Windows rootkits of 2005, part one|work=Symantec|year=2005}}</ref><ref name="ZDNET2010">{{Cite web|url=https://www.zdnet.com/article/attack-defeats-most-antivirus-software/ |year=2010|title=Attack defeats 'most' antivirus software|work=ZD Net UK}}</ref>
 
In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)|exploits]] using [[race condition]]s to defeat the products' security checks: a hook validates a system call's caller-supplied arguments, another thread changes them, and the original kernel service then operates on the substituted values.<ref name="ZDNET2010"/>
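As an added illustration (not code from this article, from Windows, or from any of the products cited), the following C program models a dispatch table of service routines, installs a hook in the way the section above describes, and reproduces the race condition behind the 2010 attacks: the hook checks a caller-supplied argument, a second thread swaps it during the window before the original service runs, and the service then acts on the substituted value. The table layout and every name here (<code>ssdt</code>, <code>svc_open_impl</code>, <code>do_syscall</code>, the status codes, the simulated <code>preempt</code> callback that stands in for thread scheduling) are assumptions of this model; it runs entirely in user mode. Real SSDT entries are function pointers on 32-bit Windows and encoded offsets on x64, where Kernel Patch Protection makes overwriting the table crash the system.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of an SSDT-style dispatch table (added illustration, not Windows code).
 * Service routines receive a pointer to a caller-controlled argument block, just as
 * real system services receive user-mode buffers. */
#define SVC_OPEN   0
#define SVC_COUNT  1

#define ST_SECRET_OPENED  42L   /* the service handed out the protected object */
#define ST_OK              1L   /* a benign object was opened */
#define ST_ACCESS_DENIED  -1L   /* the hook refused the call */

typedef struct { const char *path; } open_args_t;
typedef long (*service_fn)(open_args_t *a);

static const char *PROTECTED_PATH = "C:\\secret.txt";   /* constructed sample object */

/* The genuine service: it fetches a->path from caller memory itself. */
static long svc_open_impl(open_args_t *a) {
    return strcmp(a->path, PROTECTED_PATH) == 0 ? ST_SECRET_OPENED : ST_OK;
}

/* The dispatch table: system call number -> service routine. */
static service_fn ssdt[SVC_COUNT] = { svc_open_impl };
static service_fn original_open = NULL;

/* Hooking = overwriting a table slot after saving the old entry. */
static void install_hook(service_fn hook) {
    original_open = ssdt[SVC_OPEN];
    ssdt[SVC_OPEN] = hook;
}
static void uninstall_hook(void) {
    ssdt[SVC_OPEN] = original_open;
    original_open = NULL;
}

/* The dispatcher: index the table with the system call number. */
static long do_syscall(int number, open_args_t *a) {
    return ssdt[number](a);
}

/* Simulated preemption: when set, runs in the window between the hook's
 * check and its call into the original service (a real attack relies on
 * the scheduler to land a second thread here). */
static void (*preempt)(open_args_t *) = NULL;

/* The attacker's second thread: replace the argument after it was checked. */
static void attacker_swap_argument(open_args_t *a) {
    a->path = PROTECTED_PATH;
}

/* Vulnerable hook: validates a->path, then lets the original fetch a->path again. */
static long hooked_open_vulnerable(open_args_t *a) {
    if (strcmp(a->path, PROTECTED_PATH) == 0)
        return ST_ACCESS_DENIED;
    if (preempt) preempt(a);          /* the race window */
    return original_open(a);          /* second fetch sees the swapped value */
}

/* Hardened hook: copy the argument into memory the caller cannot modify,
 * validate the copy, and pass only the copy to the original service. */
static long hooked_open_safe(open_args_t *a) {
    char copy[64];
    open_args_t local;
    strncpy(copy, a->path, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    local.path = copy;
    if (strcmp(local.path, PROTECTED_PATH) == 0)
        return ST_ACCESS_DENIED;
    if (preempt) preempt(a);          /* same window, but a->path is never read again */
    return original_open(&local);
}

/* Scenario 1: the caller asks for the protected path outright. */
long open_protected_directly(service_fn hook) {
    open_args_t args = { PROTECTED_PATH };
    install_hook(hook);
    preempt = NULL;
    long r = do_syscall(SVC_OPEN, &args);
    uninstall_hook();
    return r;
}

/* Scenario 2: the caller asks for a benign path while a second thread races the hook. */
long open_benign_with_race(service_fn hook) {
    open_args_t args = { "C:\\benign.txt" };
    install_hook(hook);
    preempt = attacker_swap_argument;
    long r = do_syscall(SVC_OPEN, &args);
    preempt = NULL;
    uninstall_hook();
    return r;
}

int main(void) {
    printf("vulnerable hook, direct request: %ld\n", open_protected_directly(hooked_open_vulnerable));
    printf("vulnerable hook, raced request:  %ld\n", open_benign_with_race(hooked_open_vulnerable));
    printf("hardened hook, raced request:    %ld\n", open_benign_with_race(hooked_open_safe));
    return 0;
}
```

Both hooks refuse a direct request for the protected object, but only the hardened one survives the race: it fetches the argument once into its own buffer, so the value the caller swaps in afterwards is never seen by the original service. That single-fetch-then-copy discipline is the standard remedy for time-of-check-to-time-of-use bugs in any code that validates caller-controlled memory before a privileged routine uses it.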
[[Category:Windows technology]]
[[Category:Computer security]]
[[Category:Rootkits]]
[[Category:Windows NT kernel]]
[[Category:Windows rootkit techniques]]