The '''System Service Descriptor Table''' ('''SSDT''') is an internal [[dispatch table]] within [[Microsoft Windows]].
Line 10 ⟶ 11:
== Hooking ==
Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permantentpermanent code execution with kernel privileges. For both reasons, [[Hooking|hooking]] SSDT calls is often used as a technique in both Windows [[rootkit|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web|url=http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one|title= Windows rootkits of 2005, part one|work=Symantec|year=2005}}</ref><ref name="ZDNET2010">{{Cite web|url=http://www.zdnet.co.uk/news/security-threats/2010/05/11/attack-defeats-most-antivirus-software-40088896/ |year=2010|title=Attack defeats 'most' antivirus software|work=ZD Net UK}}</ref>
For both reasons, [[Hooking|hooking]] SSDT calls is often used as a technique in both Windows [[rootkit|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web|url=http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one|title= Windows rootkits of 2005, part one|work=Symantec|year=2005}}</ref><ref name="ZDNET2010">{{Cite web|url=http://www.zdnet.co.uk/news/security-threats/2010/05/11/attack-defeats-most-antivirus-software-40088896/ |year=2010|title=Attack defeats 'most' antivirus software|work=ZD Net UK}}</ref>
In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/>
