== Hooking ==
Modifying the SSDT redirects system calls to routines outside the kernel image, typically in a loaded driver, which still execute in kernel mode. Such routines can be used either to hide the presence of software or to act as a backdoor that gives an attacker persistent code execution with kernel privileges. For both reasons, [[Hooking|hooking]] SSDT entries is a technique used by both Windows [[rootkit|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web|url=http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one|title= Windows rootkits of 2005, part one|work=Symantec|year=2005}}</ref><ref name="ZDNET2010">{{Cite web|url=
In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)|exploits]] using [[race condition]]s to attack the products' security checks: the hook validated arguments that still lived in user-mode memory, and a second thread could rewrite them after the check but before the original service routine consumed them (a time-of-check-to-time-of-use race).<ref name="ZDNET2010"/>
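The following is an added example, not code from the article or from any of the products it mentions. It models SSDT hooking and the check-then-use race in plain user-mode C so it runs anywhere: the "SSDT" is an array of function pointers, the "user buffer" is ordinary memory, and the moment at which the hooked thread could be preempted is modelled by an explicit callback instead of a real thread switch. All names (ssdt_sim, NtTerminateProcessSim, HookedTerminate_Vulnerable, HookedTerminate_Safe, run_race, the protected pid 4 and the benign pid 1234) are assumptions of the example.

```c
/* Added example (not from the article): a user-mode model of SSDT hooking
 * and of the check-then-use race that broke many hooking products in 2010.
 * Assumed names: ssdt_sim, NtTerminateProcessSim, HookedTerminate_*, run_race.
 * The thread switch between the hook's check and the original routine's use
 * is modelled by the preempt_point callback. */
#include <stdio.h>
#include <stdint.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)

#define PROTECTED_PID 4u        /* the process the filter is meant to protect (assumed) */

/* Syscall arguments as the caller lays them out in user memory. */
typedef struct { uint32_t pid; } TERMINATE_ARGS;

typedef NTSTATUS (*SYSCALL_FN)(TERMINATE_ARGS *user_args);

/* The modelled SSDT: one slot per system service, indexed by syscall number. */
enum { SYSCALL_TERMINATE_PROCESS = 0, SSDT_SIZE };
static SYSCALL_FN ssdt_sim[SSDT_SIZE];

/* Observable effect of the "kernel": which pid it actually terminated. */
static uint32_t last_terminated_pid = 0;

/* The genuine service: it reads the argument when *it* runs, not when the hook did. */
static NTSTATUS NtTerminateProcessSim(TERMINATE_ARGS *user_args) {
    last_terminated_pid = user_args->pid;
    return STATUS_SUCCESS;
}

/* Point where the hooked thread may be preempted; another user thread runs
 * here and may rewrite the buffer the hook already checked. */
static void (*preempt_point)(TERMINATE_ARGS *user_args) = NULL;

/* Saved original entry, kept so the filter can chain to the real service. */
static SYSCALL_FN original_terminate = NULL;

/* Vulnerable filter (the pattern attacked in 2010): validate the user buffer
 * in place, then hand the same pointer to the original routine. */
static NTSTATUS HookedTerminate_Vulnerable(TERMINATE_ARGS *user_args) {
    if (user_args->pid == PROTECTED_PID)           /* check ...               */
        return STATUS_ACCESS_DENIED;
    if (preempt_point) preempt_point(user_args);   /* ... another thread runs */
    return original_terminate(user_args);          /* ... use of a stale check */
}

/* Hardened filter: capture the arguments into kernel-owned memory once,
 * validate the copy, and pass only the copy on. The attacker can still race,
 * but can no longer change what the original routine consumes. */
static NTSTATUS HookedTerminate_Safe(TERMINATE_ARGS *user_args) {
    TERMINATE_ARGS captured = *user_args;          /* single read of user memory */
    if (captured.pid == PROTECTED_PID)
        return STATUS_ACCESS_DENIED;
    if (preempt_point) preempt_point(user_args);   /* the switch now hits a dead copy */
    return original_terminate(&captured);
}

/* Overwrite one SSDT slot and return the previous entry. */
static SYSCALL_FN install_hook(int index, SYSCALL_FN hook) {
    SYSCALL_FN old = ssdt_sim[index];
    ssdt_sim[index] = hook;
    return old;
}

/* Syscall dispatch: the stub looks up the slot and calls through it. */
static NTSTATUS do_syscall(int index, TERMINATE_ARGS *user_args) {
    return ssdt_sim[index](user_args);
}

/* The attacker's second thread: swap the benign pid for the protected one
 * after the filter has already approved the buffer. */
static void argument_switch(TERMINATE_ARGS *user_args) {
    user_args->pid = PROTECTED_PID;
}

/* Run the race once against a given filter. Returns the pid the kernel
 * terminated, or 0 if the filter refused the call. */
uint32_t run_race(SYSCALL_FN filter) {
    ssdt_sim[SYSCALL_TERMINATE_PROCESS] = NtTerminateProcessSim;   /* pristine table */
    original_terminate = install_hook(SYSCALL_TERMINATE_PROCESS, filter);
    preempt_point = argument_switch;
    last_terminated_pid = 0;
    TERMINATE_ARGS user_buf = { .pid = 1234u };    /* harmless at check time (assumed pid) */
    NTSTATUS st = do_syscall(SYSCALL_TERMINATE_PROCESS, &user_buf);
    return st == STATUS_SUCCESS ? last_terminated_pid : 0;
}

int main(void) {
    printf("vulnerable filter terminated pid %u\n", run_race(HookedTerminate_Vulnerable));
    printf("hardened filter terminated pid %u\n",  run_race(HookedTerminate_Safe));
    return 0;
}
```

With the vulnerable filter the protected process is terminated even though the filter approved a different pid; with the capturing filter the attacker's rewrite lands in a buffer nobody reads again. In a real driver the same discipline applies to every pointer-typed argument (capture once, probe, validate the copy), and on 64-bit Windows writing to the SSDT at all is detected by kernel patch protection, which is one reason both rootkits and security products moved away from this technique.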