System Service Descriptor Table: Difference between revisions

Content deleted Content added
m remove high-level category ("Rootkits") if in its subcategory ("Windows rootkit techniques")
Updating reference to current ZDNET URL
Line 11:
== Hooking ==
 
Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, [[Hooking|hooking]] SSDT calls is often used as a technique in both Windows [[rootkit|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web|url=http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one|title= Windows rootkits of 2005, part one|work=Symantec|year=2005}}</ref><ref name="ZDNET2010">{{Cite web|url=httphttps://www.zdnet.co.ukcom/news/security-threats/2010/05/11article/attack-defeats-most-antivirus-software-40088896/ |year=2010|title=Attack defeats 'most' antivirus software|work=ZD Net UK}}</ref>
 
In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/>