Revision as of 01:07, 15 July 2022 edit 72.83.84.113 (talk) Updating reference to current ZDNET URL ← Previous edit		Revision as of 19:55, 4 April 2023 edit undo Rkieferbaum (talk \| contribs) Autopatrolled, Extended confirmed users, New page reviewers, Pending changes reviewers, Rollbackers 29,861 edits m v2.05 - Fix errors for CW project (Link equal to linktext) Tag: WPCleaner Next edit →
Line 11: == Hooking == Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, [[~~Hooking\|~~hooking]] SSDT calls is often used as a technique in both Windows [[rootkit\|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web\|url=http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one\|title= Windows rootkits of 2005, part one\|work=Symantec\|year=2005}}</ref><ref name="ZDNET2010">{{Cite web\|url=https://www.zdnet.com/article/attack-defeats-most-antivirus-software/ \|year=2010\|title=Attack defeats 'most' antivirus software\|work=ZD Net UK}}</ref> In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)\|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/>

System Service Descriptor Table: Difference between revisions