Wikipedia

System Service Descriptor Table

The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows.

Function

The SSDT maps syscalls to kernel function addresses. When a user space application issues a syscall, it passes the service index as a parameter to indicate which syscall is being called. The SSDT is then used to resolve the address of the corresponding function within ntoskrnl.exe.

In modern Windows kernels, two SSDTs are used: one for generic routines (KeServiceDescriptorTable) and a second (KeServiceDescriptorTableShadow) for graphical routines. A parameter passed by the calling userspace application determines which of the two SSDTs is used.

Hooking

Modifying the SSDT allows syscalls to be redirected to routines outside the kernel. These routines can be used either to hide the presence of software or to act as a backdoor that gives attackers persistent code execution with kernel privileges. For both reasons, hooking SSDT calls is a technique commonly used by Windows kernel mode rootkits and by antivirus software.[1][2]

In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to exploits using race conditions to attack the products' security checks.[2]
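The dispatch described under Function, and the integrity check that the hooking described above motivates, as an added example in C that is not part of the article. It models the two descriptor tables with constructed data (a fake ntoskrnl.exe image range, a fake win32k range, and a table entry redirected outside the kernel image); the assumption that bit 12 of the service number selects the shadow table follows the x64 Windows convention and is a modelling choice here, not something the article states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of one descriptor, loosely after KSERVICE_TABLE_DESCRIPTOR (constructed, not the kernel's definition). */
typedef struct {
    const uint64_t *service_table; /* ServiceTableBase: one routine address per index */
    uint32_t count;                /* NumberOfServices */
} service_table_t;

enum { NT_TABLE = 0, W32K_TABLE = 1 }; /* KeServiceDescriptorTable / ...Shadow */

/* Resolve a service number as the dispatcher would: bit 12 selects the table
 * (assumption modelled on x64 Windows), the low 12 bits index into it.
 * Returns 0 when the index is outside the table. */
uint64_t ssdt_resolve(const service_table_t tables[2], uint32_t service_number) {
    uint32_t which = (service_number >> 12) & 1;
    uint32_t index = service_number & 0xFFF;
    if (index >= tables[which].count) return 0;
    return tables[which].service_table[index];
}

/* Integrity check used by forensic and anti-rootkit tools: every entry of the
 * generic table should point inside the kernel image (ntoskrnl.exe). Entries
 * that do not are reported as hooked; their indices go to out[], up to out_cap. */
size_t ssdt_find_hooks(const service_table_t *t, uint64_t image_base, uint64_t image_size,
                       uint32_t *out, size_t out_cap) {
    size_t hooked = 0;
    for (uint32_t i = 0; i < t->count; i++) {
        uint64_t addr = t->service_table[i];
        if (addr < image_base || addr >= image_base + image_size) {
            if (hooked < out_cap) out[hooked] = i;
            hooked++;
        }
    }
    return hooked;
}

/* Constructed sample: fake image ranges and four generic services, with
 * index 2 redirected to an address that lies outside ntoskrnl.exe. */
#define NTOS_BASE 0xFFFFF80000000000ULL
#define NTOS_SIZE 0x800000ULL
#define W32K_BASE 0xFFFFF97FFF000000ULL
static const uint64_t nt_services[4] = { NTOS_BASE + 0x1000, NTOS_BASE + 0x2000,
                                         0xFFFFF88001230000ULL, NTOS_BASE + 0x4000 };
static const uint64_t w32k_services[2] = { W32K_BASE + 0x100, W32K_BASE + 0x200 };
const service_table_t sample_tables[2] = { { nt_services, 4 }, { w32k_services, 2 } };

int main(void) {
    uint32_t hooked[4];
    size_t n = ssdt_find_hooks(&sample_tables[NT_TABLE], NTOS_BASE, NTOS_SIZE, hooked, 4);
    for (size_t i = 0; i < n; i++)
        printf("service %u points outside ntoskrnl: %#llx\n", hooked[i],
               (unsigned long long)nt_services[hooked[i]]);
    return 0;
}
```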

See also

Windows API
Native API
Rootkit

References

  1. "Windows rootkits of 2005, part one". Symantec. 2005.
  2. "Attack defeats 'most' antivirus software". ZDNet UK. 2010.
