The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows.
Function
The SSDT maps syscalls to kernel function addresses. When a user space application issues a syscall, the call carries a service index as a parameter that identifies which syscall is requested. The SSDT is then used to resolve the index to the address of the corresponding function within ntoskrnl.exe.
In modern Windows kernels, two SSDTs are used: one for generic routines (''KeServiceDescriptorTable'') and a second (''KeServiceDescriptorTableShadow'') for graphical routines. A parameter passed by the calling userspace application determines which SSDT is used.
Hooking
Modifying the SSDT redirects syscalls to routines outside the kernel. Such routines can be used either to hide the presence of software or to act as a backdoor that gives attackers persistent code execution with kernel privileges. For both reasons, hooking SSDT calls is a technique often used by both Windows kernel mode rootkits and antivirus software.
In 2010, many computer security products that relied on hooking SSDT calls were shown to be vulnerable to exploits that used race conditions to attack the products' security checks.
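The lookup described under Function and the table modification described under Hooking can both be shown on a small model. The following C program is an added example, not code from the original article or from Windows: it uses a simplified, user-mode stand-in for a service descriptor table (plain 64-bit routine addresses indexed by service number, not the real KeServiceDescriptorTable layout), resolves a service index to a handler while refusing out-of-range indexes, and then runs the two integrity checks a defender typically applies to such a table: flagging entries whose target lies outside the kernel image, and comparing the live table against a trusted snapshot. The kernel image bounds, table contents and the redirected entry are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified, user-mode model of a service descriptor table (hypothetical;
 * not the real KeServiceDescriptorTable layout): each entry holds the
 * absolute address of the routine that serves a given service index. */
typedef struct {
    const uint64_t *entries;   /* routine addresses, indexed by service number */
    size_t          count;     /* number of services in the table */
} service_table_t;

/* Address range of a loaded kernel image (constructed bounds for the demo). */
typedef struct {
    uint64_t base;
    uint64_t size;
} image_range_t;

/* Resolve a service index to a handler address. Returns 0 when the index is
 * outside the table: an invalid index must never be used to read past it. */
uint64_t ssdt_resolve(const service_table_t *t, size_t index)
{
    if (t == NULL || index >= t->count)
        return 0;
    return t->entries[index];
}

static bool in_range(uint64_t addr, image_range_t img)
{
    return addr >= img.base && addr - img.base < img.size;
}

/* Check 1: an entry whose target lies outside the kernel image cannot be one
 * of the kernel's own routines. Returns how many such entries exist and
 * stores the first offending index in *first_bad (when non-NULL). */
size_t ssdt_entries_outside_image(const service_table_t *t, image_range_t kernel,
                                  size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < t->count; i++) {
        if (!in_range(t->entries[i], kernel)) {
            if (bad == 0 && first_bad != NULL)
                *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Check 2: compare the live table with a trusted snapshot taken earlier.
 * This also catches a redirected entry that still points inside the kernel
 * image, which check 1 would not notice. A size mismatch counts as changed. */
size_t ssdt_diff_snapshot(const service_table_t *live, const service_table_t *snapshot,
                          size_t *first_changed)
{
    size_t changed = 0;
    size_t n = live->count < snapshot->count ? live->count : snapshot->count;
    for (size_t i = 0; i < n; i++) {
        if (live->entries[i] != snapshot->entries[i]) {
            if (changed == 0 && first_changed != NULL)
                *first_changed = i;
            changed++;
        }
    }
    if (live->count > snapshot->count)
        changed += live->count - snapshot->count;
    else
        changed += snapshot->count - live->count;
    return changed;
}

/* Constructed sample data: a 16 MiB kernel image, a clean four-entry table,
 * and a copy of it in which service 2 was redirected outside the image. */
static const image_range_t demo_kernel = { 0xFFFFF80000000000ULL, 0x1000000ULL };
static const uint64_t demo_clean[] = {
    0xFFFFF80000101000ULL, 0xFFFFF80000102000ULL,
    0xFFFFF80000103000ULL, 0xFFFFF80000104000ULL,
};
static const uint64_t demo_modified[] = {
    0xFFFFF80000101000ULL, 0xFFFFF80000102000ULL,
    0xFFFFF9A000001000ULL, 0xFFFFF80000104000ULL,  /* entry 2 points elsewhere */
};
const service_table_t demo_snapshot = { demo_clean, 4 };
const service_table_t demo_live     = { demo_modified, 4 };

int main(void)
{
    size_t idx = 0;
    printf("service 1 -> %#llx\n", (unsigned long long)ssdt_resolve(&demo_live, 1));
    printf("service 99 (out of range) -> %#llx\n",
           (unsigned long long)ssdt_resolve(&demo_live, 99));
    size_t n = ssdt_entries_outside_image(&demo_live, demo_kernel, &idx);
    printf("%zu entries outside the kernel image (first: %zu)\n", n, idx);
    n = ssdt_diff_snapshot(&demo_live, &demo_snapshot, &idx);
    printf("%zu entries differ from the snapshot (first: %zu)\n", n, idx);
    return 0;
}
```

The two checks are complementary: the range check needs no prior state but misses a redirection that lands inside the kernel image, while the snapshot comparison needs a trusted baseline (for example one taken from the on-disk kernel image) but catches any change at all.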
See also
* Windows API
* Native API
* Rootkit