System Service Dispatch Table
   HOME

TheInfoList



Click Here for Items Related To - System Service Dispatch Table
OR:
System Service Dispatch Table on:   [Wikipedia]   [Google]   [Amazon]

The System Service Descriptor Table (SSDT) is an internal
dispatch table In computer science, a dispatch table is a table of pointers or memory addresses to functions or methods. Use of such a table is a common technique when implementing late binding in object-oriented programming. In different programming langu ...
within
Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...
.


Function

The SSDT maps syscalls to kernel function addresses. When a syscall is issued by a
user space A modern computer operating system usually uses virtual memory to provide separate address spaces or regions of a single address space, called user space and kernel space. This separation primarily provides memory protection and hardware prote ...
application, it contains the service index as parameter to indicate which syscall is called. The SSDT is then used to resolve the address of the corresponding function within ntoskrnl.exe. In modern Windows kernels, two SSDTs are used: One for generic routines (''KeServiceDescriptorTable'') and a second (''KeServiceDescriptorTableShadow'') for graphical routines. A parameter passed by the calling userspace application determines which SSDT shall be used.


Hooking

Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons,
hooking In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed ...
SSDT calls is often used as a technique in both Windows kernel mode rootkits and
antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...
. In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to exploits using
race condition A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events, leading to unexpected or inconsistent ...
s to attack the products' security checks.


See also

*
Windows API The Windows API, informally WinAPI, is the foundational application programming interface (API) that allows a computer program to access the features of the Microsoft Windows operating system in which the program is running. Programs can acces ...
*
Native API The Native API is a lightweight application programming interface (API) used by Windows NT's kernel and user mode applications. This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavail ...
*
Rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the exist ...


References

{{Windows-stub Windows technology Computer security Windows NT kernel Windows rootkit techniques