System Service Dispatch Table

From Wikipedia, the free encyclopedia
Jump to: navigation, search

The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows.

Hooking SSDT calls is often used as a technique in both Windows rootkits and antivirus software.[1][2]

In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to exploits using race conditions to attack the products' security checks.[2]

Structure of the SSDT[edit]

typedef struct _KSERVICE_DESCRIPTOR_TABLE
{
    PULONG ServiceTableBase; 
    PULONG ServiceCounterTableBase; 
    ULONG NumberOfServices; 
    PUCHAR ParamTableBase; 
}KSERVICE_DESCRIPTOR_TABLE,*PKSERVICE_DESCRIPTOR_TABLE;

The pointer to this structure is KeServiceDescriptorTable, exported by ntoskrnl.exe.

References[edit]