• DocumentCode
    1580457
  • Title
    A way to restore the System Service Dispatch Table from user-space
  • Author
    Quan, Daiyong ; Luan, Guosen ; Wang, Keliang
  • Author_Institution
    College of Computer and Information Technology China Three Gorges University, Yichang, Hubei Province, 443002, China
  • fYear
    2012
  • Firstpage
    339
  • Lastpage
    341
  • Abstract
    Win32 kernel rootkits modify the behavior of the system by hooking the entries within the kernel's System Service Dispatch Table (SSDT). How to restore an SSDT modified by malicious code has become a very important issue for an administrator who wants to ensure the safe operation of the system. This article reviews the technique of kernel Native API hooking and proposes a way to restore the SSDT directly from user-space via the \Device\PhysicalMemory object, which does not require a kernel driver to be loaded. Security tools that use a similar hooking technique to implement some of their security features should take additional steps to prevent the restoration of their SSDT entries.
  • Keywords
    Native API; Restoring; Root kits; SSDT;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    World Automation Congress (WAC), 2012
  • Conference_Location
    Puerto Vallarta, Mexico
  • ISSN
    2154-4824
  • Print_ISBN
    978-1-4673-4497-5
  • Type
    conf
  • Filename
    6321292