SSDT-System-Service-Descriptor-Table

From aldeid

Description

The System Service Descriptor Table also called System Service Dispatch Table (SSDT) is a table that contains information about the service tables used by the operating system for dispatching system calls.

System Service Descriptor Table hooking is commonly used by malicious drivers.

Structure

typedef struct _KSERVICE_DESCRIPTOR_TABLE
{
    PULONG ServiceTableBase;        // array of pointers to the system service routines (the SSDT proper)
    PULONG ServiceCounterTableBase; // per-service call counters (only populated on checked builds)
    ULONG NumberOfServices;         // number of entries in ServiceTableBase
    PUCHAR ParamTableBase;          // bytes of stack parameters for each service
}KSERVICE_DESCRIPTOR_TABLE,*PKSERVICE_DESCRIPTOR_TABLE;

View the SSDT

The pointer to this structure is KeServiceDescriptorTable, exported by ntoskrnl.exe.

In WinDbg, you can view the SSDT structure as follows (L100 limits the output to 100 DWORDs):

kd> dd dwo(KeServiceDescriptorTable) L100
80501b8c  80599948 805e6db6 805ea5fc 805e6de8
80501b9c  805ea636 805e6e1e 805ea67a 805ea6be
80501bac  8060bdfe 8060cb50 805e21b4 805e1e0c
80501bbc  805cade6 805cad96 8060c424 805ab5ae
[SNIP]
80501dac  805e9c02 805ada08 806052dc 8056c0ce
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 f7c38486 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
80501dfc  805e3afa 80607266 8060e060 8056ddda
80501e0c  8061b97e 806193d4 8060d93e 805bb04c
[SNIP]

In the above example, one entry of the SSDT has been modified by a rootkit: the value f7c38486 (second DWORD of the row starting at 80501dcc) stands out because, unlike every other entry, which points into ntoskrnl.exe, it points into a different module.

To find out which function has been hooked, revert the virtual machine to a snapshot taken before the rootkit was installed, issue the same command, and compare the two dumps to recover the original address that the hook replaced:

Extract of the SSDT, rootkit active:

80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 f7c38486 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46

Extract of the SSDT, rootkit inactive:

80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 8056f074 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46

Now that we know the original address the hooked entry pointed to (8056f074), we can resolve it to a symbol to see which function the rootkit hooked:

kd> ln 8056f074
(8056f074)   nt!NtQueryDirectoryFile   |  (8056f0da)   nt!NtNotifyChangeDirectoryFile
Exact matches:
    nt!NtQueryDirectoryFile (<no parameter info>)

A rootkit could hook this function to hide files on the infected system.
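The comparison above can be automated. The following script is an added example, not part of the original page: it parses the two dd excerpts shown on this page, reports the indices whose entries differ, and, as a second check that works without a clean snapshot, flags entries pointing outside ntoskrnl.exe. The ntoskrnl address range is an assumed placeholder; take the real bounds from lm m nt in WinDbg.

```python
import re

# WinDbg "dd" rows as printed on this page; the base address is the first
# address shown by "dd dwo(KeServiceDescriptorTable)".
SSDT_BASE = 0x80501B8C
# Constructed from the page's two excerpts: the region with the rootkit active ...
DUMP_ACTIVE = """\
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 f7c38486 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
"""
# ... and the same region from the clean snapshot.
DUMP_CLEAN = """\
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 8056f074 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
"""
# Assumed ntoskrnl.exe range (placeholder for a 32-bit XP-era kernel);
# read the real values from "lm m nt" in WinDbg.
NT_START, NT_END = 0x804D7000, 0x806E4000

LINE_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s*)+)$", re.I)

def parse_dd(dump):
    """Map each SSDT index to the DWORD stored there, from 'dd' output rows."""
    table = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, [SNIP] markers and blank lines
        row_addr = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            index = (row_addr - SSDT_BASE) // 4 + i  # one DWORD per service
            table[index] = int(word, 16)
    return table

def find_hooks(active, clean):
    """Return {index: (current, original)} for entries that differ between the dumps."""
    return {i: (active[i], clean[i]) for i in active if i in clean and active[i] != clean[i]}

def outside_kernel(table):
    """Indices whose target lies outside ntoskrnl: suspicious even without a clean dump."""
    return sorted(i for i, addr in table.items() if not NT_START <= addr < NT_END)

if __name__ == "__main__":
    hooks = find_hooks(parse_dd(DUMP_ACTIVE), parse_dd(DUMP_CLEAN))
    for idx, (cur, orig) in hooks.items():
        print(f"SSDT[0x{idx:x}] hooked: now {cur:08x}, was {orig:08x} (resolve with: ln {orig:08x})")
```

On the page's data the script reports index 0x91, which is the entry for nt!NtQueryDirectoryFile resolved with ln above.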
