SSDT-System-Service-Descriptor-Table
Description
The System Service Descriptor Table, also called the System Service Dispatch Table (SSDT), is a kernel structure that describes the service tables the operating system uses to dispatch system calls: for each system service number it records the address of the kernel routine that implements the call.
System Service Descriptor Table hooking is commonly used by malicious drivers.
Structure
typedef struct _KSERVICE_DESCRIPTOR_TABLE
{
    PULONG ServiceTableBase;        // array of system service routine addresses, indexed by service number
    PULONG ServiceCounterTableBase; // per-service call counters (populated only on checked builds)
    ULONG  NumberOfServices;        // number of entries in ServiceTableBase
    PUCHAR ParamTableBase;          // array of bytes: size in bytes of each service's parameters
} KSERVICE_DESCRIPTOR_TABLE, *PKSERVICE_DESCRIPTOR_TABLE;
View the SSDT
The pointer to this structure is KeServiceDescriptorTable, exported by ntoskrnl.exe.
In WinDbg, you can dump the service table (the array pointed to by ServiceTableBase, which is the first DWORD of the descriptor) as follows; the L100 range argument limits the output to 100 DWORDs, a count that WinDbg reads as hexadecimal:
kd> dd dwo(KeServiceDescriptorTable) L100
80501b8c 80599948 805e6db6 805ea5fc 805e6de8
80501b9c 805ea636 805e6e1e 805ea67a 805ea6be
80501bac 8060bdfe 8060cb50 805e21b4 805e1e0c
80501bbc 805cade6 805cad96 8060c424 805ab5ae
[SNIP]
80501dac 805e9c02 805ada08 806052dc 8056c0ce
80501dbc 8060cb50 8060cb50 8053c02e 80606e68
80501dcc 80607ac8 f7c38486 805b3de0 8056f3ca
80501ddc 806053a4 8056c222 8060c2dc 8056fc46
80501dec 805cbee0 8059a6fc 805c2bfc 805c17c8
80501dfc 805e3afa 80607266 8060e060 8056ddda
80501e0c 8061b97e 806193d4 8060d93e 805bb04c
[SNIP]
As you can see in the above example, one entry of the SSDT has been modified by a rootkit: every other entry points into ntoskrnl.exe (addresses of the form 80xxxxxx), whereas the value f7c38486 lies outside that range, in the region where third-party drivers are loaded.
To find out which function has been hooked, revert your virtual machine to a snapshot taken before the rootkit was installed, issue the same command again, and compare the two dumps to recover the original address of the replaced entry:
Extract of the SSDT, rootkit active | Extract of the SSDT, rootkit inactive
---|---
80501dbc 8060cb50 8060cb50 8053c02e 80606e68 | 80501dbc 8060cb50 8060cb50 8053c02e 80606e68
80501dcc 80607ac8 f7c38486 805b3de0 8056f3ca | 80501dcc 80607ac8 8056f074 805b3de0 8056f3ca
80501ddc 806053a4 8056c222 8060c2dc 8056fc46 | 80501ddc 806053a4 8056c222 8060c2dc 8056fc46
Now that we know the original address of the hooked entry (8056f074), we can resolve it to a symbol with the ln (list nearest symbols) command to see which function the rootkit replaced:
kd> ln 8056f074
(8056f074)   nt!NtQueryDirectoryFile   |  (8056f0da)   nt!NtNotifyChangeDirectoryFile
Exact matches:
    nt!NtQueryDirectoryFile (<no parameter info>)
A rootkit hooks this function because NtQueryDirectoryFile is the system service behind directory listings; by filtering its results the rootkit can hide files on the infected system.
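The comparison above is done by eye; the following script automates it. It is an added example written for this page, not code from the original article: it parses the `dd` output of the service table (the array that ServiceTableBase in the structure above points to), diffs a clean baseline dump against a live dump to report the service index and slot of every modified entry, and also applies the baseline-free heuristic that every legitimate entry should point inside ntoskrnl.exe. The sample dumps are constructed from the two SSDT extracts on this page; SERVICE_TABLE_BASE is taken from the first line of the page's dump, and NTOSKRNL_RANGE is an assumed image range for illustration only (read the real bounds from `lm m nt` in your own session).

```python
import re
from typing import Dict, List, Tuple

# Sample WinDbg `dd` output, constructed from the two SSDT extracts on the page:
# the "rootkit inactive" extract serves as the clean baseline, the "rootkit
# active" extract as the live dump. Real input would be the complete output of
# `dd dwo(KeServiceDescriptorTable) L100` saved to a file from each session.
BASELINE_DUMP = """\
kd> dd dwo(KeServiceDescriptorTable) L100
80501dbc 8060cb50 8060cb50 8053c02e 80606e68
80501dcc 80607ac8 8056f074 805b3de0 8056f3ca
80501ddc 806053a4 8056c222 8060c2dc 8056fc46
"""

LIVE_DUMP = """\
kd> dd dwo(KeServiceDescriptorTable) L100
80501dbc 8060cb50 8060cb50 8053c02e 80606e68
80501dcc 80607ac8 f7c38486 805b3de0 8056f3ca
80501ddc 806053a4 8056c222 8060c2dc 8056fc46
"""

# ServiceTableBase, i.e. the first address printed by the page's full dump.
# Assumption: `dd dwo(KeServiceDescriptorTable)` starts exactly at the table base.
SERVICE_TABLE_BASE = 0x80501B8C

# Assumed ntoskrnl.exe image range (illustrative only, not taken from the page);
# obtain the real start/end from `lm m nt` in your debugger session.
NTOSKRNL_RANGE = (0x804D7000, 0x806E2000)

# One `dd` row: an 8-hex-digit address followed by one to four 8-hex-digit DWORDs.
_ROW_RE = re.compile(r"^([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{8}){1,4})\s*$")


def parse_dd_dump(text: str) -> Dict[int, int]:
    """Parse `dd` output into {slot address: DWORD value}.

    The kd> prompt, [SNIP] markers and any other non-row lines are skipped.
    """
    slots: Dict[int, int] = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        row_addr = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            slots[row_addr + 4 * i] = int(word, 16)
    return slots


def diff_ssdt(baseline: Dict[int, int], live: Dict[int, int],
              table_base: int = SERVICE_TABLE_BASE) -> List[Tuple[int, int, int, int]]:
    """Return (service index, slot address, baseline value, live value) for each
    slot present in both dumps whose value changed between baseline and live."""
    hooked = []
    for slot in sorted(live):
        if slot in baseline and baseline[slot] != live[slot]:
            index = (slot - table_base) // 4  # each entry is one 4-byte pointer
            hooked.append((index, slot, baseline[slot], live[slot]))
    return hooked


def outside_kernel(live: Dict[int, int],
                   lo: int = NTOSKRNL_RANGE[0], hi: int = NTOSKRNL_RANGE[1]) -> List[Tuple[int, int]]:
    """Baseline-free heuristic: every SSDT entry should point into ntoskrnl.exe.
    Returns (slot address, value) for entries that point elsewhere."""
    return [(slot, val) for slot, val in sorted(live.items()) if not lo <= val < hi]


if __name__ == "__main__":
    base, now = parse_dd_dump(BASELINE_DUMP), parse_dd_dump(LIVE_DUMP)
    for index, slot, expected, actual in diff_ssdt(base, now):
        print(f"service 0x{index:x} at {slot:08x}: {expected:08x} -> {actual:08x} (hooked)")
    for slot, val in outside_kernel(now):
        print(f"slot {slot:08x} -> {val:08x} points outside ntoskrnl.exe")
```

Feeding the two page extracts through the script reports a single changed slot, 80501dd0, whose original value 8056f074 is what the ln command above resolves to nt!NtQueryDirectoryFile; the index it computes from the table base is the service number of that entry, so the output can be cross-checked against a known-good service table for the same build. The range heuristic finds the same slot without any baseline, which is what a quick triage script would rely on when no clean snapshot exists.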
Keywords: ssdt system-service-descriptor-table system-service-dispatch-table