Title :
Techniques of user-mode detecting System Service Descriptor Table
Author :
Zhang, Jiayuan ; Shufen Liu ; Jun Peng ; Guan, Aijie
Author_Institution :
Coll. of Comput. Sci. & Technol., Jilin Univ., Changchun
Abstract :
In order to protect the system service descriptor table (SSDT) and discover hooks hidden in kernel modules, we propose two methods that work in user mode for detecting SSDT hooks. The methods we propose differ from the method that must work in kernel mode after loading rootkit drivers. The first method uses \Device\PhysicalMemory to detect the hook from user mode, and the second uses the NtSystemDebugControl function to detect the hook from user mode. The experimental results show that both methods can detect SSDT hooks from user mode. In addition, the user-mode program simplifies the tedious process and avoids the disadvantages of loading drivers.
Keywords :
device drivers; operating system kernels; security of data; NtSystemDebugControl function; hook detection; kernel module; rootkit drivers; system service descriptor table protection; user-mode detection; Collaborative work; Computer networks; Computer science; Educational institutions; Invasive software; Kernel; Operating systems; Protection; Software safety; Switches; System Service Descriptor Table; hook; user-mode;
Conference_Title :
Computer Supported Cooperative Work in Design, 2009. CSCWD 2009. 13th International Conference on
Conference_Location :
Santiago
Print_ISBN :
978-1-4244-3534-0
Electronic_ISBN :
978-1-4244-3535-7
DOI :
10.1109/CSCWD.2009.4968041