2009 13th International Conference on Computer Supported Cooperative Work in Design
Techniques of user-mode detecting System Service Descriptor Table
Santiago, Chile
April 22-April 24
ISBN: 978-1-4244-3534-0
Jiayuan Zhang, College of Computer Science and Technology, Jilin University, Changchun 130021, China
Shufen Liu, College of Computer Science and Technology, Jilin University, Changchun 130021, China
Jun Peng, College of Computer Science and Technology, Jilin University, Changchun 130021, China
Aijie Guan, College of Computer Science and Technology, Jilin University, Changchun 130021, China
In order to protect the System Service Descriptor Table (SSDT) and discover hooks hidden in kernel modules, we propose two methods that work in user mode for detecting SSDT hooks. Unlike the existing approach, which must run in kernel mode and requires loading a driver, the methods we propose do not load any kernel component. The first method uses \device\physicalmemory to detect the hook from user mode, and the second uses the NtSystemDebugControl function to detect the hook from user mode. The experimental results show that both methods can detect SSDT hooks from user mode. In addition, the user-mode program simplifies the otherwise tedious process and avoids the disadvantages of loading drivers.
Citation:
Jiayuan Zhang, Shufen Liu, Jun Peng, Aijie Guan, "Techniques of user-mode detecting System Service Descriptor Table," cscwd, pp.96-101, 2009 13th International Conference on Computer Supported Cooperative Work in Design, 2009