Techniques of user-mode detecting System Service Descriptor Table

4 Author(s)
Jiayuan Zhang ; Coll. of Comput. Sci. & Technol., Jilin Univ., Changchun ; Shufen Liu ; Jun Peng ; Aijie Guan

To protect the system service descriptor table (SSDT) and discover hooks hidden in kernel modules, we propose two methods for detecting SSDT hooks that work entirely in user mode, unlike approaches that must run in kernel mode and require loading a driver. The first method reads the table through the \Device\PhysicalMemory section object; the second reads it through the NtSystemDebugControl system call. Experimental results show that both methods detect SSDT hooks from user mode. In addition, a user-mode program simplifies the tedious detection process and avoids the disadvantages of loading a driver.
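The check both methods end up performing, once a copy of kernel memory is available from user mode, is the same: locate KeServiceDescriptorTable (an export of ntoskrnl, so its address is the kernel load base plus the export RVA), read the service table it points to, and flag any entry whose target does not lie inside the ntoskrnl image. The following C program is an added example, not code from the paper; it implements that walk over a constructed in-process buffer that stands in for kernel memory. The `read_vm` callback is the only part that would change in a real detector, where it would be backed by NtSystemDebugControl with the SysDbgReadVirtual subfunction or by a mapping of \Device\PhysicalMemory (which additionally needs a virtual-to-physical translation), and the ntoskrnl range would come from NtQuerySystemInformation(SystemModuleInformation) or EnumDeviceDrivers. The addresses, the 32-bit descriptor layout and the fake table contents are assumptions made for the example. One caveat for anyone reproducing the paper's setup: Microsoft blocked user-mode opens of \Device\PhysicalMemory starting with Windows Server 2003 SP1, and on Vista and later the memory-reading subfunctions of NtSystemDebugControl fail unless a kernel debugger is attached, so both primitives are specific to the XP-era 32-bit kernels the paper targets.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of KeServiceDescriptorTable[0] (KSERVICE_TABLE_DESCRIPTOR) on 32-bit Windows. */
typedef struct {
    uint32_t ServiceTableBase;        /* array of NumberOfServices handler addresses */
    uint32_t ServiceCounterTableBase;
    uint32_t NumberOfServices;
    uint32_t ParamTableBase;
} ssdt_desc32_t;

/* Kernel-memory read primitive: copy `len` bytes at virtual address `va` into `out`.
 * Returns 0 on success. A real detector backs this with NtSystemDebugControl
 * (SysDbgReadVirtual) or a \Device\PhysicalMemory mapping; here it reads a fake buffer. */
typedef int (*read_vm_fn)(void *ctx, uint32_t va, void *out, size_t len);

typedef struct { uint32_t base, size; } image_range_t;   /* ntoskrnl load range */

#define MAX_SERVICES 1024   /* sanity bound; XP has a few hundred services */

/* Walk the SSDT and collect service indices whose handler lies outside ntoskrnl.
 * Returns the number of such entries, or -1 if the table cannot be read or looks bogus. */
int ssdt_find_hooks(read_vm_fn read_vm, void *ctx, uint32_t kesdt_va,
                    const image_range_t *nt, uint32_t *hooked_idx, size_t max_hooked)
{
    ssdt_desc32_t d;
    if (read_vm(ctx, kesdt_va, &d, sizeof d) != 0) return -1;
    if (d.NumberOfServices == 0 || d.NumberOfServices > MAX_SERVICES) return -1;

    uint32_t table[MAX_SERVICES];
    if (read_vm(ctx, d.ServiceTableBase, table, d.NumberOfServices * sizeof table[0]) != 0)
        return -1;

    int n = 0;
    for (uint32_t i = 0; i < d.NumberOfServices; i++) {
        uint32_t target = table[i];
        int inside = target >= nt->base && target - nt->base < nt->size;
        if (!inside) {                       /* handler redirected into another module */
            if ((size_t)n < max_hooked) hooked_idx[n] = i;
            n++;
        }
    }
    return n;
}

/* ---- constructed sample "kernel memory" so the check runs offline (all values assumed) ---- */
#define FAKE_KERNEL_VA  0x80500000u   /* where the fake region is pretended to live */
#define FAKE_REGION_SZ  0x1000u
#define NT_BASE         0x80400000u   /* assumed ntoskrnl load address and image size */
#define NT_SIZE         0x00200000u
#define SAMPLE_SERVICES 8u
#define HOOK_TARGET     0xF8A1E2F0u   /* assumed address inside a third-party driver */

typedef struct { uint8_t mem[FAKE_REGION_SZ]; } fake_mem_t;

static int fake_read(void *ctx, uint32_t va, void *out, size_t len) {
    fake_mem_t *m = ctx;
    if (va < FAKE_KERNEL_VA || va - FAKE_KERNEL_VA + len > FAKE_REGION_SZ) return -1;
    memcpy(out, m->mem + (va - FAKE_KERNEL_VA), len);
    return 0;
}

/* Descriptor at +0x0, service table at +0x100; service 3 is optionally redirected. */
static void build_sample(fake_mem_t *m, int with_hook) {
    memset(m, 0, sizeof *m);
    ssdt_desc32_t d = { FAKE_KERNEL_VA + 0x100, 0, SAMPLE_SERVICES, FAKE_KERNEL_VA + 0x200 };
    memcpy(m->mem, &d, sizeof d);
    for (uint32_t i = 0; i < SAMPLE_SERVICES; i++) {
        uint32_t handler = (with_hook && i == 3) ? HOOK_TARGET : NT_BASE + 0x10000 + i * 0x40;
        memcpy(m->mem + 0x100 + i * sizeof handler, &handler, sizeof handler);
    }
}

/* Number of out-of-image entries in the sample table. */
int sample_hook_count(int with_hook) {
    fake_mem_t m;
    build_sample(&m, with_hook);
    image_range_t nt = { NT_BASE, NT_SIZE };
    uint32_t hooked[SAMPLE_SERVICES];
    return ssdt_find_hooks(fake_read, &m, FAKE_KERNEL_VA, &nt, hooked, SAMPLE_SERVICES);
}

/* Service index of the first flagged entry in the sample table, or -1 if none. */
int sample_first_hooked_index(int with_hook) {
    fake_mem_t m;
    build_sample(&m, with_hook);
    image_range_t nt = { NT_BASE, NT_SIZE };
    uint32_t hooked[SAMPLE_SERVICES];
    int n = ssdt_find_hooks(fake_read, &m, FAKE_KERNEL_VA, &nt, hooked, SAMPLE_SERVICES);
    return n > 0 ? (int)hooked[0] : -1;
}

int main(void) {
    int n = sample_hook_count(1);
    printf("hooked SSDT entries: %d (first at service index %d)\n", n, sample_first_hooked_index(1));
    return n > 0 ? 1 : 0;
}
```

The range test is the cheapest of the checks a detector can make and catches the classic pattern of a rootkit driver overwriting table entries with its own routines. It does not catch an entry redirected to a trampoline placed inside the ntoskrnl image, or an inline patch of the original handler; comparing each entry against the address computed from the on-disk ntoskrnl (export RVA plus load base) covers the first of those and is the natural next step on top of the same read primitive.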

Published in:

13th International Conference on Computer Supported Cooperative Work in Design (CSCWD 2009)

Date of Conference:

22-24 April 2009