Skip to Main Content
In order to protect system service descriptor table (SSDT) and discover the hook which is hidden in kernel module, we propose two methods which work in user-mode for detecting the hook of SSDT. The methods we propose are different from the method that must work in kernel-mode after loading rootkit drivers. The first method is using devicephysicalmemory to detect the hook in user-mode, and the second one is using the function of NtSystemDebugControl to detect the hook in user-mode. The experimental results show that both methods can detect the hook of SSDT in user-mode. In addition, the user program simplifies the tedious process and avoids the disadvantages of loading drivers.