The System Service Dispatch Table


The system service dispatch table (SSDT) is the table the kernel consults to find the function that handles a given system call. This facility is implemented by the operating system, not by the CPU: the processor only provides the trap into kernel mode, and the kernel decides what a given call number means. A program has two ways to make that trap: the software interrupt INT 0x2E, or the SYSENTER instruction.

On Windows XP and later, programs typically use SYSENTER, while older platforms (Windows NT and 2000) use INT 0x2E. The two entry mechanisms differ at the CPU level but produce the same result: control arrives in the kernel with the system-call number and the location of its arguments in known registers.

Either way, the call ends up in the kernel's system-service dispatcher, KiSystemService (the SYSENTER path enters through KiFastCallEntry, which shares the same dispatch code). The dispatcher reads the system-call number from the EAX register, checks that it is within the table's limit, and uses it to index the SSDT. It also copies the call's arguments from the user-mode stack onto the kernel-mode stack: EDX holds the user-mode address of the argument block, and a companion argument-size table tells the dispatcher how many bytes to copy. Because every system call passes through this one chain, a rootkit that hooks any stage of it (the entry point, the table lookup, or the table entry itself) can sniff data, alter data arguments, or redirect the system call to code of its own. This technique is covered in great detail in Chapter 4.
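The following is an added example, not code from the book, that models the dispatch chain just described as ordinary user-mode C so it can be compiled and run anywhere: a service table plus an argument-size table stand in for the SSDT, KiSystemServiceModel plays the role of KiSystemService (EAX as the call number, EDX as the user-mode argument pointer), and a hook swaps one table entry to show the sniff/alter/redirect pattern a rootkit uses. The service names SvcOpen and SvcClose, the two-entry table, and the sample argument values are all constructed for the example; nothing here touches a real kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the x86 Windows system-call dispatch path.
 * The SSDT, the "user stack" and the "kernel stack" are plain arrays. */

typedef long NTSTATUS;
#define STATUS_SUCCESS 0L
#define STATUS_INVALID_SYSTEM_SERVICE (-1073741809L)   /* 0xC000001C */

typedef NTSTATUS (*SERVICE_FN)(const uint32_t *args);

/* Hypothetical services standing in for real Nt* routines. */
static NTSTATUS SvcOpen(const uint32_t *a)  { return (NTSTATUS)(a[0] + a[1]); }
static NTSTATUS SvcClose(const uint32_t *a) { return (NTSTATUS)(a[0] * 2); }

/* The SSDT in miniature: ServiceTable[n] is the handler for call number n,
 * ArgumentTable[n] is the number of argument bytes to copy from user mode. */
#define SERVICE_LIMIT 2
static SERVICE_FN    ServiceTable[SERVICE_LIMIT]  = { SvcOpen, SvcClose };
static const uint8_t ArgumentTable[SERVICE_LIMIT] = { 8, 4 };

/* KiSystemService modelled: eax = service number, edx = user-mode address of
 * the argument block. Out-of-range numbers are rejected before indexing. */
NTSTATUS KiSystemServiceModel(uint32_t eax, const uint32_t *edx)
{
    uint32_t kernel_stack[16] = {0};          /* arguments are copied here */
    if (eax >= SERVICE_LIMIT)                 /* limit check before the lookup */
        return STATUS_INVALID_SYSTEM_SERVICE;
    memcpy(kernel_stack, edx, ArgumentTable[eax]);
    return ServiceTable[eax](kernel_stack);   /* the SSDT lookup and call */
}

/* What a user-mode stub does: push the arguments, load EAX/EDX, trap. */
NTSTATUS InvokeFromUser(uint32_t nr, uint32_t arg0, uint32_t arg1)
{
    uint32_t user_stack[2] = { arg0, arg1 };
    return KiSystemServiceModel(nr, user_stack);
}

/* Rootkit-style hook on entry 0: sniff an argument, alter another,
 * then redirect to the original handler so the caller notices nothing. */
static SERVICE_FN OriginalOpen;
static uint32_t   LastSeenArg0;

static NTSTATUS HookedOpen(const uint32_t *a)
{
    uint32_t tampered[2] = { a[0], a[1] };
    LastSeenArg0 = a[0];             /* sniff */
    tampered[1]  = 0;                /* alter a data argument */
    return OriginalOpen(tampered);   /* redirect to the real service */
}

void InstallHook(void)
{
    OriginalOpen    = ServiceTable[0];
    ServiceTable[0] = HookedOpen;
}

void RemoveHook(void)
{
    if (OriginalOpen) { ServiceTable[0] = OriginalOpen; OriginalOpen = NULL; }
}

uint32_t LastSniffedArg(void) { return LastSeenArg0; }

/* Integrity check a detector would run: every entry must still point at a
 * known, legitimate service (here the two we started with). */
int TableIsClean(void)
{
    return ServiceTable[0] == SvcOpen && ServiceTable[1] == SvcClose;
}

int main(void)
{
    printf("open(40,2)   -> %ld\n", InvokeFromUser(0, 40, 2));
    InstallHook();
    printf("hooked       -> %ld  clean=%d\n", InvokeFromUser(0, 40, 2), TableIsClean());
    RemoveHook();
    printf("bad number 7 -> %ld\n", InvokeFromUser(7, 0, 0));
    return 0;
}
```

Before the hook, call 0 with arguments (40, 2) returns 42; with the hook installed the same call returns 40, because the second argument was zeroed on the way through, and TableIsClean() reports the tampered entry. The limit check is the part of the chain a real dispatcher must never skip: without it a large call number would index past the table into whatever memory follows it.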



    Rootkits: Subverting the Windows Kernel
    ISBN: 0321294319
    Year: 2006
    Pages: 111
