The System Service Dispatch Table

 < Day Day Up > 

The system service dispatch table is used to look up the function required to handle a given system call. This facility is implemented in the operating system, not by the CPU. There are two ways a program can make a system call: by using interrupt 0x2E, or by using the SYSENTER instruction.

On Windows XP and beyond, programs typically use the SYSENTER instruction, while older platforms use interrupt 0x2E. The two mechanisms are completely different, although they achieve the same result.

Making a system call results in the function KiSystemService being called in the kernel. This function reads the system-call number from the EAX register, and looks up the call in the SSDT. KiSystemService also copies the arguments for the system call from the user-mode stack onto the kernel-mode stack. The arguments are pointed to by the EDX register. Some rootkits will hook into this processing chain to sniff data, alter data arguments, or redirect the system call. This technique is covered in great detail in Chapter 4.

     < Day Day Up > 

    Rootkits(c) Subverting the Windows Kernel
    Rootkits: Subverting the Windows Kernel
    ISBN: 0321294319
    EAN: 2147483647
    Year: 2006
    Pages: 111

    Similar book on Amazon © 2008-2017.
    If you may any questions please contact us: