The Windows kernel relies on a table of pointers to functions in order to perform system operations. This table, referred to by Microsoft as the system service table, or service descriptor table, can be modified to point to user-specified functions. “Hooking” these system functions is the focus of this chapter.
The DDK reference KeServiceDescriptorTable gives any kernel-mode code access to the system call table, but modifying the table and substituting alternate kernel functions is not a simple task. This chapter introduces the functions accessed through the table and gives you the resources to replace these kernel functions with your own.
There are many entries in the system call table, pointing to everything from simple string operations to complex client/server operations, so don’t expect to learn the full scope of the system call table overnight. However, keep in mind that the more you can learn about the functions referenced by this table, the better prepared you will be to implement kernel hooking.
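The defender's counterpart to the modification described above, as an added example that is not from this chapter: a user-mode simulation of the integrity check anti-rootkit tools run over the service descriptor table, flagging any entry whose target lies outside the kernel image. The structure layout is the 32-bit one, and the table contents, kernel base and size are constructed values rather than read from a live system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit layout of the descriptor that KeServiceDescriptorTable points to.
 * Assumed here for illustration; a real check reads it from kernel mode,
 * which this user-mode example deliberately does not do. */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    uintptr_t *ServiceTableBase;        /* one function pointer per service */
    uint32_t  *ServiceCounterTableBase; /* per-service call counters */
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;          /* argument byte count per service */
} SERVICE_DESCRIPTOR_TABLE;

/* Integrity check: in an unhooked table every entry lands inside the kernel
 * image. Returns how many entries fall outside [base, base + size) and
 * records up to max_out of their indices in hooked_out. */
size_t ssdt_find_hooked(const SERVICE_DESCRIPTOR_TABLE *sdt,
                        uintptr_t kernel_base, size_t kernel_size,
                        uint32_t *hooked_out, size_t max_out)
{
    size_t found = 0;
    for (uint32_t i = 0; i < sdt->NumberOfServices; i++) {
        uintptr_t target = sdt->ServiceTableBase[i];
        int inside = target >= kernel_base && target - kernel_base < kernel_size;
        if (!inside) {
            if (found < max_out)
                hooked_out[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample: a pretend 1 MiB kernel image at 0x80400000 with four
 * services, the third of which has been redirected into another module. */
size_t demo_hooked_count(void)
{
    static uintptr_t table[4] = { 0x80401000u, 0x80402340u, 0xF7C01000u, 0x804FF000u };
    static uint32_t counters[4];
    static uint8_t params[4] = { 0x18, 0x20, 0x2C, 0x04 };
    SERVICE_DESCRIPTOR_TABLE sdt = { table, counters, 4, params };
    uint32_t hooked[4];
    size_t n = ssdt_find_hooked(&sdt, 0x80400000u, 0x100000u, hooked, 4);
    for (size_t i = 0; i < n; i++)
        printf("service index %u -> %#lx lies outside the kernel image\n",
               hooked[i], (unsigned long)table[hooked[i]]);
    return n;
}
```

On a live system the win32k services live in a separate shadow table, so a real check compares each entry against the full loaded-module list rather than a single image range.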