When most people think of Windows kernel rootkits, they think of DKOM (Direct Kernel Object Manipulation) or SSDT hooking. But what if I told you that one of the most elegant persistence and execution primitives doesn't hook the System Service Dispatch Table (SSDT) at all—it replaces the loader ?
; SDT Loader stub example (conceptual) mov rax, [rsp+8] ; retrieve syscall number cmp eax, CUSTOM_SYSCALL_NUMBER jne original_handler jmp my_payload_function original_handler: jmp [original_ssdt_entry] But modern variants don't even need a compare. Instead, they and route it to a dispatcher that parses a hidden command protocol. Why Not Hook the SSDT? Good question. Hooking is noisy. PatchGuard (Kernel Patch Protection) on x64 systems will happily bugcheck the system if it detects a modified SSDT entry. So how does an SDT loader survive? sdt loader
Because in the end, the kernel trusts the table. And the table trusts the pointer. And the pointer… can be anyone. Want to experiment? Check out SyscallTables on GitHub and the NtUndocumented header – but only in a VM, and only after disabling PatchGuard. You have been warned. When most people think of Windows kernel rootkits,
Enter the : a technique that repurposes the kernel’s own system call dispatch mechanism to execute arbitrary payloads with minimal traces. The SSDT Refresher The SSDT (often called KiServiceTable in x86 NT内核) is the heart of user-to-kernel transition. When NtReadFile is called from user mode, syscall (or int 2e on legacy) lands in KiSystemServiceRepeat , which indexes into the SSDT to find the target kernel function. Instead, they and route it to a dispatcher
As PatchGuard gets smarter, attackers move sideways into dynamic tables, unused slots, and race conditions. Defenders must move beyond hash-based driver blacklisting and toward runtime behavioral analysis of syscall dispatch.
It doesn't fight PatchGuard. It evades it.