Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep

Descriptor Tables

The x86 architecture has a number of different descriptor tables that are used by the processor to handle things like memory management (GDT), interrupt dispatching (IDT), and so on. In addition to processor-level descriptor tables, the Windows operating system itself also includes a number of distinct software-level descriptor tables, such as the SSDT. The majority of these descriptor tables are heavily relied upon by the operating system and therefore represent a tantalizing target for use in backdoors. Like the function hooking technique described in 2.1.1, all of the techniques presented in this subsection have been known about for a significant amount of time. The authors have attempted, when possible, to identify the origins of each technique.