System Service Descriptor Table
The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows.
Hooking SSDT calls is often used as a technique in both Windows rootkits and antivirus software.[1][2]
In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to exploits using race conditions to attack the products' security checks.[2]
Structure of the SSDT
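typedef struct _KSERVICE_DESCRIPTOR_TABLE
{
    PULONG ServiceTableBase;        /* array of service routine addresses (KiServiceTable) */
    PULONG ServiceCounterTableBase; /* per-service call counters, used only in checked builds */
    ULONG  NumberOfServices;        /* number of entries in the service table */
    PUCHAR ParamTableBase;          /* per-service argument size in bytes (KiArgumentTable) */
} KSERVICE_DESCRIPTOR_TABLE, *PKSERVICE_DESCRIPTOR_TABLE;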
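The pointer to this structure is KeServiceDescriptorTable, exported by ntoskrnl.exe. Its ServiceTableBase member points to KiServiceTable, which can be dumped from a local kernel debugger session; each row shows the slot address, the stored service routine pointer and the symbol that pointer resolves to: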
lkd> dds KiServiceTable l 191
82ab8d9c 82cb4c28 nt!NtAcceptConnectPort
82ab8da0 82afb40d nt!NtAccessCheck
82ab8da4 82c44b68 nt!NtAccessCheckAndAuditAlarm
82ab8da8 82a5f88a nt!NtAccessCheckByType
82ab8dac 82cb64ff nt!NtAccessCheckByTypeAndAuditAlarm
82ab8db0 82b383fa nt!NtAccessCheckByTypeResultList
82ab8db4 82d26b05 nt!NtAccessCheckByTypeResultListAndAuditAlarm
82ab8db8 82d26b4e nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
82ab8dbc 82c393bd nt!NtAddAtom
82ab8dc0 82d40368 nt!NtAddBootEntry
82ab8dc4 82d415c1 nt!NtAddDriverEntry
82ab8dc8 82c2fb95 nt!NtAdjustGroupsToken
82ab8dcc 82cc0b35 nt!NtAdjustPrivilegesToken
82ab8dd0 82d19963 nt!NtAlertResumeThread
82ab8dd4 82c6ca56 nt!NtAlertThread
82ab8dd8 82c3c6cc nt!NtAllocateLocallyUniqueId
82ab8ddc 82bd2928 nt!NtAllocateReserveObject
82ab8de0 82d0b898 nt!NtAllocateUserPhysicalPages
82ab8de4 82c2314e nt!NtAllocateUuids
82ab8de8 82c65a62 nt!NtAllocateVirtualMemory
82ab8dec 82cb1df1 nt!NtAlpcAcceptConnectPort
82ab8df0 82c13238 nt!NtAlpcCancelMessage
82ab8df4 82cb11fe nt!NtAlpcConnectPort
82ab8df8 82c30c0c nt!NtAlpcCreatePort
82ab8dfc 82cc25bc nt!NtAlpcCreatePortSection
82ab8e00 82c3328f nt!NtAlpcCreateResourceReserve
82ab8e04 82cc239c nt!NtAlpcCreateSectionView
82ab8e08 82cbaafc nt!NtAlpcCreateSecurityContext
82ab8e0c 82c450f0 nt!NtAlpcDeletePortSection
82ab8e10 82d06657 nt!NtAlpcDeleteResourceReserve
82ab8e14 82cb7ec9 nt!NtAlpcDeleteSectionView
82ab8e18 82cc27ee nt!NtAlpcDeleteSecurityContext
82ab8e1c 82c9b1fc nt!NtAlpcDisconnectPort
82ab8e20 82cb5f2e nt!NtAlpcImpersonateClientOfPort
82ab8e24 82c47d15 nt!NtAlpcOpenSenderProcess
82ab8e28 82c3bcf3 nt!NtAlpcOpenSenderThread
82ab8e2c 82c2db70 nt!NtAlpcQueryInformation
82ab8e30 82c9ba83 nt!NtAlpcQueryInformationMessage
82ab8e34 82d0677f nt!NtAlpcRevokeSecurityContext
82ab8e38 82c8df0a nt!NtAlpcSendWaitReceivePort
82ab8e3c 82c3b702 nt!NtAlpcSetInformation
82ab8e40 82c4d21b nt!NtApphelpCacheControl
82ab8e44 82c090e3 nt!NtAreMappedFilesTheSame
82ab8e48 82c3aed1 nt!NtAssignProcessToJobObject
82ab8e4c 82ab98bc nt!NtCallbackReturn
82ab8e50 82c045c3 nt!NtCancelIoFile
82ab8e54 82c38ce7 nt!NtCancelIoFileEx
82ab8e58 82cf2fb0 nt!NtCancelSynchronousIoFile
82ab8e5c 82a65d56 nt!NtCancelTimer
82ab8e60 82c67b5f nt!NtClearEvent
82ab8e64 82c8037a nt!NtClose
82ab8e68 82cb642e nt!NtCloseObjectAuditAlarm
82ab8e6c 82d2e412 nt!NtCommitComplete
82ab8e70 82d2e132 nt!NtCommitEnlistment
82ab8e74 82c0f9b9 nt!NtCommitTransaction
82ab8e78 82cd8013 nt!NtCompactKeys
82ab8e7c 82c36c9d nt!NtCompareTokens
82ab8e80 82c3bce9 nt!NtCompleteConnectPort
82ab8e84 82cd827f nt!NtCompressKey
82ab8e88 82cb3d09 nt!NtConnectPort
82ab8e8c 82a7bd0c nt!NtContinue
82ab8e90 82ce8c79 nt!NtCreateDebugObject
82ab8e94 82c3e505 nt!NtCreateDirectoryObject
82ab8e98 82be0a55 nt!NtCreateEnlistment
82ab8e9c 82c7c671 nt!NtCreateEvent
82ab8ea0 82d46068 nt!NtCreateEventPair
82ab8ea4 82c8b1e4 nt!NtCreateFile
82ab8ea8 82c96667 nt!NtCreateIoCompletion
82ab8eac 82c2d977 nt!NtCreateJobObject
82ab8eb0 82d1b6de nt!NtCreateJobSet
82ab8eb4 82c3ce2a nt!NtCreateKey
82ab8eb8 82c4bd1e nt!NtCreateKeyedEvent
82ab8ebc 82c0da36 nt!NtCreateKeyTransacted
82ab8ec0 82c4132f nt!NtCreateMailslotFile
82ab8ec4 82c4c196 nt!NtCreateMutant
82ab8ec8 82cbc4f9 nt!NtCreateNamedPipeFile
82ab8ecc 82bc8406 nt!NtCreatePagingFile
82ab8ed0 82c2d75f nt!NtCreatePort
82ab8ed4 82c0f57f nt!NtCreatePrivateNamespace
82ab8ed8 82d17df9 nt!NtCreateProcess
82ab8edc 82d17e44 nt!NtCreateProcessEx
82ab8ee0 82d46afb nt!NtCreateProfile
82ab8ee4 82d46ac1 nt!NtCreateProfileEx
82ab8ee8 82be335f nt!NtCreateResourceManager
82ab8eec 82c5ef2b nt!NtCreateSection
82ab8ef0 82c4198d nt!NtCreateSemaphore
82ab8ef4 82c3d7f5 nt!NtCreateSymbolicLinkObject
82ab8ef8 82d17c02 nt!NtCreateThread
82ab8efc 82cac124 nt!NtCreateThreadEx
82ab8f00 82c3a304 nt!NtCreateTimer
82ab8f04 82c40ac8 nt!NtCreateToken
82ab8f08 82c0be62 nt!NtCreateTransaction
82ab8f0c 82be316b nt!NtCreateTransactionManager
82ab8f10 82caa056 nt!NtCreateUserProcess
82ab8f14 82be0134 nt!NtCreateWaitablePort
82ab8f18 82c4bf39 nt!NtCreateWorkerFactory
82ab8f1c 82ce9b36 nt!NtDebugActiveProcess
82ab8f20 82cea1f3 nt!NtDebugContinue
82ab8f24 82c6496f nt!NtDelayExecution
82ab8f28 82c2807b nt!NtDeleteAtom
82ab8f2c 82d4039b nt!NtDeleteBootEntry
82ab8f30 82d415f3 nt!NtDeleteDriverEntry
82ab8f34 82bd46ad nt!NtDeleteFile
82ab8f38 82c27911 nt!NtDeleteKey
82ab8f3c 82cc69df nt!NtDeleteObjectAuditAlarm
82ab8f40 82ccf6f6 nt!NtDeletePrivateNamespace
82ab8f44 82c19328 nt!NtDeleteValueKey
82ab8f48 82caf3ca nt!NtDeviceIoControlFile
82ab8f4c 82d034da nt!NtDisableLastKnownGood
82ab8f50 82d3e5ef nt!NtDisplayString
82ab8f54 82b4f259 nt!NtDrawText
82ab8f58 82c6d4f0 nt!NtDuplicateObject
82ab8f5c 82ca7974 nt!NtDuplicateToken
82ab8f60 82d035bb nt!NtEnableLastKnownGood
82ab8f64 82d4059d nt!NtEnumerateBootEntries
82ab8f68 82d417f3 nt!NtEnumerateDriverEntries
82ab8f6c 82ca2a59 nt!NtEnumerateKey
82ab8f70 82d4017b nt!NtEnumerateSystemEnvironmentValuesEx
82ab8f74 82d2ef4c nt!NtEnumerateTransactionObject
82ab8f78 82ca4ebf nt!NtEnumerateValueKey
82ab8f7c 82d09a0f nt!NtExtendSection
82ab8f80 82c20d81 nt!NtFilterToken
82ab8f84 82c2c8ff nt!NtFindAtom
82ab8f88 82c44117 nt!NtFlushBuffersFile
82ab8f8c 82bd090f nt!NtFlushInstallUILanguage
82ab8f90 82c3b4c2 nt!NtFlushInstructionCache
82ab8f94 82c1a9cd nt!NtFlushKey
82ab8f98 82a601b1 nt!NtFlushProcessWriteBuffers
82ab8f9c 82c16130 nt!NtFlushVirtualMemory
82ab8fa0 82d0c9b7 nt!NtFlushWriteBuffer
82ab8fa4 82d0c039 nt!NtFreeUserPhysicalPages
82ab8fa8 82af44db nt!NtFreeVirtualMemory
82ab8fac 82b0e6fc nt!NtFreezeRegistry
82ab8fb0 82d2f39a nt!NtFreezeTransactions
82ab8fb4 82c916a2 nt!NtFsControlFile
82ab8fb8 82cd0dc1 nt!NtGetContextThread
82ab8fbc 82cd0d56 nt!NtGetCurrentProcessorNumber
82ab8fc0 82d14e37 nt!NtGetDevicePowerState
82ab8fc4 82c4cdaf nt!NtGetMUIRegistryInfo
82ab8fc8 82d19b54 nt!NtGetNextProcess
82ab8fcc 82cc8c0a nt!NtGetNextThread
82ab8fd0 82c155c6 nt!NtGetNlsSectionPtr
82ab8fd4 82d2f4f4 nt!NtGetNotificationResourceManager
82ab8fd8 82bfae67 nt!NtGetPlugPlayEvent
82ab8fdc 82b255c7 nt!NtGetWriteWatch
82ab8fe0 82c317ca nt!NtImpersonateAnonymousToken
82ab8fe4 82d057a1 nt!NtImpersonateClientOfPort
82ab8fe8 82cb55fc nt!NtImpersonateThread
82ab8fec 82c97f0d nt!NtInitializeNlsFiles
82ab8ff0 82bd41ca nt!NtInitializeRegistry
82ab8ff4 82ccb5c3 nt!NtInitiatePowerAction
82ab8ff8 82ccccdd nt!NtIsProcessInJob
82ab8ffc 82d14e1e nt!NtIsSystemResumeAutomatic
82ab9000 82bcede9 nt!NtIsUILanguageComitted
82ab9004 82bcbc75 nt!NtListenPort
82ab9008 82c01b78 nt!NtLoadDriver
82ab900c 82bcd426 nt!NtLoadKey
82ab9010 82bbaa1c nt!NtLoadKey2
82ab9014 82bdde72 nt!NtLoadKeyEx
82ab9018 82c3f32b nt!NtLockFile
82ab901c 82bb4026 nt!NtLockProductActivationKeys
82ab9020 82baf6d5 nt!NtLockRegistryKey
82ab9024 82a5f191 nt!NtLockVirtualMemory
82ab9028 82c021b1 nt!NtMakePermanentObject
82ab902c 82c47851 nt!NtMakeTemporaryObject
82ab9030 82c4c35b nt!NtMapCMFModule
82ab9034 82d0ab57 nt!NtMapUserPhysicalPages
82ab9038 82d0b12d nt!NtMapUserPhysicalPagesScatter
82ab903c 82c82394 nt!NtMapViewOfSection
82ab9040 82d4056c nt!NtModifyBootEntry
82ab9044 82d417c4 nt!NtModifyDriverEntry
82ab9048 82c31db6 nt!NtNotifyChangeDirectoryFile
82ab904c 82c35e17 nt!NtNotifyChangeKey
82ab9050 82c34f39 nt!NtNotifyChangeMultipleKeys
82ab9054 82bfbd6b nt!NtNotifyChangeSession
82ab9058 82c7e584 nt!NtOpenDirectoryObject
82ab905c 82d2d995 nt!NtOpenEnlistment
82ab9060 82c4bb92 nt!NtOpenEvent
82ab9064 82d46169 nt!NtOpenEventPair
82ab9068 82c6db10 nt!NtOpenFile
82ab906c 82cf2ca5 nt!NtOpenIoCompletion
82ab9070 82d1b057 nt!NtOpenJobObject
82ab9074 82c87642 nt!NtOpenKey
82ab9078 82c4badd nt!NtOpenKeyEx
82ab907c 82d4649f nt!NtOpenKeyedEvent
82ab9080 82c0b169 nt!NtOpenKeyTransacted
82ab9084 82c0b0f9 nt!NtOpenKeyTransactedEx
82ab9088 82c9d0e2 nt!NtOpenMutant
82ab908c 82c144b2 nt!NtOpenObjectAuditAlarm
82ab9090 82c15f07 nt!NtOpenPrivateNamespace
82ab9094 82c4d9dc nt!NtOpenProcess
82ab9098 82c9ffff nt!NtOpenProcessToken
82ab909c 82c8db37 nt!NtOpenProcessTokenEx
82ab90a0 82bb90c7 nt!NtOpenResourceManager
82ab90a4 82ca5674 nt!NtOpenSection
82ab90a8 82c210c6 nt!NtOpenSemaphore
82ab90ac 82cc2977 nt!NtOpenSession
82ab90b0 82c89b6f nt!NtOpenSymbolicLinkObject
82ab90b4 82c99d87 nt!NtOpenThread
82ab90b8 82cb42e4 nt!NtOpenThreadToken
82ab90bc 82c8dc4e nt!NtOpenThreadTokenEx
82ab90c0 82d45e0f nt!NtOpenTimer
82ab90c4 82d2e6f1 nt!NtOpenTransaction
82ab90c8 82d2f989 nt!NtOpenTransactionManager
82ab90cc 82c1f506 nt!NtPlugPlayControl
82ab90d0 82c7c970 nt!NtPowerInformation
82ab90d4 82d2e2a2 nt!NtPrepareComplete
82ab90d8 82d2dfc2 nt!NtPrepareEnlistment
82ab90dc 82d2e35a nt!NtPrePrepareComplete
82ab90e0 82d2e07a nt!NtPrePrepareEnlistment
82ab90e4 82c3293f nt!NtPrivilegeCheck
82ab90e8 82c01f60 nt!NtPrivilegedServiceAuditAlarm
82ab90ec 82c1ca51 nt!NtPrivilegeObjectAuditAlarm
82ab90f0 82d300e4 nt!NtPropagationComplete
82ab90f4 82d301aa nt!NtPropagationFailed
82ab90f8 82c7e403 nt!NtProtectVirtualMemory
82ab90fc 82ccf5a7 nt!NtPulseEvent
82ab9100 82c939a1 nt!NtQueryAttributesFile
82ab9104 82d40a3e nt!NtQueryBootEntryOrder
82ab9108 82d40e83 nt!NtQueryBootOptions
82ab910c 82afed34 nt!NtQueryDebugFilterState
82ab9110 82cb2b8c nt!NtQueryDefaultLocale
82ab9114 82bdef5c nt!NtQueryDefaultUILanguage
82ab9118 82c6fd11 nt!NtQueryDirectoryFile
82ab911c 82c949f0 nt!NtQueryDirectoryObject
82ab9120 82d41381 nt!NtQueryDriverEntryOrder
82ab9124 82bcdb4a nt!NtQueryEaFile
82ab9128 82c3681e nt!NtQueryEvent
82ab912c 82cbc5d5 nt!NtQueryFullAttributesFile
82ab9130 82c2824c nt!NtQueryInformationAtom
82ab9134 82d2dba2 nt!NtQueryInformationEnlistment
82ab9138 82c916d5 nt!NtQueryInformationFile
82ab913c 82cc80ff nt!NtQueryInformationJobObject
82ab9140 82d057d4 nt!NtQueryInformationPort
82ab9144 82c72644 nt!NtQueryInformationProcess
82ab9148 82d2f5fe nt!NtQueryInformationResourceManager
82ab914c 82c98d6d nt!NtQueryInformationThread
82ab9150 82c8e06e nt!NtQueryInformationToken
82ab9154 82d2e8e4 nt!NtQueryInformationTransaction
82ab9158 82bb8bcf nt!NtQueryInformationTransactionManager
82ab915c 82b4fe81 nt!NtQueryInformationWorkerFactory
82ab9160 82c1ac3f nt!NtQueryInstallUILanguage
82ab9164 82d46e6b nt!NtQueryIntervalProfile
82ab9168 82cf2d68 nt!NtQueryIoCompletion
82ab916c 82c87cae nt!NtQueryKey
82ab9170 82c3de8d nt!NtQueryLicenseValue
82ab9174 82c1ccc0 nt!NtQueryMultipleValueKey
82ab9178 82d4657c nt!NtQueryMutant
82ab917c 82c3ced6 nt!NtQueryObject
82ab9180 82cd7b05 nt!NtQueryOpenSubKeys
82ab9184 82cc5df8 nt!NtQueryOpenSubKeysEx
82ab9188 82c4c277 nt!NtQueryPerformanceCounter
82ab918c 82d182c4 nt!NtQueryPortInformationProcess
82ab9190 82cf4349 nt!NtQueryQuotaInformationFile
82ab9194 82cb29e6 nt!NtQuerySection
82ab9198 82c322d0 nt!NtQuerySecurityAttributesToken
82ab919c 82c35e4c nt!NtQuerySecurityObject
82ab91a0 82d3f3fc nt!NtQuerySemaphore
82ab91a4 82c89c15 nt!NtQuerySymbolicLinkObject
82ab91a8 82d3f5d3 nt!NtQuerySystemEnvironmentValue
82ab91ac 82d3fbc7 nt!NtQuerySystemEnvironmentValueEx
82ab91b0 82c6bcd4 nt!NtQuerySystemInformation
82ab91b4 82ca4ddd nt!NtQuerySystemInformationEx
82ab91b8 82cb2af7 nt!NtQuerySystemTime
82ab91bc 82d45ece nt!NtQueryTimer
82ab91c0 82c28729 nt!NtQueryTimerResolution
82ab91c4 82c86405 nt!NtQueryValueKey
82ab91c8 82c976a7 nt!NtQueryVirtualMemory
82ab91cc 82c922c8 nt!NtQueryVolumeInformationFile
82ab91d0 82c37caa nt!NtQueueApcThread
82ab91d4 82c33e67 nt!NtQueueApcThreadEx
82ab91d8 82a7bd54 nt!NtRaiseException
82ab91dc 82c130a3 nt!NtRaiseHardError
82ab91e0 82c9dc8c nt!NtReadFile
82ab91e4 82bd36a7 nt!NtReadFileScatter
82ab91e8 82d2e580 nt!NtReadOnlyEnlistment
82ab91ec 82d058b9 nt!NtReadRequestData
82ab91f0 82c9b82c nt!NtReadVirtualMemory
82ab91f4 82d2db46 nt!NtRecoverEnlistment
82ab91f8 82be388c nt!NtRecoverResourceManager
82ab91fc 82be5128 nt!NtRecoverTransactionManager
82ab9200 82d2ff38 nt!NtRegisterProtocolAddressInformation
82ab9204 82d1909c nt!NtRegisterThreadTerminatePort
82ab9208 82c6c0ed nt!NtReleaseKeyedEvent
82ab920c 82c64873 nt!NtReleaseMutant
82ab9210 82c4eb6a nt!NtReleaseSemaphore
82ab9214 82abec28 nt!NtReleaseWorkerFactoryWorker
82ab9218 82c41a8e nt!NtRemoveIoCompletion
82ab921c 82c3ca8e nt!NtRemoveIoCompletionEx
82ab9220 82ce9c81 nt!NtRemoveProcessDebug
82ab9224 82cd7d4b nt!NtRenameKey
82ab9228 82d2fbd4 nt!NtRenameTransactionManager
82ab922c 82cd7898 nt!NtReplaceKey
82ab9230 82b173d3 nt!NtReplacePartitionUnit
82ab9234 82c2ca3d nt!NtReplyPort
82ab9238 82c745e2 nt!NtReplyWaitReceivePort
82ab923c 82c74165 nt!NtReplyWaitReceivePortEx
82ab9240 82d05a85 nt!NtReplyWaitReplyPort
82ab9244 82cbc435 nt!NtRequestPort
82ab9248 82c798d9 nt!NtRequestWaitReplyPort
82ab924c 82c17ec3 nt!NtResetEvent
82ab9250 82b25c18 nt!NtResetWriteWatch
82ab9254 82ccd904 nt!NtRestoreKey
82ab9258 82d198fd nt!NtResumeProcess
82ab925c 82cac34b nt!NtResumeThread
82ab9260 82d2e636 nt!NtRollbackComplete
82ab9264 82d2e1ea nt!NtRollbackEnlistment
82ab9268 82be1c7c nt!NtRollbackTransaction
82ab926c 82d2fd36 nt!NtRollforwardTransactionManager
82ab9270 82ccf176 nt!NtSaveKey
82ab9274 82cce91c nt!NtSaveKeyEx
82ab9278 82cd6bbb nt!NtSaveMergedKeys
82ab927c 82c99dbc nt!NtSecureConnectPort
82ab9280 82bc6f07 nt!NtSerializeBoot
82ab9284 82d40c7f nt!NtSetBootEntryOrder
82ab9288 82d4116b nt!NtSetBootOptions
82ab928c 82d18cff nt!NtSetContextThread
82ab9290 82bac9bd nt!NtSetDebugFilterState
82ab9294 82bca895 nt!NtSetDefaultHardErrorPort
82ab9298 82bdece1 nt!NtSetDefaultLocale
82ab929c 82bdf250 nt!NtSetDefaultUILanguage
82ab92a0 82d41bf5 nt!NtSetDriverEntryOrder
82ab92a4 82cf3dda nt!NtSetEaFile
82ab92a8 82c656de nt!NtSetEvent
82ab92ac 82d3f0b7 nt!NtSetEventBoostPriority
82ab92b0 82d46435 nt!NtSetHighEventPair
82ab92b4 82d46367 nt!NtSetHighWaitLowEventPair
82ab92b8 82cea3b9 nt!NtSetInformationDebugObject
82ab92bc 82d2ddea nt!NtSetInformationEnlistment
82ab92c0 82c9275c nt!NtSetInformationFile
82ab92c4 82c37cce nt!NtSetInformationJobObject
82ab92c8 82cd73ad nt!NtSetInformationKey
82ab92cc 82c44314 nt!NtSetInformationObject
82ab92d0 82c74603 nt!NtSetInformationProcess
82ab92d4 82d2f80c nt!NtSetInformationResourceManager
82ab92d8 82ca5aaf nt!NtSetInformationThread
82ab92dc 82c3f780 nt!NtSetInformationToken
82ab92e0 82d2f146 nt!NtSetInformationTransaction
82ab92e4 82d2fdfb nt!NtSetInformationTransactionManager
82ab92e8 82ae8362 nt!NtSetInformationWorkerFactory
82ab92ec 82d46e48 nt!NtSetIntervalProfile
82ab92f0 82c1fb82 nt!NtSetIoCompletion
82ab92f4 82cf2e8e nt!NtSetIoCompletionEx
82ab92f8 82d1ad17 nt!NtSetLdtEntries
82ab92fc 82d463d2 nt!NtSetLowEventPair
82ab9300 82d462fc nt!NtSetLowWaitHighEventPair
82ab9304 82cf495f nt!NtSetQuotaInformationFile
82ab9308 82c3d626 nt!NtSetSecurityObject
82ab930c 82d3f8cd nt!NtSetSystemEnvironmentValue
82ab9310 82d3fedf nt!NtSetSystemEnvironmentValueEx
82ab9314 82c8a0ee nt!NtSetSystemInformation
82ab9318 82d5cd7a nt!NtSetSystemPowerState
82ab931c 82ccbe70 nt!NtSetSystemTime
82ab9320 82cd2b4d nt!NtSetThreadExecutionState
82ab9324 82abed52 nt!NtSetTimer
82ab9328 82ad14b9 nt!NtSetTimerEx
82ab932c 82c2cb3e nt!NtSetTimerResolution
82ab9330 82bce2d7 nt!NtSetUuidSeed
82ab9334 82c46427 nt!NtSetValueKey
82ab9338 82cf4979 nt!NtSetVolumeInformationFile
82ab933c 82d3e5ad nt!NtShutdownSystem
82ab9340 82c4e9b7 nt!NtShutdownWorkerFactory
82ab9344 82b08701 nt!NtSignalAndWaitForSingleObject
82ab9348 82d2e4ca nt!NtSinglePhaseReject
82ab934c 82d46b84 nt!NtStartProfile
82ab9350 82d46d7b nt!NtStopProfile
82ab9354 82d1989f nt!NtSuspendProcess
82ab9358 82cd0e2d nt!NtSuspendThread
82ab935c 82cc1464 nt!NtSystemDebugControl
82ab9360 82c2e36f nt!NtTerminateJobObject
82ab9364 82c969bf nt!NtTerminateProcess
82ab9368 82cb4334 nt!NtTerminateThread
82ab936c 82cabafa nt!NtTestAlert
82ab9370 82b0e75f nt!NtThawRegistry
82ab9374 82d2f478 nt!NtThawTransactions
82ab9378 82c8b9bb nt!NtTraceControl
82ab937c 82b016a0 nt!NtTraceEvent
82ab9380 82d41df9 nt!NtTranslateFilePath
82ab9384 82d0574b nt!NtUmsThreadYield
82ab9388 82cf51cf nt!NtUnloadDriver
82ab938c 82cc4503 nt!NtUnloadKey
82ab9390 82cc451d nt!NtUnloadKey2
82ab9394 82cd6d53 nt!NtUnloadKeyEx
82ab9398 82c41eaf nt!NtUnlockFile
82ab939c 82a57b17 nt!NtUnlockVirtualMemory
82ab93a0 82ca063a nt!NtUnmapViewOfSection
82ab93a4 82d33769 nt!NtVdmControl
82ab93a8 82ce9ed7 nt!NtWaitForDebugEvent
82ab93ac 82c6be16 nt!NtWaitForKeyedEvent
82ab93b0 82c64435 nt!NtWaitForMultipleObjects
82ab93b4 82d0f904 nt!NtWaitForMultipleObjects32
82ab93b8 82c63ae7 nt!NtWaitForSingleObject
82ab93bc 82abe7b1 nt!NtWaitForWorkViaWorkerFactory
82ab93c0 82d46293 nt!NtWaitHighEventPair
82ab93c4 82d4622a nt!NtWaitLowEventPair
82ab93c8 82af74b4 nt!NtWorkerFactoryWorkerReady
82ab93cc 82caaf2b nt!NtWriteFile
82ab93d0 82bdb2f7 nt!NtWriteFileGather
82ab93d4 82d05926 nt!NtWriteRequestData
82ab93d8 82c9b71c nt!NtWriteVirtualMemory
82ab93dc 82a665c5 nt!NtYieldExecution
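A defender can use a dump like the one above to check the table for hooks. The following is an added example, not part of the original article: it parses `dds KiServiceTable` output and flags entries whose pointer leaves the kernel image or does not resolve to an `nt!` symbol. The image bounds, the `examplehook` module and the two altered rows in the sample are constructed for illustration; real bounds would come from the debugger (for example `lm m nt`).

```python
import re

# One dds row: slot address, stored pointer, optional symbol (e.g. nt!NtClose).
ROW = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?$")

# Constructed bounds for the nt image (assumption, not taken from the page).
NT_START, NT_END = 0x82A00000, 0x82E00000

# Constructed sample: rows 0, 1 and 3 are copied from the dump above,
# rows 2 and 4 are altered to simulate hooked entries.
SAMPLE = """\
lkd> dds KiServiceTable l 5
82ab8d9c 82cb4c28 nt!NtAcceptConnectPort
82ab8da0 82afb40d nt!NtAccessCheck
82ab8da4 9a3f1200 examplehook+0x1200
82ab8da8 82a5f88a nt!NtAccessCheckByType
82ab8dac 8f001000
"""

def parse_dds(text):
    """Return (index, slot, target, symbol) for every table row in dds output."""
    rows, base = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt line, blank line or other debugger noise
        slot, target = int(m.group(1), 16), int(m.group(2), 16)
        if base is None:
            base = slot  # first slot is service index 0
        rows.append(((slot - base) // 4, slot, target, m.group(3)))
    return rows

def find_suspect_entries(rows, nt_start, nt_end):
    """Flag entries that point outside nt or resolve to another module."""
    suspects = []
    for index, _slot, target, symbol in rows:
        reasons = []
        if not nt_start <= target < nt_end:
            reasons.append("target outside nt image")
        if symbol is None:
            reasons.append("no symbol resolved")
        elif not symbol.startswith("nt!"):
            reasons.append("resolves to " + re.split(r"[!+]", symbol)[0])
        if reasons:
            suspects.append((index, hex(target), symbol, reasons))
    return suspects

if __name__ == "__main__":
    for entry in find_suspect_entries(parse_dds(SAMPLE), NT_START, NT_END):
        print(entry)
```

This only checks the table pointers in the 32-bit layout shown on this page; code patched inside a legitimate `nt!` routine would not show up in such a comparison.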
References
- [1] "Windows rootkits of 2005, part one". Symantec. 2005.
- [2] "Attack defeats 'most' antivirus software". ZD Net UK. 2010.
This article is issued from Wikipedia - version of the Sunday, January 03, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.