Vigil@nce - Antivirus: bypassing SSDT Hooking
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an antivirus redirects the SSDT to detect viruses, a local
attacker can use an atomicity error, in order to bypass this
protection.
Severity: 2/4
Creation date: 10/05/2010
Revision date: 11/05/2010
DESCRIPTION OF THE VULNERABILITY
The SSDT (System Service Descriptor Table) holds the references the
kernel uses to dispatch system calls, for example:
– NtCreateKey : create a key in registry
– NtCreateThread : create a thread
– NtDeleteFile : delete a file
– etc.
Antiviruses redirect entries of this table to their own verification
functions. Several implementations check the parameters and then call
the original system call. However, between these two operations, a
local attacker can change the parameters of the system call, because
they still reside in memory the attacker controls. An attacker can
therefore write a program that invokes the system call with legitimate
parameters, and then modify them just before the original system call
runs.
When an antivirus redirects the SSDT to detect viruses, a local
attacker can therefore exploit this atomicity error (a check-then-use
race) to bypass the protection.
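The following is an added example that models the race described above; it is not code from the bulletin or from any antivirus product. It simulates, in plain user-space C, a hook that validates the caller's parameter block and then re-reads it (the vulnerable pattern), beside a hook that captures the block once into private memory and validates and forwards only that copy (the mitigation). The structure, the callback that stands in for a second thread being scheduled, and the paths are all constructed for the illustration.

```c
#include <string.h>
/* Constructed stand-in for the user-mode parameter block a hooked
 * NtDeleteFile receives (not a real Windows structure). */
struct delete_params { char path[64]; };
/* Models the caller's second thread being scheduled inside the hook. */
typedef void (*preemption_cb)(struct delete_params *user);
char last_deleted_path[64];   /* path the "original" syscall acted on */
static int path_is_protected(const char *path) {
    return strncmp(path, "C:\\Protected\\", 13) == 0;
}
/* Stand-in for the original system call; records the path it was given. */
static int original_nt_delete_file(const char *path) {
    strncpy(last_deleted_path, path, sizeof last_deleted_path - 1);
    last_deleted_path[sizeof last_deleted_path - 1] = '\0';
    return 1;   /* "deleted" */
}

/* Vulnerable pattern from the bulletin: check the caller's memory, then
 * hand the very same memory to the original call. */
int vulnerable_hook(struct delete_params *user, preemption_cb preempt) {
    if (path_is_protected(user->path))
        return -1;                                  /* blocked */
    if (preempt) preempt(user);                     /* race window */
    return original_nt_delete_file(user->path);     /* second read */
}

/* Hardened pattern: capture the parameters once into memory the caller
 * cannot reach, validate the copy, and pass the copy onward. */
int hardened_hook(struct delete_params *user, preemption_cb preempt) {
    struct delete_params captured;
    memcpy(&captured, user, sizeof captured);
    if (path_is_protected(captured.path))
        return -1;
    if (preempt) preempt(user);                     /* same window, now harmless */
    return original_nt_delete_file(captured.path);
}

/* Constructed second thread: rewrites the parameter after validation. */
static void swap_path(struct delete_params *user) {
    strcpy(user->path, "C:\\Protected\\scanner.dll");
}
/* Runs one hook with a benign path that the second thread then swaps. */
int run_scenario(int (*hook)(struct delete_params *, preemption_cb)) {
    struct delete_params user;
    strcpy(user.path, "C:\\Temp\\harmless.txt");
    return hook(&user, swap_path);
}
```

With the vulnerable hook the original call receives the swapped, protected path; with the hardened hook it receives only the path that was actually validated, which is the property a kernel-mode hook must preserve.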
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Antivirus-bypassing-SSDT-Hooking-9633