0xbekoo

SSDT Hook Detector

Language: C

A user-mode tool that, with the help of a small kernel driver, reads the SSDT out of kernel memory and flags hooked syscalls, i.e. entries whose target address falls outside ntoskrnl.exe's expected address range.

  • Overview
  • How It Works
  • Detection Scope

Overview

A user-mode utility that detects SSDT hooks installed by rootkits or anti-cheat software. Because the System Service Descriptor Table lives in kernel memory, the utility loads a custom driver to read it, then compares each entry against the expected address range of ntoskrnl.exe. On 64-bit Windows, Kernel Patch Protection (PatchGuard) monitors the SSDT and bug-checks the machine when it is modified, so in practice the hooks this tool finds are confined to 32-bit systems or to systems where PatchGuard has been disabled or bypassed; the check itself is the same on both.

How It Works

  1. Loads a signed kernel driver that exposes an IOCTL interface to the user-mode tool
  2. Resolves the KeServiceDescriptorTable pointer inside the driver and hands the table base and service count back to user mode over that IOCTL
  3. Iterates every service entry, decodes it to a target address, and checks whether that address falls inside ntoskrnl's .text section. The entry format depends on the architecture: on x86 the table holds absolute function pointers, while on x64 each entry is a 32-bit value holding a signed offset from the table base shifted left by four bits, with the low four bits giving the number of stack arguments, so the entry has to be decoded before the range comparison
  4. Reports each hooked entry with its index, the hook address, and the closest known symbol
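The following is an added example of the range check in steps 3 and 4, written for this page and not taken from the project's code. It models the data the driver would return (ntoskrnl image and .text bounds, table base, service count, raw entries) as a constructed snapshot, decodes entries in both the x86 and x64 formats, flags every target outside ntoskrnl's .text, and attributes each flagged target to a loaded module from a constructed module list; the same pass also notices a swapped table (ServiceTableBase outside the ntoskrnl image), which covers the table-swap and third-party-module cases listed under Detection Scope. All addresses, module names and the struct layouts are assumptions for the example; the real tool would obtain the module list from NtQuerySystemInformation(SystemModuleInformation) and the snapshot from its driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A loaded kernel module's address range (constructed for the example). */
typedef struct { const char *name; uint64_t base, size; } KModule;

/* What the driver would hand back over its IOCTL (assumed layout, not the project's). */
typedef struct {
    uint64_t ntos_base, ntos_size;   /* whole ntoskrnl.exe image */
    uint64_t text_base, text_size;   /* its .text section */
    uint64_t table_base;             /* KeServiceDescriptorTable.ServiceTableBase */
    uint32_t count;                  /* NumberOfServices */
    int      is_x64;
} SsdtSnapshot;

typedef struct { uint32_t index; uint64_t target; const char *module; } SsdtFinding;

static int in_range(uint64_t a, uint64_t base, uint64_t size)
{
    return a >= base && a - base < size;
}

/* x86 entries are absolute pointers. x64 entries hold a signed offset from the
 * table base in the upper 28 bits and the stack-argument count in the low 4 bits. */
static uint64_t ssdt_decode_entry(const SsdtSnapshot *s, uint32_t raw)
{
    if (!s->is_x64) return raw;
    int32_t off = (int32_t)raw >> 4;            /* arithmetic shift keeps the sign */
    return s->table_base + (uint64_t)(int64_t)off;
}

/* Inverse of the decode, used only to build the constructed sample table. The x64
 * reach is +/-128 MiB from the table, which is why x64 hooks must sit near ntoskrnl. */
static uint32_t ssdt_encode_entry(const SsdtSnapshot *s, uint64_t target, unsigned argc)
{
    if (!s->is_x64) return (uint32_t)target;
    uint32_t delta = (uint32_t)(target - s->table_base);   /* wraps for negative offsets */
    return (delta << 4) | (argc & 0xF);
}

static const char *module_for(uint64_t a, const KModule *m, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (in_range(a, m[i].base, m[i].size)) return m[i].name;
    return "<unknown>";
}

/* Walk the table. Every entry whose target lies outside ntoskrnl's .text is recorded
 * with the module that owns the target. Returns the number of findings and sets
 * *table_swapped if ServiceTableBase itself points outside the ntoskrnl image. */
static size_t ssdt_scan(const SsdtSnapshot *s, const uint32_t *entries,
                        const KModule *mods, size_t nmods,
                        SsdtFinding *out, size_t max, int *table_swapped)
{
    size_t n = 0;
    *table_swapped = !in_range(s->table_base, s->ntos_base, s->ntos_size);
    for (uint32_t i = 0; i < s->count && n < max; i++) {
        uint64_t t = ssdt_decode_entry(s, entries[i]);
        if (in_range(t, s->text_base, s->text_size)) continue;   /* clean entry */
        out[n].index  = i;
        out[n].target = t;
        out[n].module = module_for(t, mods, nmods);
        n++;
    }
    return n;
}

static const KModule g_mods[] = {                       /* constructed module list */
    { "ntoskrnl.exe", 0xFFFFF80000000000ull, 0x800000 },
    { "evil.sys",     0xFFFFF80004000000ull, 0x10000  },
};
static const SsdtSnapshot g_snap = {                    /* constructed x64 snapshot */
    .ntos_base = 0xFFFFF80000000000ull, .ntos_size = 0x800000,
    .text_base = 0xFFFFF80000400000ull, .text_size = 0x200000,
    .table_base = 0xFFFFF80000780000ull, .count = 4, .is_x64 = 1,
};
SsdtFinding g_findings[8];
int g_table_swapped;

/* Four constructed syscalls: one redirected into evil.sys, one into a part of
 * ntoskrnl that is not .text. Returns the number of flagged entries. */
size_t demo_scan(void)
{
    uint32_t table[4] = {
        ssdt_encode_entry(&g_snap, 0xFFFFF80000401230ull, 1),  /* index 0: clean */
        ssdt_encode_entry(&g_snap, 0xFFFFF80004001000ull, 4),  /* index 1: hooked into evil.sys */
        ssdt_encode_entry(&g_snap, 0xFFFFF800004A0000ull, 11), /* index 2: clean */
        ssdt_encode_entry(&g_snap, 0xFFFFF80000300000ull, 2),  /* index 3: ntoskrnl but not .text */
    };
    size_t n = ssdt_scan(&g_snap, table, g_mods, 2, g_findings, 8, &g_table_swapped);
    for (size_t i = 0; i < n; i++)
        printf("hooked: index %u -> 0x%llx (%s)\n", g_findings[i].index,
               (unsigned long long)g_findings[i].target, g_findings[i].module);
    return n;
}

/* Same snapshot but with ServiceTableBase moved into evil.sys: a table swap. */
int demo_table_swap(void)
{
    SsdtSnapshot s = g_snap;
    s.table_base = 0xFFFFF80004002000ull;
    s.count = 0;
    int swapped = 0;
    SsdtFinding tmp[1];
    ssdt_scan(&s, NULL, g_mods, 2, tmp, 1, &swapped);
    return swapped;
}
```

The .text check deliberately treats an entry that points elsewhere inside ntoskrnl (index 3 above) as a finding, since a legitimate service routine never lives outside .text; the module attribution then tells the analyst whether the target is a code cave in the kernel image or a third-party driver. Note also what the check cannot see: an inline patch inside an ntoskrnl function body leaves the table entry in range and is not reported.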

Detection Scope

  • Direct SSDT entry overwrites: an entry redirected to an address outside ntoskrnl's .text. Inline patches placed inside an ntoskrnl function body leave the entry in range and are not caught by this check
  • SSDT pointer replacement (table swap): the ServiceTableBase pointer itself redirected to a copy of the table outside the ntoskrnl image
  • Entries redirected into third-party modules, including cases where only a subset of the table is hooked; each finding is reported with the module that owns the hook address


© 0xbekoo 2026 | 0xbekoo.github.io
