Operator On The Wire

ssdt

System Service Descriptor Table

Usage

  • Detect SSDT (system call) hooking in a Windows memory image.
  • Every entry in SSDT[0] should resolve into the kernel image (ntoskrnl.exe; on x86 the same kernel may be installed as ntkrnlpa.exe, ntkrnlmp.exe or ntkrpamp.exe), and every entry in the shadow table SSDT[1] into win32k.sys. An entry owned by any other module, or reported as UNKNOWN because its address lies inside no loaded module, means the table has been hooked.
  • Treat a foreign owner as a lead, not a verdict: on x86 pre-Vista systems some legitimate security products hooked the SSDT. Identify the owning driver (modules, modscan, driverscan), dump it and confirm what the hook does. On x64 PatchGuard makes classic SSDT hooking rare, so a clean table does not rule out inline hooks, IRP hooks or kernel callbacks.

Commands

# Inspect SSDT hooks (Vol2): lists each entry with its address, symbol and owning module
vol.py -f <mem> --profile=<profile> ssdt

# Inspect SSDT (Vol3): no profile needed, symbols are resolved from the kernel PDB
python3 vol.py -f <mem> windows.ssdt
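Reviewing a few hundred entries by eye is error-prone, so the check above is easier to run as a filter over the plugin output. The script below is an added example written for this page, not code from the Volatility project: it parses the text output of the Vol2 `ssdt` plugin ("Entry 0x....: 0x........ (NtXxx) owned by <module>" lines) and the Vol3 `windows.ssdt` plugin (assumed tab-separated Index/Address/Module/Symbol columns) and prints every entry whose owner is not the kernel image or win32k.sys. The sample output embedded in the file is constructed for the example, and the hooked owner `example.sys` is a placeholder name, not a real driver.

```python
"""Flag SSDT entries whose owning module is not the kernel (or win32k.sys).

Parses the text output of Volatility 2 `ssdt` and Volatility 3 `windows.ssdt`
and reports entries that resolve outside the expected images.
Usage: vol.py -f mem.raw --profile=... ssdt | python3 ssdt_hooks.py
(with no stdin it runs against the constructed sample below).
"""
import re
import sys
from typing import List, NamedTuple

# Images that legitimately own SSDT entries. The x86 kernel can be installed
# under several file names (PAE / multiprocessor builds); SSDT[1] is the
# shadow table serviced by win32k.sys.
LEGIT_OWNERS = {
    "ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe",
    "win32k.sys",
}


class SsdtEntry(NamedTuple):
    index: int    # service number (Vol2 folds the table number into the high bits)
    address: int  # handler address recorded in the table
    symbol: str   # NtXxx / NtGdiXxx name as printed by the plugin
    owner: str    # module containing `address`, or UNKNOWN if none


# Vol2 line shape:  Entry 0x0025: 0xf8a1c2d0 (NtCreateFile) owned by UNKNOWN
VOL2_ENTRY = re.compile(
    r"Entry\s+0x([0-9a-fA-F]+):\s+0x([0-9a-fA-F]+)\s+\((\S+)\)\s+owned by\s+(\S+)"
)


def parse_vol2(text: str) -> List[SsdtEntry]:
    """Parse `vol.py ... ssdt` output; table header lines are ignored."""
    return [
        SsdtEntry(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4))
        for m in VOL2_ENTRY.finditer(text)
    ]


def parse_vol3(text: str) -> List[SsdtEntry]:
    """Parse `vol.py ... windows.ssdt` output.

    Assumes tab-separated Index/Address/Module/Symbol columns; the banner,
    progress and header lines do not form a four-column numeric row and are skipped.
    """
    entries = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 4:
            continue
        try:
            entries.append(SsdtEntry(int(cols[0]), int(cols[1], 16), cols[3], cols[2]))
        except ValueError:  # header row or other non-entry text
            continue
    return entries


def find_hooks(entries: List[SsdtEntry]) -> List[SsdtEntry]:
    """Entries owned by anything other than the kernel image or win32k.sys."""
    return [e for e in entries if e.owner.lower() not in LEGIT_OWNERS]


def report(entries: List[SsdtEntry]) -> List[str]:
    """One human-readable line per suspicious entry."""
    return [
        f"HOOK? index=0x{e.index:04x} addr=0x{e.address:x} {e.symbol} owned by {e.owner}"
        for e in find_hooks(entries)
    ]


# Constructed sample output (not from a real image); example.sys is a placeholder.
SAMPLE_VOL2 = """\
SSDT[0] at 80501b8c with 284 entries
  Entry 0x0000: 0x8059849a (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0001: 0x805e8e0a (NtAccessCheck) owned by ntoskrnl.exe
  Entry 0x0025: 0xf8a1c2d0 (NtCreateFile) owned by UNKNOWN
  Entry 0x0091: 0xf89b1a40 (NtQueryDirectoryFile) owned by example.sys
SSDT[1] at bf997600 with 667 entries
  Entry 0x1000: 0xbf935f7e (NtGdiAbortDoc) owned by win32k.sys
"""

SAMPLE_VOL3 = (
    "Volatility 3 Framework 2.x\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "Index\tAddress\tModule\tSymbol\n"
    "0\t0xfffff80002aeb6c0\tntoskrnl.exe\tNtMapUserPhysicalPagesScatter\n"
    "1\t0xfffff80002b2a4d0\tntoskrnl.exe\tNtWaitForSingleObject\n"
    "82\t0xfffff88003c01200\texample.sys\tNtCreateFile\n"
)

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VOL2
    entries = parse_vol2(text) or parse_vol3(text)  # try Vol2 shape first, then Vol3
    for line in report(entries) or ["no SSDT entries outside the kernel / win32k.sys"]:
        print(line)
```

Pipe the plugin output straight into the script; anything it prints as HOOK? is the entry to chase with modules/modscan and a module dump. Both an UNKNOWN owner (address in no loaded module, typical of a rootkit that has hidden or unlinked itself) and a named third-party driver are flagged, since both need the same follow-up.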