Misplaced Pages

System Service Descriptor Table

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.

The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows.


The SSDT maps syscalls to kernel function addresses. When a syscall is issued by a user space application, it contains the service index as a parameter to indicate which syscall is called. The SSDT is then used to resolve the address of the corresponding function within ntoskrnl.exe. In modern Windows kernels, two SSDTs are used: one for generic routines (KeServiceDescriptorTable) and a second (KeServiceDescriptorTableShadow) for graphical routines. A parameter passed by

A partitioning to several regions according to the mathematical structure it has. In the case of total order, as for memory addresses, these are simply chunks. Like the hierarchical design of postal addresses, some nested domain hierarchies appear as a directed ordered tree, such as with the Domain Name System or a directory structure. In the Internet, the Internet Assigned Numbers Authority (IANA) allocates ranges of IP addresses to various registries so each can manage their parts of

A single address space for all user-mode code. (The kernel-mode code may be in the same address space, or it may be in a second address space). Other operating systems have a per-process address space, with a separate address space for each user-mode process. Another approach taken in experimental operating systems is to have a single address space for all software, and rely on a programming language's semantics to make sure that arbitrary memory cannot be accessed – applications cannot acquire any references to

Is strictly reserved for running a privileged operating system kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where application software and some drivers execute, typically one address space per process. The term user space (or userland) refers to all code that runs outside the operating system's kernel. User space usually refers to the various programs and libraries that

The address space would be a combination of locations, such as a neighborhood, town, city, or country. Some elements of a data address space may be the same, but if any element in the address is different, addresses in said space will reference different entities. For example, there could be multiple buildings at the same address of "32 Main Street" but in different towns, demonstrating that different towns have different, although similarly arranged, street address spaces. An address space usually provides (or allows)

The calling userspace application determines which SSDT shall be used. Modification of the SSDT allows syscalls to be redirected to routines outside the kernel. These routines can be used either to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, hooking SSDT calls is often used as a technique in both Windows kernel mode rootkits and antivirus software. In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to exploits using race conditions to attack

The edge of different IP spaces, such as a local area network and the Internet. An iconic example of virtual-to-physical address translation is virtual memory, where different pages of virtual address space map either to page file or to main memory physical address space. It is possible that several numerically different virtual addresses all refer to one physical address and hence to

The global Internet address space. Uses of addresses include, but are not limited to the following: Another common feature of address spaces are mappings and translations, often forming numerous layers. This usually means that some higher-level address must be translated to lower-level ones in some way. For example, a file system on a logical disk operates using linear sector numbers, which have to be translated to absolute LBA sector addresses, in simple cases, via addition of

The kernel to map part of another process's memory space to its own, as is the case for debuggers. Programs can also request shared memory regions with other processes, although other techniques are also available to allow inter-process communication. The most common way of implementing a user mode separate from kernel mode involves operating system protection rings. Protection rings, in turn, are implemented using CPU modes. Typically, kernel space programs run in kernel mode, also called supervisor mode; normal applications in user space run in user mode. Some operating systems are single address space operating systems—they have

The objects that they are not allowed to access. This approach has been implemented in JXOS, Unununium as well as Microsoft's Singularity research project.

Address space

In computing, an address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity. For software programs to save and retrieve stored data, each datum must have an address where it can be located. The number of address spaces available depends on

The operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, application software, etc. Each user space process normally runs in its own virtual memory space, and, unless explicitly allowed, cannot access the memory of other processes. This is the basis for memory protection in today's mainstream operating systems, and a building block for privilege separation. A separate user mode can also be used to build efficient virtual machines – see Popek and Goldberg virtualization requirements. With enough privileges, processes can request


The partition's first sector address. Then, for a disk drive connected via Parallel ATA, each of them must be converted to logical cylinder-head-sector address due to the interface historical shortcomings. It is converted back to LBA by the disk controller, then, finally, to physical cylinder, head and sector numbers. The Domain Name System maps its names to and from network-specific addresses (usually IP addresses), which in turn may be mapped to link layer network addresses via Address Resolution Protocol. Network address translation may also occur on

The products' security checks.

User space

A modern computer operating system usually uses virtual memory to provide separate address spaces or separate regions of a single address space, called user space and kernel space. Primarily, this separation serves to provide memory protection and hardware protection from malicious or errant software behaviour. Kernel space

The underlying address structure, which is usually limited by the computer architecture being used. Often an address space in a system with virtual memory corresponds to a highest level translation table, e.g., a segment table in IBM System/370. Address spaces are created by combining enough uniquely identified qualifiers to make an address unambiguous within the address space. For a person's physical address,
