The Interrupt Descriptor Table (IDT) stores the addresses of functions known as ISR (Interrupt Service Routines or Interrupt handlers). These functions handle interrupts and processor exceptions. Like hooking an SSDT, an attacker may hook the entries in the IDT to redirect control to the malicious code. To display the IDT entries, you can use the idt Volatility plugin. An example of a malware which hooked an IDT is the Uroburos (Turla) rootkit. This rootkit hooked the interrupt handler located at the 0xc3 (INT C3) index. On a clean system, the interrupt handler at 0xC3 points to an address that resides in the memory of ntoskrnl.exe. The following output shows the entry from the clean system:

$ python vol.py -f win7.vmem ...