Chapter 11 Modifying Call Tables
A call table is just an array in which each element stores the address of a routine. Callers reach the routine through the table entry rather than through a hard-coded address, so overwriting a single entry redirects every caller that uses it without touching the routine itself. Call tables exist in both user space and kernel space and take different forms depending on the role each one plays (see Table 11.1).
Table 11.1 Call tables in user space and kernel space

| Location | Table | Types of Addresses Stored |
|---|---|---|
| User space | IAT | Windows DLL routines imported by a module |
| Kernel space | IDT | Interrupt handling routines (mostly hardware related) |
| Kernel space | CPU MSRs | Model-specific registers (e.g., IA32_SYSENTER_EIP) |
| Kernel space | GDT | Entire segments of memory |
| Kernel space | SSDT | Executive system call routines |
| Kernel space | IRP dispatch table | Routines used by a driver to ... |
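The mechanism the table lists is the same everywhere: an indexed array of routine addresses, a dispatcher that calls through it, and a hook that swaps one entry. The following user-space model is an added example written for this page, not code from the book: the table, service names and detour are hypothetical, and it stands in for an SSDT or IAT that a real rootkit would patch. It shows the hook (save the original entry, install a detour that chains to it) next to the check a defender runs against it (compare the live table with a snapshot taken before untrusted code ran).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical service table (constructed for this example).
 * Each entry is the address of a routine; the dispatcher never calls
 * the routines directly, only through the table. */
typedef int (*service_fn)(int arg);

enum { SVC_ADD_ONE = 0, SVC_DOUBLE = 1, SVC_NEGATE = 2, SVC_COUNT = 3 };

static int svc_add_one(int x) { return x + 1; }
static int svc_double(int x)  { return x * 2; }
static int svc_negate(int x)  { return -x; }

/* The live call table, analogous to an SSDT or IAT. */
static service_fn call_table[SVC_COUNT] = { svc_add_one, svc_double, svc_negate };

/* Known-good copy of the table, captured before anything untrusted runs. */
static service_fn baseline[SVC_COUNT];

/* Dispatcher: index into the table and call through the stored address.
 * Returns -1 for an out-of-range index (a real dispatcher would report
 * the error out of band). */
int dispatch(int index, int arg) {
    if (index < 0 || index >= SVC_COUNT) return -1;
    return call_table[index](arg);
}

/* ---- Hook side: what a rootkit does to the table ---------------- */
static service_fn original_double;   /* saved so the detour can chain */
static int detour_calls;             /* observable side effect of the hook */

/* Detour: runs in place of svc_double, calls the original, tampers with
 * the result. Every caller that goes through the table now lands here. */
static int detour_double(int x) {
    detour_calls++;
    return original_double(x) + 1000;
}

void install_hook(void) {
    original_double = call_table[SVC_DOUBLE];
    call_table[SVC_DOUBLE] = detour_double;    /* the single-entry overwrite */
}

void remove_hook(void) {
    if (original_double) {
        call_table[SVC_DOUBLE] = original_double;
        original_double = NULL;
    }
}

int detour_call_count(void) { return detour_calls; }

/* ---- Detection side: snapshot and compare ------------------------ */
void snapshot_baseline(void) {
    memcpy(baseline, call_table, sizeof(call_table));
}

/* Returns how many entries differ from the snapshot; if first_bad is
 * non-NULL it receives the index of the first modified entry (or -1). */
int count_modified_entries(int *first_bad) {
    int bad = 0;
    if (first_bad) *first_bad = -1;
    for (int i = 0; i < SVC_COUNT; i++) {
        if (call_table[i] != baseline[i]) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

int main(void) {
    int idx;
    snapshot_baseline();
    printf("clean:  double(21) = %d, modified entries = %d\n",
           dispatch(SVC_DOUBLE, 21), count_modified_entries(&idx));
    install_hook();
    printf("hooked: double(21) = %d, modified entries = %d (first at %d)\n",
           dispatch(SVC_DOUBLE, 21), count_modified_entries(&idx), idx);
    remove_hook();
    printf("restored: double(21) = %d, modified entries = %d\n",
           dispatch(SVC_DOUBLE, 21), count_modified_entries(&idx));
    return 0;
}
```

Two caveats carry over to the real tables. The snapshot is only as trustworthy as the moment it was taken: if the rootkit loaded first, the baseline already contains the detour. And a comparison of table entries sees only table modifications; a rootkit that leaves the entry alone and patches the first bytes of the routine it points to (an inline hook) passes this check, so a table-integrity scan needs to be paired with a check of the routine bodies, or of whether each entry points inside the image that is supposed to own it.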