This relates to combating malicious attacks against computer systems.
Over the last few years, rootkits and stealth memory attacks on computing platforms have increased exponentially. These attacks modify the lowest layers in the host operating system (OS)/hardware registers, such as the Interrupt Dispatch Tables (IDTs), exception handlers, and System Call Tables, to circumvent or disable anti-virus or other security software agents on the system.
A common vector used by hackers for circumvention of software programs is the interception of function pointers relating to the program. The mechanics of how this is accomplished vary slightly based on the specific target of the attack (two examples are provided below). One of the main reasons for attackers to use this method is to avoid detection by executable code integrity checkers such as System Integrity Services (See OS Independent Run-Time System Integrity Services, 2005, available from Intel Corporation, Santa Clara, Calif.).
Such an attack may be accomplished by the circumvention of an interrupt handler. As used herein, an “interrupt handler” includes exception handlers. A processor looks up the address of the Interrupt Dispatch Table (IDT) in a processor register. Other mechanisms can also be used to access interrupt handlers. Using the IRQ number provided by the interrupt controller, the processor selects a specific entry in the IDT. This value is the address of the interrupt service routine. The interrupt service routine then executes, and through the course of its execution it may schedule a deferred procedure call (DPC) to handle additional processing associated with the interrupt before returning execution control to the operating system kernel and retiring the interrupt.
An attacker can circumvent this process by modifying any one of the function pointers that make up the executable code chain. By changing such a pointer to point to an attacker's code, the attacker is able to run malicious code while remaining undetected by integrity checkers that only monitor static executable code. For example, if an integrity checker simply measured and protected the interrupt service routine and DPC executable code, this attack would go undetected.
Another way this attack can be waged is via modification of a program's Import Address Table (IAT) or other mechanisms for transferring control to other software programs. The IAT is a per-process table of function pointers that is initialized, when a program loads into memory, with the addresses of executable code that the loaded program references, such as dynamic link libraries and system services.
In both of these examples, the attacker modified a dynamic function pointer at runtime within a program that is otherwise protected by existing security methods.
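The gap described in both examples is that a checker which measures only static code never looks at the pointers that dispatch passes through. The following C program is an added illustration, not code from the patent or from Intel's System Integrity Services: it models a per-process table of function pointers (standing in for an IAT or a list of IDT entries; all names are constructed), records a known-good copy and digest of the pointers while the table is trusted, and on each later pass reports which entries no longer match, so a pointer redirected at runtime is caught even though every routine's code is unchanged. The `simulate_redirect` helper is a test hook that stands in for the runtime pointer change the text describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the patent or from Intel's System Integrity
 * Services. A hypothetical per-process table of function pointers stands in
 * for an IAT (or an IDT entry list); every name below is constructed. */
#define TABLE_SIZE 4

typedef int (*entry_fn)(int);

/* Four distinct "imported" routines so each has a distinct address. */
static int svc_open(int x)  { return x + 1; }
static int svc_read(int x)  { return x + 2; }
static int svc_write(int x) { return x + 3; }
static int svc_close(int x) { return x + 4; }

/* The live table that dispatch goes through, as the loader would fill it. */
static entry_fn g_table[TABLE_SIZE] = { svc_open, svc_read, svc_write, svc_close };

/* Known-good copy of the pointers plus a digest, recorded while the table is
 * trusted (e.g. right after load). In a real monitor this copy must live
 * where the monitored program cannot write it. */
static entry_fn g_baseline[TABLE_SIZE];
static uint64_t g_baseline_digest;

/* FNV-1a over the raw pointer bytes: one value to compare per pass, so the
 * checker only walks individual entries when something has changed. */
static uint64_t digest_table(const entry_fn *t, size_t n)
{
    const unsigned char *p = (const unsigned char *)t;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n * sizeof(entry_fn); i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void take_baseline(void)
{
    memcpy(g_baseline, g_table, sizeof g_table);
    g_baseline_digest = digest_table(g_baseline, TABLE_SIZE);
}

/* Returns how many entries no longer match the baseline and writes their
 * indices into changed[] (up to max_changed of them). */
int check_table(int *changed, size_t max_changed)
{
    if (digest_table(g_table, TABLE_SIZE) == g_baseline_digest)
        return 0;                       /* fast path: nothing moved */
    int count = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (g_table[i] != g_baseline[i]) {
            if ((size_t)count < max_changed)
                changed[count] = (int)i;
            count++;
        }
    }
    return count;
}

/* Put the known-good pointers back; one response a monitor can take after
 * reporting the change. */
void restore_table(void)
{
    memcpy(g_table, g_baseline, sizeof g_table);
}

/* Test hook: overwrite one entry with a routine that was never imported,
 * standing in for the runtime pointer change the text describes. */
static int unexpected_fn(int x) { return -x; }

void simulate_redirect(size_t index)
{
    if (index < TABLE_SIZE)
        g_table[index] = unexpected_fn;
}

/* Call through the live table, as the protected program would. */
int dispatch(size_t index, int arg)
{
    return index < TABLE_SIZE ? g_table[index](arg) : 0;
}

int main(void)
{
    int changed[TABLE_SIZE];
    take_baseline();
    printf("clean table: %d changed entries\n", check_table(changed, TABLE_SIZE));
    simulate_redirect(1);
    int n = check_table(changed, TABLE_SIZE);
    printf("after redirect: %d changed entries, first index %d\n", n, n ? changed[0] : -1);
    restore_table();
    printf("after restore: %d changed entries\n", check_table(changed, TABLE_SIZE));
    return 0;
}
```

Two design points carry over to a real monitor. First, the baseline and digest are only as trustworthy as the memory they sit in; if the monitored program (or a rootkit running at its privilege level) can rewrite them alongside the table, the check is silently re-baselined, which is why such a checker is normally placed outside the environment it measures. Second, some pointer tables change legitimately (an IAT entry filled in by lazy binding, for instance), so a production checker needs to know which transitions are expected rather than treating every difference from the load-time snapshot as an attack.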