Abstract: The traditional SSDT_Hook and its detection methods are analyzed, then it also analyzes a twice-jump SSDT_Hook. This method uses MOV to reach a trustable address, then makes processing jumps to its code. It has broken through the JMP-detection and jump-analysis in traditional IPS（Intrusion Prevention System）. Finally, this paper presents a method for the detection of the SSDT_Hook. Focus on the improvements of addressing the SSDT, it has achieved good results.

Key words: SSDT_Hook, trusted address space, KeServiceDescriptorTable, the twice-jump

摘要： 对传统SSDT钩挂（SSDT_Hook）及其检测方法进行了分析，同时分析了一种经过了二次跳转的SSDT钩挂方法。该方法使用了MOV指令跳转到可信任地址空间，再二次跳转到恶意代码中，突破了传统主动防御系统的JMP指令检测法和指令跳转分析法。最后，给出了一种针对该SSDT_Hook的检测方法，重点对传统检测方法中的SSDT寻址方法进行了改进，取得了较好的效果。

关键词: SSDT钩挂, 可信任地址空间, KeServiceDescriptorTable, 二次跳转