REVIEW: "Designing BSD Rootkits", Joseph Kong
- BKDSBSDR.RVW 20071005
"Designing BSD Rootkits", Joseph Kong, 2007, 1-59327-142-5,
%A Joseph Kong
%C 555 De Haro Street, Suite 250, San Francisco, CA 94107
%G 1-59327-142-5 978-1-59327-142-8
%I No Starch Press
%O U$29.95/C$36.95 415-863-9900 fax 415-863-9950 info@...
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 136 p.
%T "Designing BSD Rootkits: An Introduction to Kernel Hacking"
The purpose of the book is to teach how to use techniques of
kernel-mode programming that will provide control over certain aspects
of the FreeBSD (Berkeley Systems Distribution) operating system
without making such control apparent to the user. As a secondary aim,
the reader should also be able to consider recoding functions of the
operating system, as well as techniques for detecting and removing
Chapter one introduces the programming of Loadable Kernel Modules
(LKMs, which are also known as Dynamic Kernel Linkers or KLDs). C
code for short routines and system calls are listed, although the
explanations are extremely terse, and the reader would have to be well
familiar with system programming in order to understand the use and
access to these functions. Call hooking (or just "hooking"), the
redirection of calls to standard operations in order to modify system
behaviour, is the subject of chapter two. Kernel objects maintain
information about the operations underway in the computer, and
therefore direct manipulation of these structures, explained in
chapter three, is necessary to hide from attempts to detect unusual
processes. Since kernel objects also control program flow, chapter
four briefly demonstrates how to hook the structures. Chapter five
examines the type of programming necessary to directly patch code in
the kernel memory area.
Chapter six uses the various ideas discussed earlier to create a
rootkit for avoiding detection by change-detection style host-based
intrusion detection systems (HIDS), specifically Tripwire. Chapter
seven outlines (without code examples) techniques for detecting the
type of programming and activity described earlier in the book.
In my opening sentence, I said that the volume's purpose was to teach
kernel-mode programming. That statement, and the preface, begs the
question of the intended audience. Actually, the book only addresses
specific functions: it certainly doesn't teach kernel-mode programming
as such. The reader will already have to know a fair mount of it in
order to apply the content of the tome. The text does seem to imply
that it is hoped whitehats will use it, but is the substance really
directed at protective measures?
The material in the book does provide a number of examples of kernel-
mode programming, and may act as a guide for those interested in
exploring the areas for which code is provided. Certain aspects of
the internals of the BSD operating systems are explained. However,
those interested in having in-depth examinations of the operating
system, or those wishing to know about detection of these types of
applications, may wish to look elsewhere.
copyright Robert M. Slade, 2007 BKDSBSDR.RVW 20071005
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
At any given time, one third of the world's population is asleep.
That means two thirds are awake and causing problems.