Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Designing BSD Rootkits", Joseph Kong

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKDSBSDR.RVW 20071005 Designing BSD Rootkits , Joseph Kong, 2007, 1-59327-142-5, U$29.95/C$36.95 %A Joseph Kong %C 555 De Haro Street, Suite 250, San
    Message 1 of 1 , Jan 10, 2008
    • 0 Attachment
      BKDSBSDR.RVW 20071005

      "Designing BSD Rootkits", Joseph Kong, 2007, 1-59327-142-5,
      U$29.95/C$36.95
      %A Joseph Kong
      %C 555 De Haro Street, Suite 250, San Francisco, CA 94107
      %D 2007
      %G 1-59327-142-5 978-1-59327-142-8
      %I No Starch Press
      %O U$29.95/C$36.95 415-863-9900 fax 415-863-9950 info@...
      %O http://www.amazon.com/exec/obidos/ASIN/1593271425/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1593271425/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1593271425/robsladesin03-20
      %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 136 p.
      %T "Designing BSD Rootkits: An Introduction to Kernel Hacking"

      The purpose of the book is to teach how to use techniques of
      kernel-mode programming that will provide control over certain aspects
      of the FreeBSD (Berkeley Systems Distribution) operating system
      without making such control apparent to the user. As a secondary aim,
      the reader should also be able to consider recoding functions of the
      operating system, as well as techniques for detecting and removing
      rootkits.

      Chapter one introduces the programming of Loadable Kernel Modules
      (LKMs, which are also known as Dynamic Kernel Linkers or KLDs). C
      code for short routines and system calls are listed, although the
      explanations are extremely terse, and the reader would have to be well
      familiar with system programming in order to understand the use and
      access to these functions. Call hooking (or just "hooking"), the
      redirection of calls to standard operations in order to modify system
      behaviour, is the subject of chapter two. Kernel objects maintain
      information about the operations underway in the computer, and
      therefore direct manipulation of these structures, explained in
      chapter three, is necessary to hide from attempts to detect unusual
      processes. Since kernel objects also control program flow, chapter
      four briefly demonstrates how to hook the structures. Chapter five
      examines the type of programming necessary to directly patch code in
      the kernel memory area.

      Chapter six uses the various ideas discussed earlier to create a
      rootkit for avoiding detection by change-detection style host-based
      intrusion detection systems (HIDS), specifically Tripwire. Chapter
      seven outlines (without code examples) techniques for detecting the
      type of programming and activity described earlier in the book.

      In my opening sentence, I said that the volume's purpose was to teach
      kernel-mode programming. That statement, and the preface, begs the
      question of the intended audience. Actually, the book only addresses
      specific functions: it certainly doesn't teach kernel-mode programming
      as such. The reader will already have to know a fair mount of it in
      order to apply the content of the tome. The text does seem to imply
      that it is hoped whitehats will use it, but is the substance really
      directed at protective measures?

      The material in the book does provide a number of examples of kernel-
      mode programming, and may act as a guide for those interested in
      exploring the areas for which code is provided. Certain aspects of
      the internals of the BSD operating systems are explained. However,
      those interested in having in-depth examinations of the operating
      system, or those wishing to know about detection of these types of
      applications, may wish to look elsewhere.

      copyright Robert M. Slade, 2007 BKDSBSDR.RVW 20071005


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      At any given time, one third of the world's population is asleep.
      That means two thirds are awake and causing problems.
      http://victoria.tc.ca/techrev/rms.htm
    Your message has been successfully submitted and would be delivered to recipients shortly.