Publisher: No Starch Press
This book covers a very technical and fascinating topic that hasn't received much bookshelf space before this book was released. This title aims to give you the knowledge necessary to understand rootkits while exploring the FreeBSD operating system and kernel.
About the author
Tinkering with computers has always been a primary passion of author Joseph Kong. He is a self-taught programmer who dabbles in information security, operating system theory, reverse engineering, and vulnerability assessment. He has written for Phrack Magazine and was a system administrator for the City of Toronto.
Inside the book
The book starts with a chapter dedicated to loadable kernel modules (LKM) which is natural since the majority of rootkits today are LKMs. You immediately realize you've entered programmer's territory since there's lots of code and examples. What's important to note about this chapter and the book in general is the exceptional organization of code that makes it easy to understand and look through.
What comes next is a look at hooking, a programming technique that employs handler functions to modify control flow. It is the most popular rootkit technique and Kong offers you an insight into how it works before moving on to discuss one of the hardest rootkit techniques to detect - direct kernel object manipulation (DKOM) as well as kernel object hooking (KOH).
Kong continues by discussing run-time kernel memory patching and reveals how you can patch a running kernel with userland code. All the material described in previous chapters comes together when you go hands-on and get instructions on how to write a complete example rootkit that will bypass a Host Instrusion Detection System (HIDS). The book concludes with a very important topic - detection.
As you can see from the details above, Designing BSD Rootkits is aimed at a knowledgeable audience that enjoys to dwell into very technical material and is comfortable with the C programming language. Despite the low page count, the book is packed with very informative material and it delivers exactly what it promises.
A website for the book is available here. It contains some bonus content as well as all the code ready for download. All the readers that wish to work with the code will find this quite valuable.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.