Designing BSD Rootkits: An Introduction to Kernel Hacking
by Andrew Simmons - Monday, 24 December 2007.
Author: Joseph Kong
Pages: 144
Publisher: No Starch Press
ISBN: 1593271425



Introduction

This book covers a very technical and fascinating topic that had not received much bookshelf space before this book was released. This title aims to give you the knowledge necessary to understand rootkits while exploring the FreeBSD operating system and kernel.

About the author

Tinkering with computers has always been a primary passion of author Joseph Kong. He is a self-taught programmer who dabbles in information security, operating system theory, reverse engineering, and vulnerability assessment. He has written for Phrack Magazine and was a system administrator for the City of Toronto.

Inside the book

The book starts with a chapter dedicated to loadable kernel modules (LKMs), which is natural since the majority of rootkits today are LKMs. You immediately realize you've entered programmer's territory, since there's lots of code and examples. What's important to note about this chapter, and the book in general, is the exceptional organization of the code, which makes it easy to understand and look through.

What comes next is a look at hooking, a programming technique that employs handler functions to modify control flow. It is the most popular rootkit technique, and Kong offers you an insight into how it works before moving on to discuss one of the hardest rootkit techniques to detect - direct kernel object manipulation (DKOM) - as well as kernel object hooking (KOH).

Kong continues by discussing run-time kernel memory patching and reveals how you can patch a running kernel with userland code. All the material described in the previous chapters comes together when you go hands-on and get instructions on how to write a complete example rootkit that will bypass a Host Intrusion Detection System (HIDS). The book concludes with a very important topic - detection.

Final thoughts

As you can see from the details above, Designing BSD Rootkits is aimed at a knowledgeable audience that enjoys delving into very technical material and is comfortable with the C programming language. Despite the low page count, the book is packed with very informative material, and it delivers exactly what it promises.

A website for the book is available here. It contains some bonus content as well as all the code ready for download. All the readers that wish to work with the code will find this quite valuable.
