Rootkits: Subverting the Windows Kernel
By Greg Hoglund, James Butler

Publisher: Addison Wesley Professional
Pub Date: July 22, 2005
ISBN: 0-321-29431-9
Pages: 352

It's imperative that everybody working in the field of cyber-security read this book to understand the growing threat of rootkits.
--Mark Russinovich, editor, Windows IT Pro / Windows & .NET Magazine

This material is not only up-to-date, it defines up-to-date. It is truly cutting-edge. As the only book on the subject, Rootkits will be of interest to any Windows security researcher or security programmer. It's detailed, well researched and the technical information is excellent. The level of technical detail, research, and time invested in developing relevant examples is impressive. In one word: Outstanding.
--Tony Bautts, Security Consultant; CEO, Xtivix, Inc.

This book is an essential read for anyone responsible for Windows security. Security professionals, Windows system administrators, and programmers in general will want to understand the techniques used by rootkit authors. At a time when many IT and security professionals are still worrying about the latest e-mail virus or how to get all of this month's security patches installed, Mr. Hoglund and Mr. Butler open your eyes to some of the most stealthy and significant threats to the Windows operating system. Only by understanding these offensive techniques can you properly defend the networks and systems for which you are responsible.
--Jennifer Kolde, Security Consultant, Author, and Instructor

What's worse than being owned? Not knowing it. Find out what it means to be owned by reading Hoglund and Butler's first-of-a-kind book on rootkits. At the apex the malicious hacker toolset--which includes decompilers, disassemblers, fault-injection engines, kernel debuggers, payload collections, coverage tools, and flow analysis tools--is the rootkit. Beginning where Exploiting Software left off, this book shows how attackers hide in plain sight. Rootkits are extremely powerful and are the next wave of attack technology. Like other types of malicious code, rootkits thrive on stealthiness. They hide away from standard system observers, employing hooks, trampolines, and patches to get their work done. Sophisticated rootkits run in such a way that other programs that usually monitor machine behavior can't easily detect them. A rootkit thus provides insider access only to people who know that it is running and available to accept commands. Kernel rootkits can hide files and running processes to provide a backdoor into the target machine. Understanding the ultimate attacker's tool provides an important motivator for those of us trying to defend systems. No authors are better suited to give you a detailed hands-on understanding of rootkits than Hoglund and Butler. Better to own this book than to be owned.
--Gary McGraw, Ph.D., CTO, Cigital, coauthor of Exploiting Software (2004) and Building Secure Software (2002), both from Addison-Wesley

Greg and Jamie are unquestionably the go-to experts when it comes to subverting the Windows API and creating rootkits. These two masters come together to pierce the veil of mystery surrounding rootkits, bringing this information out of the shadows. Anyone even remotely interested in security for Windows systems, including forensic analysis, should include this book very high on their must-read list.
--Harlan Carvey, author of Windows Forensics and Incident Recovery (Addison-Wesley, 2005)

Rootkits are the ultimate backdoor, giving hackers ongoing and virtually undetectable access to the systems they exploit. Now, two of the world's leading experts have written the first comprehensive guide to rootkits: what they are, how they work, how to build them, and how to detect them.

Rootkit.com's Greg Hoglund and James Butler created and teach Black Hat's legendary course in rootkits. In this book, they reveal never-before-told offensive aspects of rootkit technology--learn how attackers can get in and stay in for years, without detection.

Hoglund and Butler show exactly how to subvert the Windows XP and Windows 2000 kernels, teaching concepts that are easily applied to virtually any modern operating system, from Windows Server 2003 to Linux and UNIX. Using extensive downloadable examples, they teach rootkit programming techniques that can be used for a wide range of software, from white hat security tools to operating system drivers and debuggers.

After reading this book, readers will be able to
● Understand the role of rootkits in remote command/control and software eavesdropping
● Build kernel rootkits that can make processes, files, and directories invisible
● Master key rootkit programming techniques, including hooking, runtime patching, and directly manipulating kernel objects
● Work with layered drivers to implement keyboard sniffers and file filters
● Detect rootkits and build host-based intrusion prevention software that resists rootkit attacks

Visit rootkit.com for code and programs from this book. The site also contains enhancements to the book's text, such as up-to-the-minute information on rootkits available nowhere else.

Table of Contents

Copyright
Praise for Rootkits
Preface
  Historical Background
  Target Audience
  Prerequisites
  Scope
Acknowledgments
About the Authors
About the Cover
Chapter 1. Leave No Trace
  Understanding Attackers' Motives
  What Is a Rootkit?
  Why Do Rootkits Exist?
  How Long Have Rootkits Been Around?
  How Do Rootkits Work?
  What a Rootkit Is Not
  Rootkits and Software Exploits
  Offensive Rootkit Technologies
  Conclu