[Dailydave] Wrox: Professional Rootkits
matthew wollenweber
mwollenweber at gmail.com
Tue May 8 16:29:22 EDT 2007
I'm not a rootkit expert, but I had a similar impression as Jamie of the Wrox
book. To me it seemed like a watered-down version of the content from
Jamie's book and rootkits.com. It's possibly a bit more user-friendly, but
just a compilation of resources done by others.
On 5/8/07, James Butler <butlerjr at acm.org> wrote:
>
> Dave,
>
> I am surprised that you liked this book. Well, with code and concepts
> "borrowed" from many of the contributors at rootkit.com and Russinovich, I
> guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked
> there as a tester for some things we were developing.
>
> My problem with his book is that it makes no attempt to cite previous
> bodies of work. As one example, he talks of DKOM tricks of how to hide
> processes without mentioning FU. He even renames structures I have used in
> talks and papers, which are Microsoft structure names. If the reader is not
> familiar with the space, you would think he invented every rootkit technique
> currently being used, when in actuality, his book doesn't bring anything new
> to the table.
>
> For the rest of you who haven't bought it yet, please consider carefully
> before you support someone blatantly making a profit from other people's
> work.
>
> Jamie
>
> It is because of Ric and companies with this attitude that the free
> disclosure of ideas has been driven underground on rootkit.com.
>
> Yes, I have a dog in this fight.
>
>
> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
> Sent: Tuesday, May 08, 2007 1:53 PM
> To: dailydave
> Subject: [Dailydave] Wrox: Professional Rootkits
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html
>
> I picked up a copy of Professional Rootkits by Ric Vieler. So far it's
> great! You get the feeling Ric is an exile from some random intel
> organization that he left after about ten years of writing rootkits.
> This book doesn't try to be super cutting edge - it is instead filled with
> practical advice for the professional rootkit writer. It's a small,
> understandable book.
>
> One criticism: There's a weird mini-disassembler on pages 74-96, which he
> uses to analyze a target binary to add hooks into it. This is the sort of
> thing that is a great idea, but wastes a lot of pages in the book. This
> should be downloadable, but perhaps not printed out line for line. If you
> really want a disassembler, you'll also probably want an analyzer, and
> you'll want to do something cool with your analyzer in order to make your
> hooks "future-proof". This is probably something I'll have someone do with
> Immunity Debugger someday. A PGP trojan that works no matter what version of
> PGP they have, because it has a full binary analysis engine built in. Sound
> fun? Send me an estimate. :>
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF
> L60KkL45TLi+aRanlJWRM0s=
> =hevx
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
--
Matthew Wollenweber
mwollenweber at gmail.com
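The one concrete technique the thread names is the DKOM process hiding that Jamie credits to FU: splicing a process block out of the kernel's doubly-linked active-process list (EPROCESS.ActiveProcessLinks, headed by PsActiveProcessHead) so a list walk no longer returns it, while the process itself keeps running. The following is an added example, not code from the thread, the Wrox book, or FU: a user-mode C model of that unlink together with the cross-view check that catches it. The structure names, layouts, pids and image names are simplified stand-ins constructed for the example, not NT's real definitions.

```c
/*
 * Added example, not code from the thread or from the book it discusses:
 * a user-mode model of the DKOM process-hiding trick that FU demonstrated
 * on Windows -- unlinking a process block from the kernel's doubly-linked
 * list of active processes (EPROCESS.ActiveProcessLinks, headed by
 * PsActiveProcessHead) so that list-walking enumerations miss it while the
 * block itself stays intact and schedulable -- plus the cross-view check
 * that catches it.  All struct layouts here are simplified stand-ins.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct list_entry {            /* look-alike of LIST_ENTRY */
    struct list_entry *flink, *blink;
} list_entry_t;

typedef struct fake_eprocess {         /* stand-in for EPROCESS (assumed layout) */
    unsigned long pid;
    char          image_name[16];
    list_entry_t  active_process_links;
} fake_eprocess_t;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define NPROC 8
static list_entry_t    active_process_head;   /* stand-in for PsActiveProcessHead */
static fake_eprocess_t pool[NPROC];           /* stand-in for pool pages a memory scan sweeps */
static int             pool_used;

void reset_kernel_state(void) {
    active_process_head.flink = active_process_head.blink = &active_process_head;
    memset(pool, 0, sizeof pool);
    pool_used = 0;
}

fake_eprocess_t *create_process(unsigned long pid, const char *name) {
    fake_eprocess_t *p = &pool[pool_used++];
    p->pid = pid;
    strncpy(p->image_name, name, sizeof p->image_name - 1);
    list_entry_t *e = &p->active_process_links;      /* InsertTailList */
    e->flink = &active_process_head;
    e->blink = active_process_head.blink;
    active_process_head.blink->flink = e;
    active_process_head.blink = e;
    return p;
}

/* What a list-walking enumerator effectively does: follow Flink from the head. */
int enumerate_by_list(unsigned long *pids, int max) {
    int n = 0;
    for (list_entry_t *e = active_process_head.flink;
         e != &active_process_head && n < max; e = e->flink)
        pids[n++] = CONTAINING_RECORD(e, fake_eprocess_t, active_process_links)->pid;
    return n;
}

/* The DKOM hide: splice the block out of the list.  Its own links are pointed
 * at itself so a later RemoveEntryList on it (process exit) touches only
 * itself instead of corrupting the neighbours. */
void dkom_hide_process(fake_eprocess_t *p) {
    list_entry_t *e = &p->active_process_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

/* Cross-view detection: enumerate by a path that does not depend on the list
 * (here a sweep of the pool, standing in for a memory scan or PID brute force)
 * and report any block the list walk did not return. */
int find_hidden(unsigned long *hidden, int max) {
    unsigned long seen[NPROC];
    int nseen = enumerate_by_list(seen, NPROC), n = 0;
    for (int i = 0; i < pool_used && n < max; i++) {
        int visible = 0;
        for (int j = 0; j < nseen; j++)
            if (seen[j] == pool[i].pid) visible = 1;
        if (!visible) hidden[n++] = pool[i].pid;
    }
    return n;
}

/* Full scenario on four constructed processes: hide the third.  Returns the
 * count a list walk sees afterwards and writes the pid the cross-view check
 * recovers (0 if none). */
int run_scenario(unsigned long *recovered_pid) {
    unsigned long pids[NPROC], hidden[NPROC];
    reset_kernel_state();
    create_process(4, "System");
    create_process(612, "csrss.exe");
    fake_eprocess_t *target = create_process(1337, "rootkit.exe");
    create_process(2048, "notepad.exe");
    dkom_hide_process(target);
    int visible = enumerate_by_list(pids, NPROC);
    *recovered_pid = find_hidden(hidden, NPROC) == 1 ? hidden[0] : 0;
    return visible;
}

int main(void) {
    unsigned long pid;
    int visible = run_scenario(&pid);
    printf("list walk sees %d processes; cross-view recovered pid %lu\n", visible, pid);
    return 0;
}
```

The point of the second enumeration path is the same one FU's detectors used: DKOM only fools consumers of the data structure it edits, so any view that reaches the process block another way (scanning pool memory for EPROCESS signatures, brute-forcing pids through the handle or scheduler paths) still finds it, and the mismatch between the two views is the detection signal.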