[Dailydave] Wrox: Professional Rootkits
Jason Syversen
jason.syversen at gmail.com
Tue May 8 17:33:04 EDT 2007
You raise an interesting point, Jamie... at what point do things like
rootkits move out of the research domain and into production? We don't
reference who built the hammer, the designer of the nail, or the sawhorse
when writing a book about carpentry. At some point it's just part of the
body of knowledge, and if you are writing a practitioner's book there is a
good chance prior art is not properly referenced.
I dug up some of my C/C++ books to see if people like Bjarne Stroustrup, Dennis
Ritchie, etc. were referenced, and in my sample of 6 books, half the time the
author/inventor of the language (or pretty much anyone else) was not
referenced. IMO, it seemed to correlate with the quality of the book...
those who were experts in their field and attempting to contribute to the
body of available knowledge referenced prior art, while those who were very
newbie-oriented, implementation-focused or just trying to get a book out
there were more likely to neglect references. I would not attribute
Mr. Vieler's actions to malice; however, it is probably "bad form" and
indicative of the level/quality of the book one would be acquiring.
Books with no references (that I could find):
1) http://www.amazon.com/gp/reader/1572318570/ref=sib_dp_srch_pop/103-2831680-9988614?v=search-inside&keywords=Stroustrup&go.x=16&go.y=9&go=Go%21
2) Advanced C++, Namir Clement Shammas, Sams Publishing, 1992.
3) http://www.amazon.com/gp/reader/0672305100/ref=sib_dp_srch_bod/103-2831680-9988614?v=search-inside&keywords=ritchie&go.x=0&go.y=0&go=Go%21#
Standard references:
1) http://www.amazon.com/gp/reader/076005018X/ref=sib_dp_pt/103-2831680-9988614#
2) http://www.amazon.com/gp/reader/0764546546/ref=sib_dp_pt/103-2831680-9988614#reader-link
Example with good references in each chapter:
1) Classic Data Structures in C++, Timothy A. Budd, Addison Wesley Publishing Company, 1994
- Jason
On 5/8/07, James Butler <butlerjr at acm.org> wrote:
>
> Dave,
>
> I am surprised that you liked this book. Well, with code and concepts
> "borrowed" from many of the contributors at rootkit.com and Russinovich, I
> guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked
> there as a tester for some things we were developing.
>
> My problem with his book is that it makes no attempt to cite previous
> bodies of work. As one example, he talks of DKOM tricks of how to hide
> processes without mentioning FU. He even renames structures I have used in
> talks and papers, which are Microsoft structure names. If the reader is not
> familiar with the space, you would think he invented every rootkit technique
> currently being used, when in actuality, his book doesn't bring anything
> new to the table.
>
> For the rest of you who haven't bought it yet, please consider carefully
> before you support someone blatantly making a profit from other people's
> work.
>
> Jamie
>
> It is Ric and companies with this attitude that have driven the
> free disclosure of ideas underground on rootkit.com.
>
> Yes, I have a dog in this fight.
>
>
> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com ] On Behalf Of Dave Aitel
> Sent: Tuesday, May 08, 2007 1:53 PM
> To: dailydave
> Subject: [Dailydave] Wrox: Professional Rootkits
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html
>
> I picked up a copy of Professional Rootkits by Ric Vieler. So far it's
> great! You get the feeling Ric is an exile from some random intel
> organization that he left after about ten years of writing rootkits.
> This book doesn't try to be super cutting edge - it is instead filled with
> practical advice for the professional rootkit writer. It's a small,
> understandable book.
>
> One criticism: There's a weird mini-disassembler on pages 74-96, which he
> uses to analyze a target binary to add hooks into it. This is the sort of
> thing that is a great idea, but wastes a lot of pages in the book. This
> should be downloadable, but perhaps not printed out line for line. If you
> really want a disassembler, you'll also probably want an analyzer, and
> you'll want to do something cool with your analyzer in order to make your
> hooks "future-proof". This is probably something I'll have someone do with
> Immunity Debugger someday. A PGP trojan that works no matter what version of
> PGP they have, because it has a full binary analysis engine built in. Sound
> fun? Send me an estimate. :>
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>