[Dailydave] Wrox: Professional Rootkits

Thomas Ptacek tqbf at matasano.com
Tue May 8 20:31:00 EDT 2007


Do you cite amodload? Google doesn't think so. Daymont used a very
similar trick to Joanna to load his code into SunOS 4.1.3, back in
1995 (!). I talk to him all the time and never once heard him complain
that he wasn't getting cited enough. So I think we're all off the hook
on "DKOM" citation.

I feel silly every time I say "DKOM", too.

On 5/8/07, James Butler <butlerjr at acm.org> wrote:
> Dave,
>
> I am surprised that you liked this book. Well, with code and concepts
> "borrowed" from many of the contributors at rootkit.com and Russinovich, I
> guess it couldn't be bad.  Yes, Ric is an exile, but from HBGary. He worked
> there as a tester for some things we were developing.
>
> My problem with his book is that it makes no attempt to cite previous bodies
> of work. As one example, he talks of DKOM tricks of how to hide processes
> without mentioning FU. He even renames structures I have used in talks and
> papers, which are Microsoft structure names. If the reader is not familiar
> with the space, you would think he invented every rootkit technique
> currently being used, when in actuality, his book doesn't bring anything new
> to the table.
>
> For the rest of you who haven't bought it yet, please consider carefully
> before you support someone blatantly making a profit from other people's
> work.
>
> Jamie
>
> It is Ric and companies with this attitude that have driven the
> free disclosure of ideas underground on rootkit.com.
>
> Yes, I have a dog in this fight.
>
>
> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
> Sent: Tuesday, May 08, 2007 1:53 PM
> To: dailydave
> Subject: [Dailydave] Wrox: Professional Rootkits
>
>
> http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html
>
> I picked up a copy of Professional Rootkits by Ric Vieler. So far it's
> great! You get the feeling Ric is an exile from some random intel
> organization that he left after about ten years of writing rootkits.
> This book doesn't try to be super cutting edge - it is instead filled with
> practical advice for the professional rootkit writer. It's a small,
> understandable book.
>
> One criticism: There's a weird mini-disassembler on pages 74-96, which he
> uses to analyze a target binary to add hooks into it. This is the sort of
> thing that is a great idea, but wastes a lot of pages in the book. This
> should be downloadable, but perhaps not printed out line for line. If you
> really want a disassembler, you'll also probably want an analyzer, and
> you'll want to do something cool with your analyzer in order to make your
> hooks "future-proof". This is probably something I'll have someone do with
> Immunity Debugger someday. A PGP trojan that works no matter what version of
> PGP they have, because it has a full binary analysis engine built in. Sound
> fun? Send me an estimate. :>
>
> - -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

