I'm not a rootkit expert, but I had a similar impression as Jamie of the Wrox book. To me it seemed like a watered-down version of the content from Jamie's book and <a href="http://rootkits.com">rootkits.com</a>. It's possibly a bit more user-friendly, but it's just a compilation of resources done by others.
<br><br><div><span class="gmail_quote">On 5/8/07, <b class="gmail_sendername">James Butler</b> <<a href="mailto:butlerjr@acm.org">butlerjr@acm.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dave,<br><br>I am surprised that you liked this book. Well, with code and concepts<br>"borrowed" from many of the contributors at <a href="http://rootkit.com">rootkit.com</a> and Russinovich, I<br>guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked
<br>there as a tester for some things we were developing.<br><br>My problem with his book is that it makes no attempt to cite previous bodies<br>of work. As one example, he talks of DKOM tricks of how to hide processes<br>
without mentioning FU. He even renames structures I have used in talks and<br>papers, which are Microsoft structure names. If the reader is not familiar<br>with the space, you would think he invented every rootkit technique
<br>currently being used, when in actuality, his book doesn't bring anything new<br>to the table.<br><br>For the rest of you who haven't bought it yet, please consider carefully<br>before you support someone blatantly making a profit from other people's
<br>work.<br><br>Jamie<br><br>It is because of Ric and companies with this attitude that the free disclosure of ideas on <a href="http://rootkit.com">rootkit.com</a> has been driven underground.<br><br>Yes, I have a dog in this fight.
<br><br><br>-----Original Message-----<br>From: <a href="mailto:dailydave-bounces@lists.immunitysec.com">dailydave-bounces@lists.immunitysec.com</a><br>[mailto:<a href="mailto:dailydave-bounces@lists.immunitysec.com">dailydave-bounces@lists.immunitysec.com
</a>] On Behalf Of Dave Aitel<br>Sent: Tuesday, May 08, 2007 1:53 PM<br>To: dailydave<br>Subject: [Dailydave] Wrox: Professional Rootkits<br><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br><a href="http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html">http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html</a><br><br>I picked up a copy of Professional Rootkits by Ric Vieler. So far it's<br>great! You get the feeling Ric is an exile from some random intel
<br>organization that he left after about ten years of writing rootkits.<br>This book doesn't try to be super cutting edge - it is instead filled with<br>practical advice for the professional rootkit writer. It's a small,
<br>understandable book.<br><br>One criticism: There's a weird mini-disassembler on pages 74-96, which he<br>uses to analyze a target binary to add hooks into it. This is the sort of<br>thing that is a great idea, but wastes a lot of pages in the book. This
<br>should be downloadable, but perhaps not printed out line for line. If you<br>really want a disassembler, you'll also probably want an analyzer, and<br>you'll want to do something cool with your analyzer in order to make your
<br>hooks "future-proof". This is probably something I'll have someone do with<br>Immunity Debugger someday. A PGP trojan that works no matter what version of<br>PGP they have, because it has a full binary analysis engine built in. Sound
<br>fun? Send me an estimate. :><br><br>- -dave<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.6 (GNU/Linux)<br><br>iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF<br>L60KkL45TLi+aRanlJWRM0s=<br>
=hevx<br>-----END PGP SIGNATURE-----<br><br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave">
http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></blockquote></div><br><br clear="all"><br>-- <br>Matthew Wollenweber<br><a href="mailto:mwollenweber@gmail.com">
mwollenweber@gmail.com</a><br><br>
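Dave's remark about using the book's disassembler to make hooks "future-proof" is the one technical point in this thread that a small piece of code can make concrete. What follows is an added example, not code from the book, from Dave, or from anyone on this list: it locates a target function by a byte signature with wildcards rather than by a fixed offset, then uses a small x86-32 length decoder to find how many whole instructions a 5-byte JMP rel32 hook displaces, refusing when an EIP-relative call or jump would end up copied into a trampoline. The opcode subset, the two sample "images", the signature and every function name here are constructed for the example and are not taken from the book.

```c
/* Added example, not code from the book or this thread: find a hook target
 * by byte signature instead of a hardcoded offset, then measure whole x86-32
 * instructions at its entry so a 5-byte JMP rel32 displaces a clean prefix.
 * The decoder is a deliberate subset and returns 0 for anything it does not
 * know, so the caller refuses rather than guesses. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes consumed by a ModRM byte plus the SIB/displacement it implies. */
static size_t modrm_len(const uint8_t *p, size_t avail)
{
    uint8_t mod, rm;
    size_t n = 1;
    if (avail < 1) return 0;
    mod = p[0] >> 6; rm = p[0] & 7;
    if (mod == 3) return n;                         /* register operand */
    if (rm == 4) {                                  /* SIB byte follows */
        if (avail < 2) return 0;
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;    /* no base: disp32 */
    } else if (mod == 0 && rm == 5) n += 4;         /* [disp32] */
    if (mod == 1) n += 1;
    if (mod == 2) n += 4;
    return n;
}

/* Length of the instruction at p, or 0 if unsupported or truncated. *relative
 * is set for call/jmp/jcc, whose EIP-relative operand cannot be copied verbatim. */
size_t insn_len(const uint8_t *p, size_t avail, int *relative)
{
    size_t n = 0, m;
    uint8_t op;
    *relative = 0;
    if (avail == 0) return 0;
    op = p[0];
    if (op >= 0x50 && op <= 0x5F) n = 1;                        /* push/pop reg */
    else if (op == 0x90 || op == 0xC3 || op == 0xC9) n = 1;     /* nop ret leave */
    else if (op == 0x6A) n = 2;                                 /* push imm8 */
    else if (op == 0x68) n = 5;                                 /* push imm32 */
    else if (op == 0xE8 || op == 0xE9) { n = 5; *relative = 1; }            /* call/jmp rel32 */
    else if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) { n = 2; *relative = 1; } /* jmp/jcc rel8 */
    else if (op == 0x8B || op == 0x89 || op == 0x8D || op == 0x33 ||
             op == 0x3B || op == 0x03 || op == 0x2B || op == 0x85) {
        m = modrm_len(p + 1, avail - 1);                        /* mov lea xor cmp add sub test */
        n = m ? 1 + m : 0;
    } else if (op == 0x83) {                                    /* add/sub/cmp... r/m, imm8 */
        m = modrm_len(p + 1, avail - 1);
        n = m ? 1 + m + 1 : 0;
    }
    return n <= avail ? n : 0;
}

/* Smallest byte count covering whole instructions and at least min bytes (5 for
 * JMP rel32); 0 if that prefix holds an unsupported or EIP-relative instruction. */
size_t hook_prologue_len(const uint8_t *code, size_t avail, size_t min)
{
    size_t total = 0, n;
    int rel;
    while (total < min) {
        n = insn_len(code + total, avail - total, &rel);
        if (n == 0 || rel) return 0;
        total += n;
    }
    return total;
}

/* Signature scan: mask 'x' means the pattern byte must match, '?' is a
 * wildcard for bytes that change between builds.  Returns offset or -1. */
long find_pattern(const uint8_t *hay, size_t n, const uint8_t *pat, const char *mask)
{
    size_t plen = strlen(mask), i, j;
    for (i = 0; i + plen <= n; i++) {
        for (j = 0; j < plen && (mask[j] == '?' || hay[i + j] == pat[j]); j++)
            ;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Constructed sample images (not real binaries): the same function at a
 * different offset and with a different frame size, as a new build would. */
static const uint8_t IMAGE_V1[] = {
    0xCC, 0xCC, 0xCC, 0xCC,
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,  /* mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0xC3 };      /* call rel32; pop ebp; ret */
static const uint8_t IMAGE_V2[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20,
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0xC3 };
static const uint8_t SIG[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x00 };
static const char SIG_MASK[] = "xxxxxxx?";           /* frame size wildcarded */

/* Locate the function in an image and return how many prologue bytes a
 * 5-byte JMP would displace (0 = not found, or unsafe to hook). */
size_t plan_hook(const uint8_t *img, size_t n, long *off)
{
    *off = find_pattern(img, n, SIG, SIG_MASK);
    if (*off < 0) return 0;
    return hook_prologue_len(img + *off, n - (size_t)*off, 5);
}
```

Running plan_hook over both constructed images finds the prologue at offsets 4 and 7 and reports 5 displaced bytes each time, even though the frame size changed; asking for 9 bytes instead returns 0 because the next instruction is a rel32 call, which is exactly the case a naive byte-copy hook silently gets wrong. A real implementation needs a full decoder and would relocate displaced relative branches rather than refuse them, but the refusal is the safe default for a subset decoder.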