Dailydave mailing list archives
Re: Wrox: Professional Rootkits
From: "James Butler" <butlerjr () acm org>
Date: Tue, 8 May 2007 16:10:36 -0400
Dave, I am surprised that you liked this book. Well, with code and concepts "borrowed" from many of the contributors at rootkit.com and Russinovich, I guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked there as a tester for some things we were developing. My problem with his book is that it makes no attempt to cite previous bodies of work. As one example, he talks of DKOM tricks of how to hide processes without mentioning FU. He even renames structures I have used in talks and papers, which are Microsoft structure names. If the reader is not familiar with the space, you would think he invented every rootkit technique currently being used, when in actuality, his book doesn't bring anything new to the table. For the rest of you who haven't bought it yet, please consider carefully before you support someone blatantly making a profit from other people's work. Jamie It is because of Ric and companies with this attitude that has driven the free disclosure of ideas underground on rootkit.com. Yes, I have a dog in this fight. -----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel Sent: Tuesday, May 08, 2007 1:53 PM To: dailydave Subject: [Dailydave] Wrox: Professional Rootkits -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_ code.html I picked up a copy of Professional Rootkits by Ric Vieler. So far it's great! You get the feeling Ric is an exile from some random intel organization that he left after about ten years of writing rootkits. This book doesn't try to be super cutting edge - it is instead filled with practical advice for the professional rootkit writer. It's a small, understandable book. One criticism: There's a weird mini-disassembler on pages 74-96, which he uses to analyze a target binary to add hooks into it. This is the sort of thing that is a great idea, but wastes a lot of pages in the book. This should be downloadable, but perhaps not printed out line for line. If you really want a disassembler, you'll also probably want an analyzer, and you'll want do to something cool with your analyzer in order to make your hooks "future-proof". This is probably something I'll have someone do with Immunity Debugger someday. A PGP trojan that works no matter what version of PGP they have, because it has a full binary analysis engine built in. Sound fun? Send me a estimate. :> - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF L60KkL45TLi+aRanlJWRM0s= =hevx -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Wrox: Professional Rootkits Dave Aitel (May 08)
- Re: Wrox: Professional Rootkits James Butler (May 08)
- Re: Wrox: Professional Rootkits matthew wollenweber (May 08)
- Re: Wrox: Professional Rootkits Jason Syversen (May 08)
- Re: Wrox: Professional Rootkits dan (May 08)
- Re: Wrox: Professional Rootkits Thomas Ptacek (May 08)
- Re: Wrox: Professional Rootkits Matt Conover (May 09)
- <Possible follow-ups>
- Re: Wrox: Professional Rootkits assault (May 08)
- Re: Wrox: Professional Rootkits James Butler (May 08)