Re: Wrox: Professional Rootkits

[<assault () hush com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Tue, 08 May 2007 23:10:36 +0300 James Butler <butlerjr () acm org>
wrote:

....

> My problem with his book is that it makes no attempt to cite
> previous bodies
> of work.

as do so many others. even u.

> As one example, he talks of DKOM tricks of how to hide
> processes
> without mentioning FU.

are you suggesting that fu was the first to introduce /dev/mem
walki^W^Wdkom?

> He even renames structures I have used in
> talks and
> papers, which are Microsoft structure names. If the reader is not
> familiar
> with the space, you would think he invented every rootkit
> technique
> currently being used, when in actuality, his book doesn't bring
> anything new
> to the table.

just like yours, i assume? or are u completely ignoring yearz of
dos/linux malware research? do you mind telling what parts of the
rootkits book are the result of your own research?

> For the rest of you who haven't bought it yet, please consider
> carefully
> before you support someone blatantly making a profit from other
> people's
> work.

assault

> Jamie
>
> It is because of Ric and companies with this attitude that has
> driven the
> free disclosure of ideas underground on rootkit.com.
>
> Yes, I have a dog in this fight.
>
>
> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave
> Aitel
> Sent: Tuesday, May 08, 2007 1:53 PM
> To: dailydave
> Subject: [Dailydave] Wrox: Professional Rootkits
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-
> download_
> code.html
>
> I picked up a copy of Professional Rootkits by Ric Vieler. So far
> it's
> great! You get the feeling Ric is an exile from some random intel
> organization that he left after about ten years of writing
> rootkits.
> This book doesn't try to be super cutting edge - it is instead
> filled with
> practical advice for the professional rootkit writer. It's a
> small,
> understandable book.
>
> One criticism: There's a weird mini-disassembler on pages 74-96,
> which he
> uses to analyze a target binary to add hooks into it. This is the
> sort of
> thing that is a great idea, but wastes a lot of pages in the book.
> This
> should be downloadable, but perhaps not printed out line for line.
> If you
> really want a disassembler, you'll also probably want an analyzer,
> and
> you'll want do to something cool with your analyzer in order to
> make your
> hooks "future-proof".  This is probably something I'll have
> someone do with
> Immunity Debugger someday. A PGP trojan that works no matter what
> version of
> PGP they have, because it has a full binary analysis engine built
> in. Sound
> fun? Send me a estimate. :>
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF
> L60KkL45TLi+aRanlJWRM0s=
> =hevx
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkZA4+wACgkQwRKs9FnnsLTk0AP9GpjoKe+8Sd0+nuSHpTEsd0wXuMPg
17kC4qB3OQ2Gan1bYYXg/g2AXoecH9ssdLhudmvg1RD6x39SebiEJaaPAJZL6zE8HUxs
3bWN1lJhkWscCF2d8dcrIfLkzSlXsizi8qAQqkIpV1S72STi1oazbEtH2yEmYRZHsc1P
VvgnlK0=
=mwWQ
-----END PGP SIGNATURE-----

--
Click to find great rates on health insurance, save big, shop here
http://tagline.hushmail.com/fc/CAaCXv1QUczjhn9SvhpWprcUgMFaWVn0/


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave