Dailydave mailing list archives
Re: Wrox: Professional Rootkits
From: <assault () hush com>
Date: Tue, 08 May 2007 23:59:21 +0300
On Tue, 08 May 2007 23:10:36 +0300 James Butler <butlerjr () acm org> wrote:
....
My problem with his book is that it makes no attempt to cite previous bodies of work.
as do so many others. even u.
As one example, he talks of DKOM tricks of how to hide processes without mentioning FU.
are you suggesting that fu was the first to introduce /dev/mem walki^W^Wdkom?
He even renames structures I have used in talks and papers, which are Microsoft structure names. If the reader is not familiar with the space, they would think he invented every rootkit technique currently being used, when in actuality his book doesn't bring anything new to the table.
just like yours, i assume? or are u completely ignoring yearz of dos/linux malware research? do you mind telling what parts of the rootkits book are the result of your own research?
For the rest of you who haven't bought it yet, please consider carefully before you support someone blatantly making a profit from other people's work.
assault
Jamie

It is because of Ric and companies with this attitude that the free disclosure of ideas has been driven underground on rootkit.com. Yes, I have a dog in this fight.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Tuesday, May 08, 2007 1:53 PM
To: dailydave
Subject: [Dailydave] Wrox: Professional Rootkits

http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html

I picked up a copy of Professional Rootkits by Ric Vieler. So far it's great! You get the feeling Ric is an exile from some random intel organization that he left after about ten years of writing rootkits. This book doesn't try to be super cutting edge - it is instead filled with practical advice for the professional rootkit writer. It's a small, understandable book.

One criticism: There's a weird mini-disassembler on pages 74-96, which he uses to analyze a target binary to add hooks into it. This is the sort of thing that is a great idea, but wastes a lot of pages in the book. This should be downloadable, but perhaps not printed out line for line.

If you really want a disassembler, you'll also probably want an analyzer, and you'll want to do something cool with your analyzer in order to make your hooks "future-proof". This is probably something I'll have someone do with Immunity Debugger someday. A PGP trojan that works no matter what version of PGP they have, because it has a full binary analysis engine built in. Sound fun? Send me an estimate.

:> -dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Wrox: Professional Rootkits Dave Aitel (May 08)
- Re: Wrox: Professional Rootkits James Butler (May 08)
- Re: Wrox: Professional Rootkits matthew wollenweber (May 08)
- Re: Wrox: Professional Rootkits Jason Syversen (May 08)
- Re: Wrox: Professional Rootkits dan (May 08)
- Re: Wrox: Professional Rootkits Thomas Ptacek (May 08)
- Re: Wrox: Professional Rootkits Matt Conover (May 09)
- <Possible follow-ups>
- Re: Wrox: Professional Rootkits assault (May 08)
- Re: Wrox: Professional Rootkits James Butler (May 08)