BKDSBSDR.RVW 20071005 "Designing BSD Rootkits", Joseph Kong, 2007, 1-59327-142-5, U$29.95/C$36.95 %A Joseph Kong %C 555 De Haro Street, Suite 250, San Francisco, CA 94107 %D 2007 %G 1-59327-142-5 978-1-59327-142-8 %I No Starch Press %O U$29.95/C$36.95 415-863-9900 fax 415-863-9950 info@nostarch.com %O http://www.amazon.com/exec/obidos/ASIN/1593271425/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1593271425/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1593271425/robsladesin03-20 %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 136 p. %T "Designing BSD Rootkits: An Introduction to Kernel Hacking" The purpose of the book is to teach how to use techniques of kernel-mode programming that will provide control over certain aspects of the FreeBSD (Berkeley Systems Distribution) operating system without making such control apparent to the user. As a secondary aim, the reader should also be able to consider recoding functions of the operating system, as well as techniques for detecting and removing rootkits. Chapter one introduces the programming of Loadable Kernel Modules (LKMs, which are also known as Dynamic Kernel Linkers or KLDs). C code for short routines and system calls are listed, although the explanations are extremely terse, and the reader would have to be well familiar with system programming in order to understand the use and access to these functions. Call hooking (or just "hooking"), the redirection of calls to standard operations in order to modify system behaviour, is the subject of chapter two. Kernel objects maintain information about the operations underway in the computer, and therefore direct manipulation of these structures, explained in chapter three, is necessary to hide from attempts to detect unusual processes. Since kernel objects also control program flow, chapter four briefly demonstrates how to hook the structures. Chapter five examines the type of programming necessary to directly patch code in the kernel memory area. Chapter six uses the various ideas discussed earlier to create a rootkit for avoiding detection by change-detection style host-based intrusion detection systems (HIDS), specifically Tripwire. Chapter seven outlines (without code examples) techniques for detecting the type of programming and activity described earlier in the book. In my opening sentence, I said that the volume's purpose was to teach kernel-mode programming. That statement, and the preface, begs the question of the intended audience. Actually, the book only addresses specific functions: it certainly doesn't teach kernel-mode programming as such. The reader will already have to know a fair mount of it in order to apply the content of the tome. The text does seem to imply that it is hoped whitehats will use it, but is the substance really directed at protective measures? The material in the book does provide a number of examples of kernel- mode programming, and may act as a guide for those interested in exploring the areas for which code is provided. Certain aspects of the internals of the BSD operating systems are explained. However, those interested in having in-depth examinations of the operating system, or those wishing to know about detection of these types of applications, may wish to look elsewhere. copyright Robert M. Slade, 2007 BKDSBSDR.RVW 20071005