Trusted SF Member
Joined: 02 May 2005
Location: Scotland, UK
Posted: Fri Sep 30, 2005 8:05 pm Post subject: Book Review - Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
Author(s): Greg Hoglund, James Butler
Publisher: Addison Wesley http://www.awprofessional.com/
Date Published: July 2005
Book Specifications: Softcover, 324 pages
Publisher's Suggested User Level: Not Rated
Reviewer's Recommended User Level: Advanced
Suggested Publisher Price: $44.99 US / $62.99 CDN
Blurb from back cover:
Rootkits are the ultimate backdoor, giving hackers ongoing and virtually undetectable access to the systems they exploit. Now, two of the world's leading experts have written the first comprehensive guide to rootkits: what they are, how they work, how to build them, and how to detect them. Rootkit.com's Greg Hoglund and James Butler created and teach Black Hat's legendary course in rootkits. In this book, they reveal never-before-told offensive aspects of rootkit technology – learn how attackers can get in and stay in for years, without detection.
The authors both work for HBGary Inc, a provider of “Software Security verification Services”. Both are no strangers to the field of rootkits, having between the two of them accomplished such feats as coding one of the first network vulnerability scanners and creating and documenting the first Windows NT-based rootkits. The authors also founded rootkit.com, the leading rootkit-centric website and the inspiration and catalyst for much of the book. As the back cover introduction indicates, they are regarded as leading experts in the field and are regular participants in conferences such as BlackHat. According to the introduction, this book is aimed at “those who are interested in computer security”, moving from an introduction into why rootkits are created and why they pose a risk to the security of computer systems on to how Windows rootkits (can) work, with a final chapter on how they are detected.
Chapter Synopsis & Review Comments
Chapter One, Leave No Trace, introduces us to some of the general background underpinning rootkits. Starting out with 'understanding attackers' motives', the chapter provides an excellent introduction to the topic and why you should care about it, as well as making an important point about the role of the book, that “Many books discuss how to penetrate computer systems and software. [...] This book is different. Instead of covering the attacks, this book will teach you how attackers stay in after the break-in. With the exception of computer forensics books, few discuss what to do after a successful penetration.” The introduction to the topic here has much clarity, and goes a long way towards making the subject matter accessible to the general security audience. It goes on to provide background information on the general principles of rootkits and their use.
Chapter Two, Subverting the Kernel, introduces us to some of the basic tenets of Operating System design, such as the concept of an OS Kernel, and what roles it plays, and how this is relevant to rootkit design. It provides basic overviews of ways in which a rootkit may behave, and how a rootkit may be designed. This chapter gradually raises the level of explanation from the general overview of the first chapter to a more hands-on one, providing a fairly good gradual transition for readers not approaching the topic from a background which includes experience of win32 internals. The chapter guides the reader through the basics of device driver design, and – practically – teaches us how a (very simple) device driver is designed and inserted into the kernel. In the latter parts of the chapter, we are introduced to the concept of “fusion rootkits”, at which point the chapter becomes considerably more technical (and the proportion of code to text increases noticeably).
Chapter Three, The Hardware Connection, introduces us to some more (important) baseline knowledge, explaining the relationship between hardware and software (as the name implies), and introducing the reader to concepts such as processor rings and how they are relevant to a system's security. Memory, paging, processes, descriptor tables and registers are just some of the concepts that the reader is introduced to.
Chapter Four, The Age-Old Art of Hooking, takes us back into the internals of the Windows Operating System and (again, as the name implies) introduces the reader to Userland and Kernel hooking. In this chapter, prior knowledge of win32 internals becomes particularly useful, and the book may prove extremely challenging to a reader who wants to get the most out of the book and either has no experience of this or doesn't have the time and/or inclination to find some reference material to augment their reading with.
Chapter Five, Runtime Patching, now moves into material which is particularly unique to the book, and although there is a good introduction to the topic, prior knowledge of win32 internals proves invaluable at this point. Detour Patching and Jump Templates are two major topics covered in this chapter.
Chapter Six, Layered Drivers, introduces us to Layered Drivers and why they are important for legitimate Operating System Activity (the example used is hard disk encryption). The book then goes on to explain how layered drivers are also applicable to rootkits, and goes into considerable depth in explaining how this works with reference to a keylogger. The chapter then walks through code from a real-world rootkit (KLOG) and then goes on to explain File Filter Drivers.
Chapter Seven, Direct Kernel Object Manipulation, introduces us to another method available to rootkit developers, and one which avoids hooking. We are introduced to the concept, the advantages and disadvantages it poses, and the slightly black art of tailoring code to fit the operating system (as is required for code which manipulates the Operating System in this way). The chapter explains communication via IOCTLs, and then explains how accounting information can be hidden from the user, and explains how process hiding works in this manner, along with sample code to illustrate. The chapter then goes on to explain token privilege and group elevation (with, again, much example code), including adding SIDs to process tokens, and preventing process information from being logged to the eventlog.
Chapter Eight, Hardware Manipulation, opens with an illustrative story, which is followed by a discussion of the implications (and pitfalls) of modifying hardware, expanding greatly on the information on hardware-level functionality provided in the opening chapters. The chapter explains how flash memory can be modified to insert rootkit code, and how hardware is accessed, along with a thorough explanation of the architecture of a motherboard and how the various devices attached to it are accessed and behave. We then move on to another example well annotated with code, detailing how the keyboard controller is accessed, before concluding with an introduction to Microcode Updates.
Chapter Nine, Covert Channels, takes us back into application territory, and discusses (again, as indicated by the descriptive chapter title) how communications between the rootkit and a third party may not only be conducted, but conducted with a minimal possibility of being discovered. There is an excellent discussion of disguising TCP/IP data. The chapter then goes on to introduce us to TDI and NDIS (and the pros and cons of their use in rootkits) and explains to us how a rootkit might implement communications via TDI. We then move on to Raw Network Manipulation using raw sockets with usermode applications in Windows XP. We then move on to perhaps the most challenging topic in the chapter, implementing kernel TCP/IP support using NDIS, which continues into an explanation of the concept of Host Emulation.
Chapter Ten, Rootkit Detection, does exactly what it says on the tin! After the comprehensive introduction to kernel and userspace nastiness contained in the preceding chapters, this chapter seems in a sense anticlimactic; although short, it is useful (and contains more excellent example code).
Style and Detail
The authors' prose is consistently accessible and well set out. Every chapter is written in a similar structure, starting out with a high-level overview of the topic in hand and its relevance, before gradually moving closer to the topic itself and then discussing it practically with copious code examples.
Although much of the material in the book is extremely technical, there is some benefit in the book for those in the security community (and the IT community at large) without win32 internals experience. Those without this experience who are short on time, however, may find themselves skipping considerable chunks of most of the chapters and glossing over the code; this said, even the high-level information contained in the beginnings of chapters is extremely useful, and the introduction alone provides an informative wake-up call to IT Pros and IT Managers unaware of the issues of rootkits. This alone makes the book worth the money, whilst those more technically gifted will find chapters 4 onwards particularly enthralling.
This book is obviously written by two authors who are not only deeply knowledgeable, but also very enthusiastic about their subject, and the quality of the book reflects this. All in all, this is a truly excellent book, and deserving of a place on the bookshelf of anyone who works with Windows Security.
The book holds a unique position, and the quality of the writing and the subject material is excellent. The book (and by extension, the reader) also benefits greatly from the code in the book (all of which is downloadable - links are provided in the book), and from the tie-in the book has with the authors' website.
This book receives an honored SFDC Rating of 10/10.
This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.