Tuesday, August 08, 2006

Exclusive: FreeBSD Rootkits Book Forthcoming

While searching Amazon.com I found a forthcoming book titled Designing BSD Rootkits by Joseph Kong. Joe wrote Playing Games With Kernel Memory ... FreeBSD Style last year. I emailed him and asked if he would describe the table of contents.

The following is the table of contents, along with a brief description of each chapter, for my upcoming book:

  1. Basics: This chapter covers the fundamentals of FreeBSD kernel module programming (which is the basis of "modern" FreeBSD rootkits). It also briefly goes over the local kernel debugger (ddb).

  2. Hooking: This chapter covers the use of Call Hooking with kernel modules to subvert the FreeBSD kernel. To make this chapter more interesting, the example programs hook some of the more obscure or lesser known tables within the kernel.

  3. Kernel Object Manipulation: This chapter covers patching the objects (structures, queues, and so on) the kernel depends upon for its internal record keeping.

  4. Kernel Object Hooking: This chapter is the end result of combining the techniques in the previous two chapters.

  5. Runtime Kernel Memory Patching: This chapter covers patching the kernel code stored in main memory.

  6. Putting It All Together: This chapter demonstrates what one can achieve when they combine the techniques described in the previous four chapters. Note: While the previous chapters focused on the "how", this one focuses on the "what".

  7. Defense: This chapter focuses on detecting rootkits employing the techniques described throughout this book.


Essentially Chapter 1 is a whirlwind tour to bring readers up to speed. Chapters 2-5 explain the "how", through a combination of trivial and non-trivial examples. Chapter 6 is something I included for fun, and Chapter 7 should be self-explanatory.

I asked Joe how he convinced No Starch to publish a book on such a niche topic. He wrote:

To be honest with you, I have no idea how I convinced No Starch to publish my book. I just wrote them a proposal, gave them a sample chapter, and they wrote me back.

I look forward to reading this book. The FreeBSD public rootkit community seems fairly small; Stephanie Wehner and pragmatic come to mind. A few private folks come to mind too; you know who you are. :)

2 comments:

Brian Best said...

I find this an interesting topic. I look forward to reading this book. Also, very timely...

Check out what Joanna is up to over at invisiblethings - http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

This has also garnered some press, http://tinyurl.com/nh3ku, as the blue pill leverages AMD's SVM/Pacifica technology and not the underlying OS. This makes other OSes that run on x64 vulnerable as well. This is some very cool stuff.

Regards,

Brian

Anonymous said...

I can't wait until this book is available. However, No Starch still doesn't even have a cover for the book on their website so it appears the release date will slip.