The following is the table of contents, along with a brief description of each chapter, for my upcoming book:
- Basics: This chapter covers the fundamentals of FreeBSD kernel module programming (which is the basis of "modern" FreeBSD rootkits). It also briefly goes over the local kernel debugger (ddb).
- Hooking: This chapter covers the use of Call Hooking with kernel modules to subvert the FreeBSD kernel. To make this chapter more interesting, the example programs hook some of the more obscure or lesser known tables within the kernel.
- Kernel Object Manipulation: This chapter covers patching the objects (structures, queues, and so on) the kernel depends upon for its internal record keeping.
- Kernel Object Hooking: This chapter is the end result of combining the techniques in the previous two chapters.
- Runtime Kernel Memory Patching: This chapter covers patching the kernel code stored in main memory.
- Putting It All Together: This chapter demonstrates what one can achieve when they combine the techniques described in the previous four chapters. Note: While the previous chapters focused on the "how", this one focuses on the "what".
- Defense: This chapter focuses on detecting rootkits employing the techniques described throughout this book.
Essentially, Chapter 1 is a whirlwind tour to bring readers up to speed. Chapters 2-5 explain the "how", through a combination of trivial and non-trivial examples. Chapter 6 is something I included for fun, and Chapter 7 should be self-explanatory.
I asked Joe how he convinced No Starch to publish a book on such a niche topic. He wrote:
To be honest with you, I have no idea how I convinced No Starch to publish my book. I just wrote them a proposal, gave them a sample chapter, and they wrote me back.
I look forward to reading this book. The FreeBSD public rootkit community seems fairly small; Stephanie Wehner and pragmatic come to mind. A few private folks come to mind too; you know who you are. :)