ROOTKITS: Subverting the Windows Kernel

Rootkits is intended for those who are interested in computer security and want a truer perspective concerning security threats. A lot has been written on how intruders gain access to computer systems, but little has been said regarding what can happen once an intruder gains that initial access. As the title implies, this book will cover what intruders can do to cover their presence on a compromised machine.

Most software vendors, including Microsoft, do not take rootkits seriously. The material in this book is not groundbreaking for someone who has worked with rootkits or operating systems for years, but for most people this book should prove that rootkits are a serious threat. It should prove that your virus scanner or desktop firewall is never good enough. It should prove that a rootkit can get into your computer and stay there for years, and you will never know about it.

To best convey rootkit information, this book is written from an attacker's perspective; however, the book ends on a defensive posture. As you begin to learn your attackers' goals and techniques, you will understand your own system's weaknesses and how to mitigate its shortcomings. Reading this book will help you improve the security of your system and help you make informed decisions when it comes to purchasing security software.

After reading this book, readers will be able to:

  • Understand the role of rootkits in remote command/control and software eavesdropping
  • Build kernel rootkits that can make processes, files, and directories invisible
  • Master key rootkit programming techniques, including hooking, runtime patching, and directly manipulating kernel objects
  • Work with layered drivers to implement keyboard sniffers and file filters
  • Detect rootkits and build host-based intrusion prevention software that resists rootkit attacks

Visit rootkit.com for code and programs from this book. The site also contains enhancements to the book's text, such as up-to-the-minute information on rootkits available nowhere else.

Authors

Greg Hoglund has been a pioneer in the area of software security. He is CEO of HBGary, Inc., a leading provider of software security verification services. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding rootkit.com in the process. Greg is a frequent speaker at Black Hat, RSA, and other security conferences. He co-authored the bestselling Exploiting Software: How to Break Code (Addison-Wesley, 2004).

James Butler, Director of Engineering at HBGary, has a world-class talent for kernel programming and rootkit development and extensive experience in host-based intrusion-detection systems. He is the developer of VICE, a rootkit detection and forensics system. Jamie's previous positions include Senior Security Software Engineer at Enterasys and Computer Scientist at the National Security Agency. He is a frequent trainer and speaker at Black Hat.
