Dailydave mailing list archives
Re: Wrox: Professional Rootkits
From: "Jason Syversen" <jason.syversen () gmail com>
Date: Tue, 8 May 2007 17:33:04 -0400
You raise an interesting point Jamie... at what point do things like Rootkits move out of the research domain and into production? We don't reference who built the hammer, the designer of the nail, or the sawhorse when writing a book about carpentry. At some point it's just part of the body of knowledge, and if you are writing a practitioners book there is a good chance prior art is not properly referenced. I dug up some of my C/C++ books to see if people like Bjarne Stroustrup, Dennis Ritchie, etc. were referenced, and in my sample of 6 books half the time the author/inventor of the language (or pretty much anyone else) was not referenced. IMO, it seemed to correlate with the quality of the book... those who were experts in their field and attempting to contribute to the body of available knowledge referenced prior art, while those were very newbie-oriented, implementation focused or just trying to get a book out there were more likely to neglect references. I would not attribute Mr. Vieler's actions to malice, however it is probably "bad form" and indicative of the level/quality of the book one would be acquiring. Books with no references (that I could find): 1) http://www.amazon.com/gp/reader/1572318570/ref=sib_dp_srch_pop/103-2831680-9988614?v=search-inside&keywords=Stroustrup&go.x=16&go.y=9&go=Go%21 2) Advanced C++, Namir Clement Shammas, Sams Publishing, 1992. 3) http://www.amazon.com/gp/reader/0672305100/ref=sib_dp_srch_bod/103-2831680-9988614?v=search-inside&keywords=ritchie&go.x=0&go.y=0&go=Go%21#<http://www.amazon.com/gp/reader/0672305100/ref=sib_dp_srch_bod/103-2831680-9988614?v=search-inside&keywords=ritchie&go.x=0&go.y=0&go=Go%21#> Standard references: 1) http://www.amazon.com/gp/reader/076005018X/ref=sib_dp_pt/103-2831680-9988614# 2) http://www.amazon.com/gp/reader/0764546546/ref=sib_dp_pt/103-2831680-9988614#reader-link Example with good references in each chapter: 1) Classic Data Structures in C++, Timothy A. Budd, Addison Wesley Publishing Company, 1994 - Jason On 5/8/07, James Butler <butlerjr () acm org> wrote:
Dave, I am surprised that you liked this book. Well, with code and concepts "borrowed" from many of the contributors at rootkit.com and Russinovich, I guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked there as a tester for some things we were developing. My problem with his book is that it makes no attempt to cite previous bodies of work. As one example, he talks of DKOM tricks of how to hide processes without mentioning FU. He even renames structures I have used in talks and papers, which are Microsoft structure names. If the reader is not familiar with the space, you would think he invented every rootkit technique currently being used, when in actuality, his book doesn't bring anything new to the table. For the rest of you who haven't bought it yet, please consider carefully before you support someone blatantly making a profit from other people's work. Jamie It is because of Ric and companies with this attitude that has driven the free disclosure of ideas underground on rootkit.com. Yes, I have a dog in this fight. -----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com ] On Behalf Of Dave Aitel Sent: Tuesday, May 08, 2007 1:53 PM To: dailydave Subject: [Dailydave] Wrox: Professional Rootkits -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_ code.html I picked up a copy of Professional Rootkits by Ric Vieler. So far it's great! You get the feeling Ric is an exile from some random intel organization that he left after about ten years of writing rootkits. This book doesn't try to be super cutting edge - it is instead filled with practical advice for the professional rootkit writer. It's a small, understandable book. One criticism: There's a weird mini-disassembler on pages 74-96, which he uses to analyze a target binary to add hooks into it. This is the sort of thing that is a great idea, but wastes a lot of pages in the book. This should be downloadable, but perhaps not printed out line for line. If you really want a disassembler, you'll also probably want an analyzer, and you'll want do to something cool with your analyzer in order to make your hooks "future-proof". This is probably something I'll have someone do with Immunity Debugger someday. A PGP trojan that works no matter what version of PGP they have, because it has a full binary analysis engine built in. Sound fun? Send me a estimate. :> - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF L60KkL45TLi+aRanlJWRM0s= =hevx -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Wrox: Professional Rootkits Dave Aitel (May 08)
- Re: Wrox: Professional Rootkits James Butler (May 08)
- Re: Wrox: Professional Rootkits matthew wollenweber (May 08)
- Re: Wrox: Professional Rootkits Jason Syversen (May 08)
- Re: Wrox: Professional Rootkits dan (May 08)
- Re: Wrox: Professional Rootkits Thomas Ptacek (May 08)
- Re: Wrox: Professional Rootkits Matt Conover (May 09)
- <Possible follow-ups>
- Re: Wrox: Professional Rootkits assault (May 08)
- Re: Wrox: Professional Rootkits James Butler (May 08)