Designing BSD Rootkits: An Introduction to Kernel Hacking [NOOK Book]

NOOK Book (eBook): $13.49 (BN.com price; list price $23.95, save 43%)

Overview

Though rootkits have a fairly negative image, they can be used for both good and evil. Designing BSD Rootkits arms you with the knowledge you need to write offensive rootkits, to defend against malicious ones, and to explore the FreeBSD kernel and operating system in the process.

Organized as a tutorial, Designing BSD Rootkits will teach you the fundamentals of programming and developing rootkits under the FreeBSD operating system. Author Joseph Kong's goal is to make you smarter, not to teach you how to write exploits or launch attacks. You'll learn how to maintain root access long after gaining access to a computer and how to hack FreeBSD.

Kong's liberal use of examples assumes no prior kernel-hacking experience but doesn't water down the information. All code is thoroughly described and analyzed, and each chapter contains at least one real-world application.

Included:

* The fundamentals of FreeBSD kernel module programming
* Using call hooking to subvert the FreeBSD kernel
* Directly manipulating the objects the kernel depends upon for its internal record-keeping
* Patching kernel code resident in main memory; in other words, altering the kernel's logic while it's still running
* How to defend against the attacks described

Hack the FreeBSD kernel for yourself!

"Designing BSD Rootkits" introduces the fundamentals of programming and developing rootkits under the FreeBSD operating system. Written in a friendly, accessible style and sprinkled with geek humor and pop culture references, the author favors a "learn by example" approach that assumes no prior kernel hacking experience.


Product Details

  • ISBN-13: 9781593271589
  • Publisher: No Starch Press, San Francisco, CA
  • Publication date: 4/1/2007
  • Sold by: Barnes & Noble
  • Format: eBook
  • Sales rank: 1,072,190
  • File size: 2 MB

Meet the Author

Tinkering with computers has always been a primary passion of author Joseph Kong. He is a self-taught programmer who dabbles in information security, operating system theory, reverse engineering, and vulnerability assessment. He has written for Phrack Magazine and was a system administrator for the City of Toronto.

Table of Contents

Foreword (John Baldwin)     xiii
Introduction     xv
    What Is a Rootkit?     xvi
    Why FreeBSD?     xvi
    The Goals of This Book     xvi
    Who Should Read This Book?     xvi
    Contents Overview     xvi
    Conventions Used in This Book     xvii
    Concluding Remarks     xvii
Loadable Kernel Modules     1
    Module Event Handler     2
    The DECLARE_MODULE Macro     3
    "Hello, world!"     4
    System Call Modules     6
        The System Call Function     6
        The sysent Structure     7
        The Offset Value     8
        The SYSCALL_MODULE Macro     8
        Example     9
        The modfind Function     10
        The modstat Function     10
        The syscall Function     11
        Executing the System Call     11
        Executing the System Call Without C Code     12
    Kernel/User Space Transitions     12
        The copyin and copyinstr Functions     13
        The copyout Function     13
        The copystr Function     13
    Character Device Modules     14
        The cdevsw Structure     14
        Character Device Functions     15
        The Device Registration Routine     16
        Example     17
        Testing the Character Device     19
    Linker Files and Modules     21
    Concluding Remarks     22
Hooking     23
    Hooking a System Call     24
        Keystroke Logging     26
        Kernel Process Tracing     28
        Common System Call Hooks     29
    Communication Protocols     30
        The protosw Structure     30
        The inetsw Switch Table     31
        The mbuf Structure     32
        Hooking a Communication Protocol     32
    Concluding Remarks     33
Direct Kernel Object Manipulation     37
    Kernel Queue Data Structures     37
        The LIST_HEAD Macro     38
        The LIST_HEAD_INITIALIZER Macro     38
        The LIST_ENTRY Macro     38
        The LIST_FOREACH Macro     39
        The LIST_REMOVE Macro     39
    Synchronization Issues     39
        The mtx_lock Function     40
        The mtx_unlock Function     40
        The sx_slock and sx_xlock Functions     40
        The sx_sunlock and sx_xunlock Functions     41
    Hiding a Running Process     41
        The proc Structure     41
        The allproc List     42
        Example     43
    Hiding a Running Process Redux     46
        The hashinit Function     47
        pidhashtbl     47
        The pfind Function     48
        Example     48
    Hiding with DKOM     51
    Hiding an Open TCP-based Port     52
        The inpcb Structure     52
        The tcbinfo.listhead List     53
        Example     54
    Corrupting Kernel Data     56
    Concluding Remarks     57
Kernel Object Hooking     59
    Hooking a Character Device     59
        The cdevp_list and cdev_priv Structures     60
        The devmtx Mutex     60
        Example     60
    Concluding Remarks     62
Run-Time Kernel Memory Patching     63
    Kernel Data Access Library     63
        The kvm_openfiles Function     64
        The kvm_nlist Function     64
        The kvm_geterr Function     65
        The kvm_read Function     65
        The kvm_write Function     65
        The kvm_close Function     66
    Patching Code Bytes     66
    Understanding x86 Call Statements     70
    Patching Call Statements     70
    Allocating Kernel Memory     73
        The malloc Function     73
        The MALLOC Macro     74
        The free Function     74
        The FREE Macro     74
        Example     75
    Allocating Kernel Memory from User Space     77
        Example     77
    Inline Function Hooking     81
        Example     82
        Gotchas     88
    Cloaking System Call Hooks     88
    Concluding Remarks     90
Putting It All Together     91
    What HIDSes Do     91
    Bypassing HIDSes     92
        Execution Redirection     92
        File Hiding     96
    Hiding a KLD     101
        The linker_files List     102
        The linker_file Structure     102
        The modules List     103
        The module Structure     103
        Example     104
    Preventing Access, Modification, and Change Time Updates     107
        Change Time     108
        Example     112
    Proof of Concept: Faking Out Tripwire     114
    Concluding Remarks     117
Detection     119
    Detecting Call Hooks     120
        Finding System Call Hooks     120
    Detecting DKOM     123
        Finding Hidden Processes     123
        Finding Hidden Ports     125
    Detecting Run-Time Kernel Memory Patching     125
        Finding Inline Function Hooks     125
        Finding Code Byte Patches     125
    Concluding Remarks     126
Closing Words     127
Bibliography     129
Index     131