Designing BSD Rootkits: An Introduction to Kernel Hacking
Author: Joseph Kong
Format: Paperback, 144 pages
Publisher: No Starch Press (April 10, 2007)
ISBN-10: 1593271425
ISBN-13: 978-1593271428
Review by James Pyles
May 8, 2007
A lot of why I requested this book for review was sheer curiosity. Like many people, I'm used to thinking "Rootkit = bad". Why the heck would any author or publisher want to take on the liability of teaching their readers how to behave unethically and criminally? The little voodoo doll on the cover did nothing to allay my concerns. However, once I had the book in my hands and began to work through it, I saw it with different eyes.
I recently reviewed O'Reilly's Linux Kernel in a Nutshell for the European version of Linux Magazine and the No Starch Press book Webbots, Spiders, and Screen Scrapers: A Guide to Developing Internet Agents with PHP/CURL, and Kong's Designing BSD Rootkits seems related to both. As the book's subtitle implies, this text is more about teaching the reader beginning kernel hacking than it is about becoming the programmer's version of a criminal mastermind.
The main goal might sound intimidating to the novice programmer: learn to introduce new code into a running operating system kernel. Said another way, you learn how to rewrite the operating system on the fly. This is what makes the misuse of rootkits so dangerous. An invasive program enters your computer without anyone knowing that it's there. The program runs with root access, so anything is possible. The rootkit has instructions to rewrite the operating system kernel in any way the rootkit programmer sees fit. That's a little like having a sniper with a high-powered rifle and scope sitting on a rooftop across from your house, following your every move while you are totally unaware of the sniper's presence.
What I liked best about Kong's book: Lots and lots of practical examples. I'm not the kind of person that can learn a technical subject by taking a book to the park and reading it under a shade tree. Sure, that's fine for reading comic books or the great American novel, but when I'm trying to learn, I need to do. I have to be sitting at a keyboard in my lair, surrounded by my tools and ready to start hammering away. It's a huge disappointment when I want to learn to program and my source material excessively explains conceptual information without letting me get my hands dirty. To his credit, Kong writes to the practical programmer in all of us.
So what's the "legitimate" goal of this book? In one sense, it's the same goal as training soldiers how to use high powered rifles with scopes. The best defense is a good offense. If you understand how rootkits are written and operate, you have a better chance of detecting them or better yet, preventing them from getting on your system in the first place. Wait. There's more. The art of designing rootkits is the art of kernel hacking. The rationale here is the same one that Greg Kroah-Hartman had in writing Linux Kernel in a Nutshell. If you work with Linux or BSD systems, sooner or later, you'll not only need to hack the kernel, you'll probably want to.
You don't have to be a genius to learn from this book, but you do need a basic grasp of programming principles and experience in C in particular. Also, the book is only 144 pages long, so Kong doesn't baby you by teaching you a "Programming 101" class. For safety's sake (or at least to reduce your anxiety), it would be best if you didn't try any of this out on a production system. Pick a machine that you don't mind blowing up. Anyone who's been programming for more than ten seconds knows that "life happens" and the chances are, you'll fubar something on your way to learning new skills.
Yes, the book is short, but that's because the author doesn't waste space or time teaching you what you should already know. If this is your first foray into programming in general, put this book back on the shelf and pick up something a little more basic. If you have a basic programming background and this is your first foray into kernel hacking, scoop this book up and head to the checkout stand.
One caveat. Yes, it's possible to misuse the information in this book to write malicious rootkits and make yourself a pain in the arse. If you're thinking in that direction, stop. Do yourself and the rest of us a favor and just use whatever you learn to better your skill sets and use those skills to contribute to the programming community, to the open source community, and to the human race. Taking the moral high road will always be the better choice and it's not like you're going to starve if you use your talents to make an honest living.