Rootkits: Subverting the Windows Kernel
by Greg Hoglund and James Butler

Addison-Wesley 2006. $44.99. ISBN 0-321-29431-9.

Reviewed by  Bob Bruen   09/19/05 

Rootkits are generally a set of programs that either replace or alter system binaries so that the intruder can control events on a computer. The alteration may happen in real time. Early Unix rootkits generally replaced the system program that listed files and process ("ls" and "ps") and manipulated log files in order to conceal the presence of the intruder. Later versions expanded the replacement list, eventually adding Kernel modules.

Rootkits for the Windows OS have had similar goals, but different techniques. Hoglund founded about ten years ago after discovering rootkits. Since then rootkits have become extremely sophisticated, and so have the authors. The proprietary nature of Windows code does not appear to have stopped the spread of details on how things work. The expertise required to put together a Windows rootkit using the techniques explained in this book is substantial. The detailed description of the conceptual aspects coupled with clearly written code make it all quite accessible, not a trivial task.

Any worthwhile rootkit needs to be able to hide from the people who used to own the box, but methods for controlling and hiding have gone past the operating system level. The chapter on hardware techniques is nice. It starts out with a scenario in which an intruder breaks into room with a computer. The first failure is obviously in physical security, but the best part is the modification of the Ethernet card and the BIOS. The Windows operating system can be checked for viruses, updated, upgraded and reinstalled with no effect. Whatever we do to make our systems better merely opens up another avenue for an attacker.

The problem source is in two parts, one is simply the nature of the digital world. It is all pretend, based on the difference between two states, mostly an one and a zero. Everything is based on the logical distinctions by grouping and defining the interpretations. There is no ultimate source or fix available. It is all about how things are designed. These designs can be figured out by someone who wants to do so, especially when you consider that each user must have some form of the design to run an application or their machine. Design understanding can only be made more difficult, but not impossible.

Much of the design and implementation of code is just not very good. This fact eases the burden on those who wish the subvert code. Several really good books have come out this past year or so which explain how things work and to break them. More can still be done. For example this excellent book is Windows-centric, a Linux-centric equivalent would be welcome. The knowledge is out there.

This review cannot do justice to the excellent work in the file system, process handling, networking, kernel insights and other operating system functions that are opened up for everyone in Rootkits. It would help the reader to have an operating system and computer architecture background because the book delves deeply into the machine's operation.

This book is a "must have" for anyone interested in security. The depth of of the authors' expertise is enviable and their willingness to share to share it is appreciated. Software and hardware will not improve until it is demonstrated that there are no secrets. This book goes a long way to establishing that. There is no substitute for expertise.