Book of the month : ROOTKITS

This is the incredible book ever written on darkest area of computer security world. Authors have done splendid job in presenting the most mysterious subject of computer security in very simple and easy to understandable format.


Here is the detailed table of contents….

1. Leave No Trace.

Understanding Attackers’ Motives.

What Is a Rootkit?

Why Do Rootkits Exist?

How Long Have Rootkits Been Around?

How Do Rootkits Work?

What a Rootkit Is Not.

Rootkits and Software Exploits.

Offensive Rootkit Technologies.

2. Subverting the Kernel.

Important Kernel Components.

Rootkit Design.

Introducing Code into the Kernel.

Building the Windows Device Driver.

Loading and Unloading the Driver.

Logging the Debug Statements.

Fusion Rootkits: Bridging User and Kernel Modes.

Loading the Rootkit.

Decompressing the .sys File from a Resource.

Surviving Reboot.

3. The Hardware Connection.

Ring Zero.

Tables, Tables, and More Tables.

Memory Pages.

The Memory Descriptor Tables.

The Interrupt Descriptor Table.

The System Service Dispatch Table.

The Control Registers.

Multiprocessor Systems.

4. The Age-Old Art of Hooking.

Userland Hooks.

Kernel Hooks.

A Hybrid Hooking Approach.

5. Runtime Patching.

Detour Patching.

Jump Templates.

Variations on the Method.

6. Layered Drivers.

A Keyboard Sniffer.

The KLOG Rootkit: A Walk-through.

File Filter Drivers.

7. Direct Kernel Object Manipulation.

DKOM Benefits and Drawbacks.

Determining the Version of the Operating System.

Communicating with the Device Driver from Userland.

Hiding with DKOM.

Token Privilege and Group Elevation with DKOM.

8. Hardware Manipulation.

Why Hardware?

Modifying the Firmware.

Accessing the Hardware.

Example: Accessing the Keyboard Controller.

How Low Can You Go? Microcode Update.

9. Covert Channels.

Remote Command, Control, and Exfiltration of Data.

Disguised TCP/IP Protocols.

Kernel TCP/IP Support for Your Rootkit Using TDI.

Raw Network Manipulation.

Kernel TCP/IP Support for Your Rootkit Using NDIS.

Host Emulation.

10. Rootkit Detection.

Detecting Presence.

Detecting Behavior.


This is highly technical book which goes from basics to advanced topics of rootkits. It starts with explaining what rootkit is and what it is not. In second chapter, it describes the basics of kernel driver and then gets into explaining more detailed techniques for rootkit injection, covert channels, DKOM, various hooking mechanisms including userland, kernel and hybrid methods.  It also sheds light on hardware aspect of rootkits such as playing firmware/hardware by using the example of keyboard controller.  Last chapter briefly describes about various ways of detecting the rootkits.

Though the authors have not covered much on rootkit detection, overall this book presents enough information for novice person to master the darkest secrects of computer security.


If you are the person who lives in binary world and black is your favorite color then this is the  book for you…!


[Ebook Download Link – ]


Similar posts
  • Computer Security Tips: Stay Safe Onl... In recent times cyber security has raised the level of awareness and public consciousness as never before. Both large corporations and big organizations try to take care of online security as much as they can. That’s why cyber criminals and hackers have focused more on smaller companies and single entrepreneurs. This awful tendency leads to [...]
  • SecurityXploded Mentorship Programme ... I am writing this blog to share my SecurityXploded Student Mentorship Programme experience with the future students of this programme. My mentorship programme started last year in August when I was in 2nd year of MS at IIIT-Allahabad. I knew about SecurityXploded community since I used to follow their blogs, training programmes and security tools [...]
  • Code Injection and API Hooking Techni... Hooking covers a range of techniques used for many purposes like debugging, monitoring, intercepting messages, extending functionality etc. Hooking is also used by a lot of rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different [...]
  • Announcement – SecurityXploded ... From the past two years we are working actively on couple of projects to support the security community. As you all may already know that we have successfully completed our reversing and malware analysis training programme and we are very glad that it was very helpful for everyone. In my opinion the success of any [...]
  • Advanced Malware Analysis Training Se... Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 2) Dissecting the HeartBeat  RAT Functionalities   This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.       In this extended session, I explained “Decrypting various Communications Of HeartBeat [...]

Leave a Reply