Daemon News Ezine
Review: Designing BSD Rootkits: An Introduction to Kernel Hacking
by Michael Hernandez <michael.hernandez@techally.com>
When I first picked up Designing BSD Rootkits from No Starch Press I was surprised. I first thought to myself, "This seems like such a light book for such a heavy topic... it's a 136 page introduction to BSD Kernel Hacking! Surely a book on kernel hacking should be a massive and intimidating volume that reads like a man page? Or should it?" My second surprise came when I turned to the introduction and found that I "should 'theoretically' be able to rewrite the entire operating system, on the fly" by the time I finished the book. It was then that I thought "Oh, this must be for people who are already hacking Linux drivers and want to learn about the BSD kernel..." I read on to find that kernel hacking experience is neither required nor expected. I stared at the book with mixed feelings of cynicism and overwhelming curiosity.

Designing BSD Rootkits is packed full of examples that aim to teach the reader about topics which include loadable kernel modules, direct kernel object manipulation, kernel object hooking and runtime kernel memory patching. At the end of the book you'll find a short chapter (approximately 6 pages long) about rootkit detection.

An extensive review of the book's contents is difficult due to the ratio of examples to text. If you could arrange the 136 pages so that the text and code were listed sequentially, you'd see about 10 pages of text with the balance being code. I am only slightly exaggerating; this book is basically all code examples and explanation of those examples. What better way is there to teach a topic than by example? For instance, why merely discuss a key logger? Why not show how to write one and see how it works? Why write about methods that can be used to hide a process when you can teach someone how to write, compile and run his or her own module that hides processes (or open TCP ports!)? Are you excited yet?

Although I've finished the book and cannot say with any degree of confidence that I can rewrite FreeBSD on the fly, I can say that my initial feelings of FUD that I associated with kernel hacking faded with each code example. The author's familiar tone and style helped me to relax and learn about what I once looked at as the dark cellar of my system. The cover of the book cleverly depicts the creation of a daemon-shaped "voodoo doll" from a "you do voodoo" kit. That's basically what Designing BSD Rootkits is – a DIY voodoo kit, demystifying the dark scary magic that is kernel code. Never before have I felt more in touch with what is going on "under the hood". In writing this book Joseph Kong has given us more than code snippets and links to man pages; he's given us a path to understanding more about the operating system we use every day.

Some might view books such as this as dangerous. Simple tutorials on writing rootkits might open a door for trouble. Actually, however, this book opens a door for everyday admins to enter a more secure future.

Michael Hernandez has been a Network Systems Engineer for Tech Alliance, formerly Optimized Computer Solutions, for nearly two years. Usually you will find him in his spare time loading fresh builds of OpenBSD onto his Zaurus.