The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
I’ve begun reading this very interesting book, and so far I am very impressed.
As one commenter from the review on Amazon said:
The first part of the book, “Foundations”, has an excellent introduction to IA32 architecture and Windows internals that I have never seen so well-described for beginners. Even if you aren’t interested in rootkits, this portion of the book is something I would recommend to anyone getting started in related fields, like reverse-engineering or exploit development. Digging further into the text, the second section on “System Modification” makes up the “meat” of the book, delving into the details of subverting Windows internals in many different ways. As technical and in-depth as the book gets, though, it never seems to leave the reader behind. Each new concept is well-explained and builds upon the material the reader has already learned. You may have to go through the text slower than you had anticipated, and go back to review previous material, but you’re never left feeling hopelessly lost.
The remainder of the book is a treat, as well. I can’t recall another book that goes into any kind of detail on defeating forensic analysis of memory and file systems. Anyone interested in developing forensic tools or curious about how analysis with tools like Encase and FTK might be subverted, should give it a read. The author closes the text with some strategic guidelines for rootkit development, and his own thoughts on how evasion and deception can be used to similar ends on a larger scale than operating systems.
This is now one of my favorite computer security books, and I believe that if you review its contents, you’ll find that you’re getting a great value for your money. If you are familiar with C and have a beginner’s knowledge of IA-32 assembly, you should have the prerequisites you need to follow along with this book. I highly recommend it, and hope that it becomes less-hidden of a gem that it already is.