Computing Reviews
The rootkit arsenal : escape and evasion in the dark corners of the system
Blunden B., Jones and Bartlett Publishers, Inc., Plano, TX, 2009. 908 pp. Type: Book (9781598220612)
Date Reviewed: Oct 1 2009

This book addresses a controversial and timely issue in the field of network security. Rootkits are notoriously used by the black hat hacking community. A rootkit allows an attacker to subvert a compromised system. This subversion can take place at the application level, as is the case for the early rootkits that replaced a set of common administrative tools, but can be more dangerous when it occurs at the kernel level. A rootkit hides the network traffic, processes, and files that an attacker decides to keep invisible to administrators and system management tools.

Blunden provides complete and detailed coverage of kernel-level rootkits for the Windows operating system (OS). Part 1 begins with three chapters on the IA-32 architecture and the Windows OS. The scope is very broad, starting with the well-known flat memory/segmented memory layout, and ending with an updated description of the booting process and underlying architecture. Chapter 4, on the first rootkit, uses an example to show how the writing and debugging of a complete rootkit is done. (Subsequent chapters present the kernel-specific structures that can be subverted.)

Part 2 begins with chapter 5, “Hooking Call Tables.” Chapter 6 shows different code detouring techniques, and chapter 7 is dedicated to the manipulation of the EPROCESS kernel structure. This part is relatively self-contained; although Blunden provides background material on the Windows-specific architecture, there is a steep learning curve to understand and follow these chapters. Once they are mastered, astute readers will know the different possibilities for hiding malicious code in a running system. Part 2 ends with chapter 8, “Deploying Filter Drivers.”

Part 3 consists of chapters 9 to 12, which address subverting file system data and defeating network analysis. I appreciate the material on foiling runtime executable analysis by defeating both kernel-level and user-mode debuggers. Also, this section nicely covers network driver interface specification (NDIS) drivers and domain name system (DNS) tunneling.

Part 4 covers practical, hands-on rootkit development. Chapter 13 presents a list of 11 rootkit-related projects. Part 4 ends with chapter 14, “Closing Thoughts.”

Example code from real rootkits is provided in each chapter, and the information presented is extensive and up to date. While the book can be read from cover to cover, readers can also pick and choose specific chapters. The book’s size and technical content are impressive. At more than 800 pages, it is a difficult but rewarding read. Since the book is very technical, readers must have a strong background in IA-32 architectures and system-level programming. If you work on defensive solutions (anti-virus and malware detection tools) or are interested in low-level system programming, you must read this book. In fact, for the intended audience, this is one of the best books of 2009.

The world of rootkits is a difficult one, requiring great software and system programming skills. Motivated readers will learn the essentials from this outstanding reference book.

Reviewer: Radu State. Review #: CR137337 (1009-0856)
Security and Protection (C.2.0 ...)
Security and Protection (K.6.5)