Book

Rootkits: Subverting the Windows Kernel

by Greg Hoglund, James Butler

📖 Overview

Rootkits: Subverting the Windows Kernel is a technical guide that examines methods used to compromise and maintain control of Windows operating systems. The book focuses on rootkit techniques that can modify the Windows kernel to hide malicious code and maintain persistence on infected systems. The authors present detailed explanations of Windows internals, kernel structures, and system call mechanisms that are relevant to rootkit development. Code examples and practical demonstrations illustrate concepts like function hooking, direct kernel object manipulation, and techniques for concealing processes and files. The work includes analysis of real-world rootkit samples and defense strategies for detecting and preventing rootkit infections. Technical diagrams and code listings support the material throughout. This book operates in the intersection between offensive security research and system internals, raising questions about the dual nature of security knowledge. The content serves as both a warning about system vulnerabilities and a reference for understanding operating system architecture at a fundamental level.

👀 Reviews

Readers found that this 2005 technical manual provides in-depth coverage of Windows kernel manipulation and rootkit development techniques. The book has maintained a 4.5/5 rating on Amazon across 40+ reviews and 4.1/5 on Goodreads.

Readers appreciated:
- Clear explanations of complex kernel concepts
- Practical code examples and implementations
- Detailed coverage of Windows internals
- Value for both offensive and defensive security work

Common criticisms:
- Outdated content focused on Windows XP/2000
- Some code samples contain errors
- Limited coverage of modern anti-rootkit techniques

One security researcher noted "the technical depth remains relevant even if the specific OS details have changed." Another reader mentioned "the fundamental concepts transfer to modern Windows versions despite the aged examples." Multiple reviews criticized the book's age but acknowledged it as a starting point for understanding kernel manipulation, with one reader stating "read it for the theory, not the implementation details."

📚 Similar books

Practical Malware Analysis by Michael Sikorski
This book teaches the tools and techniques to dissect malicious software through hands-on examples and reversing challenges.

The Shellcoder's Handbook by Chris Anley, John Heasman, Felix Lindner, and Gerardo Richarte
The text covers exploitation methods and shellcode development for both Linux and Windows systems.

The Art of Memory Forensics by Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters
The book provides techniques for analyzing volatile memory and investigating Windows, Linux, and Mac memory artifacts.

Gray Hat Python by Justin Seitz
This book demonstrates Python programming for security professionals with examples of debuggers, fuzzers, and hooking techniques.

Windows Internals by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, and David A. Solomon
The text delivers deep technical information about Windows architecture, processes, threads, and system mechanisms.

🤔 Interesting facts

🔒 Greg Hoglund founded rootkit.com in 2000, which became one of the most significant online communities for rootkit research and discussion before its closure in 2016.

💻 The book introduced many security professionals to the concept of "Direct Kernel Object Manipulation" (DKOM), a technique that allows rootkits to hide processes by manipulating Windows kernel structures.

🛡️ Co-author James Butler worked as the Director of Research and Development at HBGary, where he developed sophisticated anti-rootkit technologies.

🌐 The techniques described in the book led to significant changes in Windows security architecture, particularly in how Microsoft handles kernel-mode drivers and digital signatures.

🔍 The book's source code examples were so powerful that some antivirus companies used them as reference material to improve their detection capabilities for advanced persistent threats (APTs).