Book

The Rootkit Arsenal

📖 Overview

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System is a technical guide to rootkit technology authored by Bill Blunden. The book presents comprehensive information about rootkit development, Windows system architecture, and kernel-level programming, with source code examples throughout. The text is structured in four parts across 14 chapters, covering topics from IA-32 assembly to advanced system manipulation techniques. It includes detailed examinations of kernel objects, drivers, network analysis, and file system operations, with practical demonstrations and implementation examples in the appendix. The material requires readers to possess prior knowledge of computer programming and operating systems fundamentals. The book documents traditionally obscure or underdocumented aspects of system architecture and rootkit technology, making it valuable for security professionals and researchers. This work represents an exploration of the technical boundaries between legitimate security research and potential system exploitation, raising questions about the dual nature of security knowledge in modern computing environments.

👀 Reviews

Readers value this book as a technical reference for understanding rootkit development and OS internals, particularly for Windows systems. Multiple reviewers note the detailed code examples and in-depth coverage of anti-debugging techniques.

Likes:
- Clear explanations of complex concepts
- Practical code samples
- Strong coverage of Windows internals
- Useful debugging/anti-debugging content
- Technical accuracy

Dislikes:
- Some code examples are outdated
- Text can be dense and academic
- Focus mainly on Windows XP/Vista
- Price point considered high by some readers

Ratings:
- Amazon: 4.1/5 (48 reviews)
- Goodreads: 4.2/5 (31 ratings)

Notable reader comments:
- "Best technical book on rootkits I've read" - Amazon reviewer
- "Too theoretical, not enough modern examples" - Goodreads user
- "Worth it for the anti-debugging chapters alone" - SecurityFocus forum post

Several readers recommend combining this with more current OS internals resources for a complete understanding.

📚 Similar books

Practical Malware Analysis by Michael Sikorski: A laboratory-based guide to dissecting malicious software through reverse engineering techniques and tools.

Rootkits: Subverting the Windows Kernel by Greg Hoglund and James Butler: In-depth examination of Windows kernel manipulation methods and rootkit development fundamentals.

The Art of Memory Forensics by Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters: Step-by-step instruction for analyzing RAM contents and detecting malware persistence mechanisms.

Gray Hat Python by Justin Seitz: Python programming guide focused on creating security tools and debugging malware.

Practical Reverse Engineering by Bruce Dang, Alexandre Gazet, and Elias Bachaalany: System-level exploration of reverse engineering through x86, x64, and ARM architectures.

🤔 Interesting facts

🔹 Bill Blunden served as a Principal Software Engineer at PGP Corporation, contributing significantly to encryption technology before authoring this influential work.

🔹 The book features extensive coverage of the Windows Driver Model (WDM), which is critical for understanding how rootkits can manipulate operating system behavior at the kernel level.

🔹 The first edition was published in 2009 and became so influential in the cybersecurity community that it prompted an expanded second edition in 2013 with additional coverage of 64-bit systems.

🔹 One unique aspect of the book is its detailed exploration of the DKOM (Direct Kernel Object Manipulation) technique, which allows rootkits to hide processes without hooking system calls.

🔹 The source code examples in the book are written in multiple languages including C, Assembly, and Python, demonstrating the multi-layered approach needed for rootkit development.