- 出版社: Jones and Bartlett Publishers, Inc; 2nd Revised edition (2012年4月30日)
- 平装: 784页
- 语种： 英语
- ISBN: 144962636X
- 条形码: 9781449626365
- 商品尺寸: 4.4 x 15.9 x 23.5 cm
- 商品重量: 1.1 Kg
- ASIN: 144962636X
- 用户评分: 分享我的评价
- 亚马逊热销商品排名: 图书商品里排第1,499,504名 (查看图书商品销售排行榜)
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System (英语) 平装 – 2012年4月30日
While forensic analysis has proven to be a valuable investigative tool in the field of computer security, utilizing anti-forensic technology makes it possible to maintain a covert operational foothold for extended periods, even in a high-security environment. Adopting an approach that favors full disclosure, the updated Second Edition of The Rootkit Arsenal presents the most accessible, timely, and complete coverage of forensic countermeasures. This book covers more topics, in greater depth, than any other currently available. In doing so the author forges through the murky back alleys of the Internet, shedding light on material that has traditionally been poorly documented, partially documented, or intentionally undocumented. The range of topics presented includes how to: -Evade post-mortem analysis -Frustrate attempts to reverse engineer your command & control modules -Defeat live incident response -Undermine the process of memory analysis -Modify subsystem internals to feed misinformation to the outside -Entrench your code in fortified regions of execution -Design and implement covert channels -Unearth new avenues of attack
This is still one of my highest suggested books even for the few things it does seem to lack.
I recommended buying it to anyone who wish to know how O/S really works & find out about all those little things that makes the 'magic" happens after boot/login.
The book is NOT for beginners: A prior knowledge of assembly & usage of windows debuggers (such as WinDbg or KD) is recommended.
I had some experience with both, though I had some "rust", and it took me some time googling to be reminded of some stuff, and I wish author would put some additional chapter to subject early in the book.
As an small example: In chapter 3, there is a deep dive into working example how one could implement a "key logger" into "real mode" via TSR. It would really help if author would give small "intro" to TSR saying "write' performed by placing 25H to AH, DS:DX point to new routine, AL = N & that will hook the new function to slot N. True one could understand that from code & after further check internet for int21 documentation, but again it would make reading much "smoother". I assume someone that uses assembly on daily usage probably seems very obvious...
The book is filled with real "gems" as to HOW O/S works, what's get loaded first, who calls who, what registry key to watch out for if someone were to add to list of "Known" DLLs etc. And even though I'm not "security specialist" (I more an hobbyist), I really learned ALOT from this book.
I'm a software engineer for over 8 years, and I must admit only now I understand certain compiler flags & concept like ASLR, /GS & DEP...
The author takes a chapter to explain one thing at a time, and at the end of the chapter he provides some sort of "overall review", usually inside simple to understand chart/diagram that will help the user deal with the enormous amount of information provided.
Author provides alot of KD snippets, that demonstrate & proves the stuff he teach, I only wish some small intro chapter were made to those who less know those commands. Again, just to be clear I'm not referring to a "KD for dummies", but it would sure help to add a small reference to the commands used, so that could provide user with quick reference, instead of having to google for it, to understand what it does.
On the assembly side snippets, there are occasional some minor errors in the code snippets, like MOV/PUSH instead of LEA, but I guess that could be to avoid script kiddies to take code & compile right of the book.
To sum things up, I really enjoyed reading this book (still reading it...)
That's why I'm giving it 5 stars, it deserves it !