Rootkits: Subverting the Windows Kernel - Greg Hoglund and Jamie Butler

I heard about this book from a friend, and the topic's pretty interesting, since it involves kernel programming, security and, well, interesting tricks. It's written by the owners of, so you'd expect they know their stuff. And ocassionally the text does give you an inkling of their knowledge, but on the whole this book is rubbish.

The problem is that this book is missing 'For Dummies' from its title. You know when, talking about the x86 protection rings, it mentions that there aren't actually physical rings on the chip surface, but it's actually just a couple of bits in a register, that something's wrong. Every topic is introduced in an, ahem, management-friendly way, and useful technical details are dropped, perhaps as being too technical, in a book which lives or dies by its precision. It introduces each topic from scratch, rather than making sensible assumptions of knowledge at the start, in order to cram in more useful and topic-specific information.

The bibliography is almost useful, but it's implemented as footnotes throughout the book, and is far too thin. The code examples may be taken from real rootkits, but this just makes me despair about the quality of rootkit writers. Admittedly they're generally just looking at a means to an end, rather than beautiful code, but... it really doesn't help to learn a topic when you get the impression that the person you're learning off doesn't get it fully.

Really, you'd be far better off by reading books on x86 and PC architecture, the Windows driver model and Windows internals. The ideas specific to rootkits can then be picked up by reading source off, and with a solid background from reading decent books, you should be able to write better code than seen in this book. In other words, this book really does feel like a botched website cash-in book. More fool me for buying it, really.

Posted 2007-11-24.