DESIGNING BSD ROOTKITS
An Introduction to Kernel Hacking
by Joseph Kong
San Francisco
DESIGNING BSD ROOTKITS. Copyright © 2007 by Joseph Kong.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior
written permission of the copyright owner and the publisher.
ISBN-10: 1-59327-142-5
ISBN-13: 978-1-59327-142-8
For information on book distributors or translations, please contact No Starch Press, Inc. directly:
Kong, Joseph.
Designing BSD rootkits : an introduction to kernel hacking / Joseph Kong.
p. cm.
Includes index.
ISBN-13: 978-1-59327-142-8
ISBN-10: 1-59327-142-5
1. FreeBSD. 2. Free computer software. 3. Operating systems (Computers) I. Title.
QA76.76.O63K649 2007
005.3--dc22
2007007644
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and
company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark
symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the
benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been
taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the
information contained in it.
To those who follow their dreams and specialize in the impossible.
ACKNOWLEDGMENTS
Foremost, I am especially grateful to Bill Pollock for his belief in me and for
his help in this book, as well as giving me so much creative control. His
numerous reviews and suggestions show in the final result (and yes, the rumors
are true, he does edit like a drill sergeant). I would also like to thank Elizabeth
Campbell for, essentially, shepherding this entire book (and for remaining
cheerful at all times, even when I rewrote an entire chapter, after it had been
through copyedit). Thanks to Megan Dunchak for performing the copyedit
and for improving the “style” of this book, and to Riley Hoffman for reviewing
the entire manuscript for errors. Also, thanks to Patricia Witkin, Leigh Poehler,
and Ellen Har for all of their work in marketing.
I would also like to thank John Baldwin, who served as this book’s
technical reviewer, but went beyond the normal call of duty to provide a wealth
of suggestions and insights; most of which became new sections in this book.
Also, I would like to thank my brother for proofreading the early drafts
of this book, my dad for getting me into computers (he’s still the best hacker
I know), and my mom for, pretty much, everything (especially her patience,
because I was definitely a brat growing up).
Last but not least, I would like to thank the open-source software/hacker
community for their innovation, creativity, and willingness to share.
BRIEF CONTENTS
Introduction ...................................................................................................................xv
Bibliography...............................................................................................................129
Index .........................................................................................................................131
CONTENTS IN DETAIL
FOREWORD by John Baldwin xiii
INTRODUCTION xv
What Is a Rootkit? .................................................................................................. xvi
Why FreeBSD? ...................................................................................................... xvi
The Goals of This Book ........................................................................................... xvi
Who Should Read This Book? .................................................................................. xvi
Contents Overview ................................................................................................. xvi
Conventions Used in This Book ................................................................................xvii
Concluding Remarks ...............................................................................................xvii
1 LOADABLE KERNEL MODULES 1
1.1 Module Event Handler ..................................................................................... 2
1.2 The DECLARE_MODULE Macro ......................................................................... 3
1.3 “Hello, world!” ................................................................................................ 4
1.4 System Call Modules ........................................................................................ 6
1.4.1 The System Call Function .................................................................. 6
1.4.2 The sysent Structure .......................................................................... 7
1.4.3 The Offset Value .............................................................................. 8
1.4.4 The SYSCALL_MODULE Macro .......................................................... 8
1.4.5 Example ......................................................................................... 9
1.4.6 The modfind Function ..................................................................... 10
1.4.7 The modstat Function ...................................................................... 10
1.4.8 The syscall Function ........................................................................ 11
1.4.9 Executing the System Call ............................................................... 11
1.4.10 Executing the System Call Without C Code ..................................... 12
1.5 Kernel/User Space Transitions ......................................................................... 12
1.5.1 The copyin and copyinstr Functions .................................................. 13
1.5.2 The copyout Function ...................................................................... 13
1.5.3 The copystr Function ....................................................................... 13
1.6 Character Device Modules .............................................................................. 14
1.6.1 The cdevsw Structure ...................................................................... 14
1.6.2 Character Device Functions ............................................................. 15
1.6.3 The Device Registration Routine ....................................................... 16
1.6.4 Example ....................................................................................... 17
1.6.5 Testing the Character Device ........................................................... 19
1.7 Linker Files and Modules ................................................................................. 21
1.8 Concluding Remarks ....................................................................................... 22
2 HOOKING 23
2.1 Hooking a System Call ................................................................................... 24
2.2 Keystroke Logging .......................................................................................... 26
2.3 Kernel Process Tracing .................................................................................... 28
2.4 Common System Call Hooks ............................................................................ 29
2.5 Communication Protocols ................................................................................ 30
2.5.1 The protosw Structure ..................................................................... 30
2.5.2 The inetsw[] Switch Table ............................................................... 31
2.5.3 The mbuf Structure ......................................................................... 32
2.6 Hooking a Communication Protocol ................................................................. 32
2.7 Concluding Remarks ....................................................................................... 35
3 DIRECT KERNEL OBJECT MANIPULATION 37
3.1 Kernel Queue Data Structures .......................................................................... 37
3.1.1 The LIST_HEAD Macro .................................................................... 38
3.1.2 The LIST_HEAD_INITIALIZER Macro .................................................. 38
3.1.3 The LIST_ENTRY Macro ................................................................... 38
3.1.4 The LIST_FOREACH Macro ............................................................. 39
3.1.5 The LIST_REMOVE Macro ............................................................... 39
3.2 Synchronization Issues .................................................................................... 39
3.2.1 The mtx_lock Function ..................................................................... 40
3.2.2 The mtx_unlock Function ................................................................. 40
3.2.3 The sx_slock and sx_xlock Functions ................................................. 40
3.2.4 The sx_sunlock and sx_xunlock Functions .......................................... 41
3.3 Hiding a Running Process ............................................................................... 41
3.3.1 The proc Structure .......................................................................... 41
3.3.2 The allproc List ............................................................................... 42
3.3.3 Example ....................................................................................... 43
3.4 Hiding a Running Process Redux ...................................................................... 46
3.4.1 The hashinit Function ...................................................................... 47
3.4.2 pidhashtbl ..................................................................................... 47
3.4.3 The pfind Function .......................................................................... 48
3.4.4 Example ....................................................................................... 48
3.5 Hiding with DKOM ........................................................................................ 51
3.6 Hiding an Open TCP-based Port ...................................................................... 52
3.6.1 The inpcb Structure ........................................................................ 52
3.6.2 The tcbinfo.listhead List ................................................................... 53
3.6.3 Example ....................................................................................... 54
3.7 Corrupting Kernel Data ................................................................................... 56
3.8 Concluding Remarks ....................................................................................... 57
4 KERNEL OBJECT HOOKING 59
4.1 Hooking a Character Device ........................................................................... 59
4.1.1 The cdevp_list and cdev_priv Structures ............................................ 60
4.1.2 The devmtx Mutex .......................................................................... 60
4.1.3 Example ....................................................................................... 60
4.2 Concluding Remarks ....................................................................................... 62
5 RUN-TIME KERNEL MEMORY PATCHING 63
5.1 Kernel Data Access Library .............................................................................. 63
5.1.1 The kvm_openfiles Function ............................................................. 64
5.1.2 The kvm_nlist Function .................................................................... 64
5.1.3 The kvm_geterr Function ................................................................. 65
5.1.4 The kvm_read Function ................................................................... 65
5.1.5 The kvm_write Function ................................................................... 65
5.1.6 The kvm_close Function ................................................................... 66
5.2 Patching Code Bytes ...................................................................................... 66
5.3 Understanding x86 Call Statements .................................................................. 70
5.3.1 Patching Call Statements ................................................................. 70
5.4 Allocating Kernel Memory ............................................................................... 73
5.4.1 The malloc Function ........................................................................ 73
5.4.2 The MALLOC Macro ...................................................................... 74
5.4.3 The free Function ........................................................................... 74
5.4.4 The FREE Macro ............................................................................ 74
5.4.5 Example ....................................................................................... 75
5.5 Allocating Kernel Memory from User Space ...................................................... 77
5.5.1 Example ....................................................................................... 77
5.6 Inline Function Hooking .................................................................................. 81
5.6.1 Example ....................................................................................... 82
5.6.2 Gotchas ........................................................................................ 88
5.7 Cloaking System Call Hooks ........................................................................... 88
5.8 Concluding Remarks ....................................................................................... 90
6 PUTTING IT ALL TOGETHER 91
6.1 What HIDSes Do ........................................................................................... 91
6.2 Bypassing HIDSes .......................................................................................... 92
6.3 Execution Redirection ..................................................................................... 92
6.4 File Hiding .................................................................................................... 96
6.5 Hiding a KLD ............................................................................................... 101
6.5.1 The linker_files List ........................................................................ 102
6.5.2 The linker_file Structure ................................................................. 102
6.5.3 The modules List ........................................................................... 103
6.5.4 The module Structure .................................................................... 103
6.5.5 Example ..................................................................................... 104
6.6 Preventing Access, Modification, and Change Time Updates ............................. 107
6.6.1 Change Time ............................................................................... 108
6.6.2 Example ..................................................................................... 112
6.7 Proof of Concept: Faking Out Tripwire ............................................................ 114
6.8 Concluding Remarks ..................................................................................... 117
7 DETECTION 119
7.1 Detecting Call Hooks .................................................................................... 120
7.1.1 Finding System Call Hooks ............................................................ 120
7.2 Detecting DKOM ......................................................................................... 123
7.2.1 Finding Hidden Processes ............................................................. 123
7.2.2 Finding Hidden Ports .................................................................... 125
7.3 Detecting Run-Time Kernel Memory Patching ................................................... 125
7.3.1 Finding Inline Function Hooks ........................................................ 125
7.3.2 Finding Code Byte Patches ............................................................ 125
7.4 Concluding Remarks ..................................................................................... 126
CLOSING WORDS 127
BIBLIOGRAPHY 129
INDEX 131
FOREWORD
John Baldwin
Kernel Developer, FreeBSD
Atlanta
Why FreeBSD?
FreeBSD is an advanced, open source operating system; with FreeBSD, you
have full, uninhibited access to the kernel source, making it easier to learn
systems programming—which is, essentially, what you’ll be doing
throughout this book.
Contents Overview
This book is (unofficially) divided into three sections. The first section
(Chapter 1) is essentially a whirlwind tour of kernel hacking, designed to
bring a novice up to speed. The next section (Chapters 2 through 6) covers
the gamut of current, popular rootkit techniques (i.e., what you would find
in “the wild”); while the last section (Chapter 7) focuses on rootkit detection
and removal.
Concluding Remarks
Although this book concentrates on the FreeBSD operating system, most
(if not all) of the concepts can be applied to other OSes, such as Linux or
Windows. In fact, I learned half of the techniques in this book on those very
systems.
NOTE All of the code examples in this book were tested on an IA-32–based computer
running FreeBSD 6.0-STABLE.
1 LOADABLE KERNEL MODULES
The simplest way to introduce code into a
running kernel is through a loadable kernel
module (LKM), which is a kernel subsystem
that can be loaded and unloaded after bootup,
allowing a system administrator to dynamically add and
remove functionality from a live system. This makes
LKMs an ideal platform for kernel-mode rootkits.
In fact, the vast majority of modern rootkits are
simply LKMs.
NOTE In FreeBSD 3.0, substantial changes were made to the kernel module subsystem,
and the LKM Facility was renamed the Dynamic Kernel Linker (KLD) Facility.
Subsequently, the term KLD is commonly used to describe LKMs under FreeBSD.
In this chapter we’ll discuss LKM (that is, KLD) programming within
FreeBSD for programmers new to kernel hacking.
NOTE Throughout this book, the terms device driver, KLD, LKM, loadable module, and
module are all used interchangeably.
#include <sys/param.h>
#include <sys/module.h>
#include <sys/kernel.h>
#include <sys/systm.h>

/* Module event handler: the kernel calls it on load, unload, and any
 * other module event, passing the event type in cmd. */
static int
load(struct module *module, int cmd, void *arg)
{
        int error = 0;

        switch (cmd) {
        case MOD_LOAD:
                uprintf("Hello, world!\n");
                break;
        case MOD_UNLOAD:
                uprintf("Good-bye, cruel world!\n");
                break;
        default:
                error = EOPNOTSUPP;   /* event we don't handle: refuse, don't crash */
                break;
        }

        return(error);
}

/* Register the handler so kldload(8)/kldunload(8) invoke it. */
static moduledata_t hello_mod = {
        "hello",        /* module name */
        load,           /* event handler */
        NULL            /* extra data */
};
DECLARE_MODULE(hello, hello_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
1. Actually, this isn’t entirely true. You can have a KLD that just includes a sysctl. You can also
dispense with module handlers if you wish and just use SYSINIT and SYSUNINIT directly to register
functions to be invoked on load and unload, respectively. You can’t, however, indicate failure in those.