Impressions: Three "Internals" Books for Security

As of last month I'm no longer reviewing technical books. However, I wanted to mention a few that I received during the last few months. All three have an "internals" focus with security implications, and all three are written by authors I've reviewed before.

The first is The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Second Edition by Bill Blunden. I reviewed the first edition two years ago. I am not in a position to comment on the merit of Bill's technical approach (Greg? Jamie?) but I can say the following about the book.

First, it appears current, with references to developments over the last few years. Second, it is well-sourced, with lots of footnotes. For me, that is a sign that the author cares about attribution and scholarship. Third, I must admit I am very happy to see several references to posts on this blog and also to tools and techniques authored by Mandiant (such as Redline and Memoryze).

With respect to citing my practices and philosophy, as well as thoughts by others, I believe author Bill Blunden does a good job placing his technical work in a bigger overall framework. To me, this is a sign of a more advanced book, regardless of the exact technical details.

The second book is Windows® Internals, Part 1, Sixth Edition; Covering Windows Server® 2008 R2 and Windows 7 by Mark E. Russinovich, David A. Solomon, and Alex Ionescu. I reviewed the fifth edition last year. As with the rootkit book, I am not a Windows kernel developer, but I believe everyone would agree that you cannot beat the Russinovich-Solomon-Ionescu team when it comes to how Windows works!

One of the most intriguing aspects of this book is that it's been split into two parts. The previous edition was a hardcover with 1232 pages and a list price of $69.99. Part 1 of the new edition is a paperback with 728 pages and a list price of $39.99. Part 2 will arrive in September, according to the O'Reilly listing, and will feature 688 pages and a list price of $39.99.

The authors decided to split the book into two parts to speed the delivery of material to readers. The new books cover Windows Server® 2008 R2 and Windows 7, but Windows 8 will likely arrive this fall -- just as Part 2 hits Kindles and book stores.

Some might argue that books, even split into parts, aren't the right way to deliver technical material these days. I agree with that sentiment in some respects, but the traditional publishing world offers little support for producing and delivering shorter works. I also think authors like to present unified works, not a series of chapters. Does that sound like artists wanting to release albums and not cut singles? We'll see.

The third and final book in this post is FreeBSD Device Drivers by Joseph Kong. I reviewed his book Designing BSD Rootkits in 2007 and interviewed him as well.

This book appears very heavy on readable code and light on theory. I think this approach makes sense given the topic and the expectations the author sets for the reader. I am pleased to see No Starch provide a forum for books like this. They continue to produce high-quality works that read well and address subjects seldom found elsewhere.


Chad Tilbury said…
Richard - I am sorry to hear you are no longer reviewing books. Over the years I have found your reviews to be the most consistent barometer for the quality of books in our field. Thank you for all of the hard work you put into publishing those well thought out reviews!
Anonymous said…
I took his comment to mean that he would continue to review books just not technical ones.
Anonymous said…
Richard, it's a pity really you don't continue to review books, I always check them before buying any tech book.

Your impressions were great to see if the book was worth the read or not.

Thank you so much!
Kevin Hock said…
I remember laughing out loud in a lecture looking at a presentation of Bill's when I came across the slide titled Worst-Case Scenario with a picture of you. I ordered his book soon after and unfortunately my reading slowed down at around page 74. If Jon Erickson can comment his assembly why can't Bill? "MOV AH, 25H ; sets handler and expects address of interrupt handler in ds:dx"
