// Comparison

Evasive Malware vs Rootkits and Bootkits: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced

4/52024

A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

Kyle Cucci

Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.

Advanced

4/52019

Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats

Alex Matrosov, Eugene Rodionov, Sergey Bratus

Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.

Read this if

Malware analysts who finished Practical Malware Analysis and keep getting beaten by samples that detect their sandbox. The current reference on anti-analysis tradecraft, by a respected sandbox-and-detection practitioner.

Malware analysts who need to handle below-the-OS persistence: kernel rootkits, MBR/UEFI bootkits, hypervisor-based threats. The deep specialist text in this corner of the field.

Skip this if

Beginners. Cucci assumes you already know how to set up a sandbox, run static and dynamic analysis, and read assembly; the book picks up where PMA leaves off.

Generalist malware analysts, or anyone whose work doesn't touch firmware-level threats. The book is dense and assumes Windows internals fluency; readers without that background will struggle.

Key takeaways

Anti-VM and anti-sandbox checks now run as the first instructions of most samples; the book catalogues the dominant patterns and how to neutralise them.
Modern packers are conceptually simple but operationally demanding; Cucci's framing of unpacking-as-staged-emulation is the cleanest in print.
Control-flow obfuscation (opaque predicates, virtualization-based protections) is the analyst's hardest current problem; the chapters on it justify the book on their own.

Bootkits and UEFI rootkits are not theoretical; the book documents real samples (LoJax, MoonBounce, BlackLotus-class) and the techniques that make them detectable.
Secure Boot is necessary but not sufficient; the chapters on UEFI variables and SMM trust are required reading for anyone designing platform security.
Forensic detection of below-the-OS threats requires platform-specific tooling; the book's coverage of memory-acquisition pitfalls and integrity verification is the practical core.

How they compare

Evasive Malware and Rootkits and Bootkits are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Evasive Malware and Rootkits and Bootkits both cover Malware, Reverse Engineering, so reading them in sequence reinforces the same material from different angles.

Keep reading

Evasive Malware

→ Alternatives to Evasive Malware → What to read after Evasive Malware