Rootkits and Bootkits
Reversing Modern Malware and Next Generation Threats
Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.
As an Amazon Associate we earn from qualifying purchases. The link above is sponsored.
- Published
- 2019
- Publisher
- No Starch Press
- Pages
- 450
- Language
- English
Read this if
Malware analysts who need to handle below-the-OS persistence: kernel rootkits, MBR/UEFI bootkits, hypervisor-based threats. The deep specialist text in this corner of the field.
Skip this if
Generalist malware analysts, or anyone whose work doesn't touch firmware-level threats. The book is dense and assumes Windows internals fluency; readers without that background will struggle.
Key takeaways
- Bootkits and UEFI rootkits are not theoretical; the book documents real samples (LoJax, MoonBounce, BlackLotus-class) and the techniques that make them detectable.
- Secure Boot is necessary but not sufficient; the chapters on UEFI variables and SMM trust are required reading for anyone designing platform security.
- Forensic detection of below-the-OS threats requires platform-specific tooling; the book's coverage of memory-acquisition pitfalls and integrity verification is the practical core.
Notes
Pair with Practical Malware Analysis for the userland-malware foundations and with Windows Internals 7e for the OS-level reference. The authors' subsequent ESET research and the LoJax disclosures are the natural follow-up reading. Required reading for anyone who works on platform security at vendors, OEMs, or governments.
What to read before
What to read before Rootkits and Bootkits →Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Intermediate · 2012
Practical Malware Analysis
Still the gold standard textbook for static and dynamic malware analysis on Windows.
Intermediate · 2011
The IDA Pro Book
Chris Eagle's deep manual on IDA Pro, the disassembler that defined a generation of reverse engineering. Useful even with Ghidra in the picture, since most malware-analysis literature still assumes IDA.
What to read next
What to read after Rootkits and Bootkits →Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
Explore similar books
Alternatives to Rootkits and Bootkits →Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.