// Comparison

Rootkits and Bootkits vs Windows Internals, Part 1: Which Should You Read?

Two cybersecurity books on Windows Internals, compared honestly: who each is for, what each does best, and which to read first.

Advanced

4/52019

Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats

Alex Matrosov, Eugene Rodionov, Sergey Bratus

Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.

Advanced

5/52017

Windows Internals, Part 1

System architecture, processes, threads, memory management, and more

Pavel Yosifovich, Alex Ionescu, Mark Russinovich, David Solomon

The canonical Microsoft Press reference on Windows internals: how processes, threads, memory and system services are actually implemented in the modern Windows kernel. User-mode focus in this volume.

Read this if

Malware analysts who need to handle below-the-OS persistence: kernel rootkits, MBR/UEFI bootkits, hypervisor-based threats. The deep specialist text in this corner of the field.

Windows malware analysts, kernel reverse engineers, OS-level developers, and anyone whose security work requires understanding the platform at depth. Russinovich's name is on the cover for a reason; this is the canonical reference for what Windows actually does.

Skip this if

Generalist malware analysts, or anyone whose work doesn't touch firmware-level threats. The book is dense and assumes Windows internals fluency; readers without that background will struggle.

Beginners or readers without programming background. The book is dense, lengthy, and assumes Win32 API fluency at minimum. Read after Practical Reverse Engineering, not before.

Key takeaways

Bootkits and UEFI rootkits are not theoretical; the book documents real samples (LoJax, MoonBounce, BlackLotus-class) and the techniques that make them detectable.
Secure Boot is necessary but not sufficient; the chapters on UEFI variables and SMM trust are required reading for anyone designing platform security.
Forensic detection of below-the-OS threats requires platform-specific tooling; the book's coverage of memory-acquisition pitfalls and integrity verification is the practical core.

Process, thread, and memory management on Windows have specific shapes that don't transfer from Linux mental models; the chapters on each are the canonical authority.
Object Manager and the kernel handle table are the two concepts most malware analysts wish they'd understood earlier; the book is where to learn them.
User-mode security boundaries (token, ACL, integrity levels, AppContainer) are the layer where most modern Windows exploits operate; the book maps the surface.

How they compare

We rate Windows Internals, Part 1 higher (5/5 against 4/5 for Rootkits and Bootkits). For most readers, that means Windows Internals, Part 1 is the primary pick and Rootkits and Bootkits is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Rootkits and Bootkits and Windows Internals, Part 1 both cover Windows Internals, so reading them in sequence reinforces the same material from different angles.

Keep reading