Cyber Shelf

// Comparison

The Shellcoder's Handbook vs Windows Security Internals: Which Should You Read?

Two cybersecurity books on Offensive, compared honestly: who each is for, what each does best, and which to read first.

Advanced
4/52007
The Shellcoder's Handbook

Discovering and Exploiting Security Holes

Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte

A foundational text on memory-corruption exploitation across Linux, Windows, Solaris and embedded targets. Pre-modern-mitigations in spirit but still the canonical introduction to the techniques the modern toolchain is built to defeat.

Advanced
5/52024
Windows Security Internals

A Deep Dive into Windows Authentication, Authorization, and Auditing

James Forshaw

Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.

Read this if

Readers committed to learning binary exploitation seriously, after they've already finished Hacking: The Art of Exploitation and want a multi-platform reference that goes deeper.
Vulnerability researchers, red teamers, and platform security engineers who need ground truth on tokens, SDs, logon, and the kernel security reference monitor.

Skip this if

Anyone expecting modern (post-2010) mitigations or current heap allocators. The book pre-dates ASLR enforcement, modern heap hardening, CFI, and the entire arc of mitigations the modern toolchain assumes. It teaches the techniques modern systems are built to defeat.
Anyone after a high-level overview or defensive playbook. This is mechanism, not policy, and it assumes you want to read SDDL by hand.

Key takeaways

  • The Windows exploitation chapters are still the best print introduction to the SEH/PE-format-specific mechanics that don't exist in Erickson.
  • The heap chapters teach the conceptual vocabulary (unlinking, frontlinking, magic values, freelists) you need to read modern CTF write-ups, even though the specific allocators have moved on.
  • The "track patches, don't track exploits" chapter is the most underrated piece of vulnerability-research advice in print.
  • Windows authorization is one coherent system once you see the SRM, tokens, and security descriptors as a single pipeline.
  • The author's NtObjectManager PowerShell toolkit turns abstract security theory into something you can poke at interactively.
  • Most Windows privilege-escalation bugs come from misunderstanding this model, not from exotic memory corruption.

How they compare

We rate Windows Security Internals higher (5/5 against 4/5 for The Shellcoder's Handbook). For most readers, that means Windows Security Internals is the primary pick and The Shellcoder's Handbook is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

The Shellcoder's Handbook and Windows Security Internals both cover Offensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

The Shellcoder's Handbook

Alternatives to The Shellcoder's HandbookWhat to read after The Shellcoder's Handbook

Windows Security Internals

Alternatives to Windows Security InternalsWhat to read after Windows Security Internals

Related topics

Offensive