From C to Windows Kernel Defense: A Practitioner's Guide to Windows Kernel Security
textbook authors: Bommarito, M. J.
year: 2026
venue: Self-published (draft)
details: Draft manuscript (380 pages, 25 chapters). The Windows companion to From C to Kernel Defense, built on the same offense-defense arms race: every kernel defense exists because someone broke the previous one. Five parts move from C and the Windows programming model (memory and lifetimes, the type and error model, the process and segment heaps, PE/COFF and the loader, x64 assembly and SEH, the user/kernel boundary) through a part the Linux volume never needs -- reading closed source (symbols and PDBs, decompiler literacy, Patch-Tuesday diffing), since on Windows you reconstruct both the bug and the defense from binaries, not source -- then kernel internals (the object manager, IRQL and the IRP/IOCTL model, the kernel pool, driver frameworks, tokens and access control), offensive technique (vulnerability classes, info leaks and KASLR defeat, pool grooming, reclaim objects and the I/O Ring RegBuffers primitive, control-flow hijacking and its limits, data-only attacks on PreviousMode and the token), and defense (the mitigation landscape, VBS/HVCI/kCET, a quantified defense-effectiveness matrix, and where the arms race goes next). Every exploit is paired with the mitigation that stops it and every mitigation with the technique that bypasses it and its default-on-by-build/SKU reality; every mechanism claim is pinned to a decompiler listing, symbol offset, or patch diff, and ships with a companion open-source lab. Not for citation.
citation: Bommarito, M. J. (2026). From C to Windows Kernel Defense: A Practitioner's Guide to Windows Kernel Security. Self-published (draft). Draft manuscript (380 pages, 25 chapters). Not for citation.