Yep. A bit of a surprise, unplanned book, I deviated into while working on Android Internals Vols III & IV
This is current as of March 7th, 2025.
Any week now.
System-level programming, Debugging, Reverse Engineering, Hooking & Tracing on Darwin, Linux and Android platforms, with a strong emphasis on ARM64
A long time ago before I got sucked into Internals I was a system-level programmer. I taught a course on Linux Debugging which almost had me relocate to China since it was so popular. Since then, I went even deeper, and got to writing MOXiI and AI (Android Internals, not Artificial Intelligence). The point of departure for those series was that people were already familiar with UN*X/POSIX systems programming.
I also taught a fair amount of Internals trainings - Android, Linux and Darwin - and was always surprised by how many participants had gaps. Sometimes there were minor and didn't really matter for the big picture. Other times these gaps were, IMHO, too big to skip over - things like DTrace, Linux ftrace, library injection, hooking, etc. I realized that if participants in trainings have these, surely some readers may have them as well.
I also show lots of stuff in the Internals books using all sorts of methods and workflows, which I hope to clarify through the "Experiments" (as in, follow along with me, expecting similar flow but different results). But those, too, take for granted knowledge that some people may not have.
Add to that, that I noticed there is a woeful lack of books on low level programming and debugging. And those that do exist, focus on Intel, not ARM64. Intel is, IMHO, in its dying throes. It's only a matter of time before QCOM or AVGO or TSMC (or all of them) end up buying it. Aarch64 is immeasurably superior in every way to x86_64. I love, love, LOVE the assembly, and I want to spread the good word to the masses. The ARM Architecture Reference Manual is a-ma-zing, but also 14,000 pages. The few other books out there are too basic. There needs to be, I think, something in the middle.
Lastly, and I'll be perfectly honest here - I would like to spread the good word of my tools. People who do show up to the trainings are really impressed (or really fake it) by my demos of advanced uses of jtrace
, disarm
, procexp
, and other tools I wrote over the last decade or so for Android and iOS. The tools are engineered around my workflows, but have 0 documentation . I just put them out there for free, but aside from rudimentary download pages with few examples, there's really no way to get the ideas and paradigms I use with them. disarm
is, for some flows, on par with or exceeding IDA/Ghidra. jtrace
leaves strace
far behind.
I ended up writing a book on all of the above. The book is special in that it covers both Linux (+ Android) and Darwin - because the two systems share the common POSIX(ish) core, and then have their own extensions. And so I work similarly - each chapter, where applicable, starts with the commonalities, then shows Darwin extensions and Linux Extensions. (at one point I thougt to also cover Windows, now that it's slowly moving to ARM, but.. well.. no).
Glad you asked! A full TOC will be available soon, but it has:
LD_PRELOAD
, DYLD_INSERT_LIBRARIES
, etc.). ptrace(2)
, *OS mach APIs, including working samples of my code injection for Linux/Android and Darwin. jtrace
here.disarm
disarm
.jtrace
.There is some. It's unavoidable for two reasons:
I would put the overlap at less than 40% for Darwin, and probably 20-25 for Android. And in the Darwin case there is discussion of stuff that either changed since I sealed MOXiI (kernel virtual memory management, I'm looking at you), or didn't exist then (DYLD chained fixups, launch constraints)
You can think of this is as "* Internals, Volume 0". From here you can move on to either Android Internals, or *OS Internals. I believe that , over all, this would complement both series, and also firmly tie them together with the pure theory OS books of Stallings, Tannenbaum, and other titans. Kind of like "Applied Operating Systems". Each chatper includes ample review questions*, and I really hope it will be used as academic material.
Not forever. ETA S0n. Very S0n. Let's not forget I have a real job and (*gasp!*) a real life, too. Yes, Vol II took me seven years, Vol III and IV weren't even planned at first, but I did end up rewriting I, finishing II (thank you, COVID), and (now that this is done), I aim to finally be done with III & IV before end of this year (and everyone can stay healthy this time around). Not much to go.
So email me. J@