What?! A NEW Book? By Jonathan Levin?

Yep. A bit of a surprise, unplanned book, I deviated into while working on Android Internals Vols III & IV

Wait, Define "NEW". Did you refresh this page, or is this old news?

This is current as of March 7^th, 2025.

When??

Any week now.

What's it about?

System-level programming, Debugging, Reverse Engineering, Hooking & Tracing on Darwin, Linux and Android platforms, with a strong emphasis on ARM64

Why?

A long time ago before I got sucked into Internals I was a system-level programmer. I taught a course on Linux Debugging which almost had me relocate to China since it was so popular. Since then, I went even deeper, and got to writing MOXiI and AI (Android Internals, not Artificial Intelligence). The point of departure for those series was that people were already familiar with UN*X/POSIX systems programming.

I also taught a fair amount of Internals trainings - Android, Linux and Darwin - and was always surprised by how many participants had gaps. Sometimes there were minor and didn't really matter for the big picture. Other times these gaps were, IMHO, too big to skip over - things like DTrace, Linux ftrace, library injection, hooking, etc. I realized that if participants in trainings have these, surely some readers may have them as well.

I also show lots of stuff in the Internals books using all sorts of methods and workflows, which I hope to clarify through the "Experiments" (as in, follow along with me, expecting similar flow but different results). But those, too, take for granted knowledge that some people may not have.

Add to that, that I noticed there is a woeful lack of books on low level programming and debugging. And those that do exist, focus on Intel, not ARM64. Intel is, IMHO, in its dying throes. It's only a matter of time before QCOM or AVGO or TSMC (or all of them) end up buying it. Aarch64 is immeasurably superior in every way to x86_64. I love, love, LOVE the assembly, and I want to spread the good word to the masses. The ARM Architecture Reference Manual is a-ma-zing, but also 14,000 pages. The few other books out there are too basic. There needs to be, I think, something in the middle.

Lastly, and I'll be perfectly honest here - I would like to spread the good word of my tools. People who do show up to the trainings are really impressed (or really fake it) by my demos of advanced uses of jtrace, disarm, procexp, and other tools I wrote over the last decade or so for Android and iOS. The tools are engineered around my workflows, but have 0 documentation . I just put them out there for free, but aside from rudimentary download pages with few examples, there's really no way to get the ideas and paradigms I use with them. disarm is, for some flows, on par with or exceeding IDA/Ghidra. jtrace leaves strace far behind.

So...?

I ended up writing a book on all of the above. The book is special in that it covers both Linux (+ Android) and Darwin - because the two systems share the common POSIX(ish) core, and then have their own extensions. And so I work similarly - each chapter, where applicable, starts with the commonalities, then shows Darwin extensions and Linux Extensions. (at one point I thougt to also cover Windows, now that it's slowly moving to ARM, but.. well.. no).

What's in the book?

Glad you asked! A full TOC will be available soon, but it has:

• Chapter 1: An ARM Assembly Primer:
  • 60+ pages covering everything I could think of as essential, from the basics of bits and bytes, through registers, syntax, etc, through the "Working Vocabulary" of common instructions, through the feature sets of ARMv8.1 through v9.6!
• Chapter 2: Compilation & Linking:
  • a quick tour of compilation stages (preprocesing, compilation and linking).
  • Emphasis on the linking processes - both static and dynamic
• Chapter 3: Binary Formats:
  ELF
  • Mach-O
  Yes, there is some overlap here with MOXiI vol I/6-7, but it's kept to a minimum and also catches up (with Chained Fixups, DYLD Shared Cache changes, etc)
• Chapter 4: Process Lifecycle:
  • Starting with the basics of system calls
  • Looking at those syscalls involving process creation/termination/identifiers/credentials
  • Resource usage tracking
• Chapter 5:Memory - I - The System View: Looking at memory from the OS level.
  • Basics of virtual memory, paging.
  • POSIX memory APIs.
  • Darwin (Mach) Memory APIs.
  • Memory Metrics.
• Chapter 6: Memory - II - The Process View:
  • Detailing the layout of the stack, prologs, epilogs, backtraces and more.
  • Detailing Heap implementations:
    • GlibC 2.40 (Arenas)
    • Android's Scudo, in depth.
  • Memory Bugs (from overflows to UaFs).
  • Exploit mitigation strategies (PAC & MTE!)
• Chapter 7: MultiThreading:
  • POSIX thread APIS.
  • Darwin extensions.
  • Pthread implementations in GNU, Android, and Darwin.
  • Multithreading challenges - synchronization, atomics, Darwin ulocks, spinlocks, etc. ARMv9.x TME.
  • Darwin GCD.
  Scheduling APIs.
• Chapter 8: I/O and IPC:
  • File I/O system calls.
  • Async I/O.
  • UN*X IPC (Sockets, Pipes, shmem).
  • Darwin IPC (Mach Messages, XPC).
  • Android's Binder.
  • IPC Security.
• Chapter 9: Profiling & Auditing.
  • Linux: ftrace, kprobes, systemTap, and much more.
  • Darwin: Kdebug, proc_info, stackshotting, file monitoring, Core Analytics, and more.
  • Linux auditing
  • MacOS EndPointSecurity.
  • Extending via eBPF, DTrace.
• chapter 10: Hooking & Injecting.
  • Load time hooking (LD_PRELOAD, DYLD_INSERT_LIBRARIES, etc.).
  • Runtime hooking/tracing - Linux ptrace(2), *OS mach APIs, including working samples of my code injection for Linux/Android and Darwin.
  • Plenty of examples of jtrace here.
• Chapter 11: Runtimes:
  • Darwin's Objective-C
  • Swift 5-6.
  • Android's ART.
  Again, some overlap with M-I/10 and A-II/7, but different take (primarily, reversing perspective), and brand new discussion on Swift.
• Chapter 12: Post Mortem:
  • Signal handling
  • Core dumping
  • Crash reporting (Darwin)
  • Tombstones (Android).
• Chapter 13: Beyond user mode:
  • A primer into kernel mode (Syscalls, Part II)
  • Life in EL1
  • life in GL1 (Darwin)
  • Page table mgmt (on ARM64)
  • a bit on hypervisors (EL2) and secure monitors (EL3) - wait for A-III for more
• Chapter 14: Reversing: Many applied case studies demonstrating reverse engineering, primarily with disarm
• Appendix A: the missing manual page of disarm.
• Appendix B: the missing manual page of jtrace.

So, what about overlap with MOXiI and AI?

There is some. It's unavoidable for two reasons:

• I don't know if people read my other books, so I can't refer to them. That would be giving new readers an incomplete reference, or, worse, citing me all the time and having people think I'm pushing my other books.
• I take a different perspective in this book, less "how it works" and obscure interfaces that nobody but vulnerability researchers care about, and more "here's how you can see for yourself". For example, the XPC discussion sums up M-I/14 in a page, then jumps to tracing XPC, which is what most people would care about most.

I would put the overlap at less than 40% for Darwin, and probably 20-25 for Android. And in the Darwin case there is discussion of stuff that either changed since I sealed MOXiI (kernel virtual memory management, I'm looking at you), or didn't exist then (DYLD chained fixups, launch constraints)

You can think of this is as "* Internals, Volume 0". From here you can move on to either Android Internals, or *OS Internals. I believe that , over all, this would complement both series, and also firmly tie them together with the pure theory OS books of Stallings, Tannenbaum, and other titans. Kind of like "Applied Operating Systems". Each chatper includes ample review questions^*, and I really hope it will be used as academic material.

But wait, what about Android Vols. III & IV, forever delayed

Not forever. ETA S0n. Very S0n. Let's not forget I have a real job and (*gasp!*) a real life, too. Yes, Vol II took me seven years, Vol III and IV weren't even planned at first, but I did end up rewriting I, finishing II (thank you, COVID), and (now that this is done), I aim to finally be done with III & IV before end of this year (and everyone can stay healthy this time around). Not much to go.

I got a question for you that I'm not seeing here!

So email me. J@