Saturday, October 30, 2010

Gray Hat Python

The book Gray Hat Python is as cool a book as I've ever read. Instead of showing how Windows works from the ground up, the author, Justin Seitz, shows how to investigate and manipulate programs and components. The book provides the details only when they are relevant to the problem at hand.

Here are the purposes of the x86 registers:
EAX - the Accumulator stores return values from function calls and is used for calculations
EDX - the Data register is used in conjunction with EAX
ECX - the Count register is used in looping operations
ESI - the Source Index register is used in data operations
EDI - the Destination Index register is also used in data operations
EBP - the stack base pointer
ESP - the stack pointer
EBX - has no specific purpose
DR0 through DR7 - the hardware debug registers

Hardware breakpoints use Interrupt 1 and software breakpoints use Interrupt 3; single-stepping through instructions is also accomplished with Interrupt 1.
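To make the two breakpoint mechanisms concrete, here is an added illustration that is my own code, not from the book or this post. A software breakpoint is planted by overwriting the first byte of the target instruction with 0xCC, the opcode for INT 3, and serviced by restoring that byte and rewinding EIP; a hardware breakpoint is an address loaded into one of DR0 to DR3 with its enable bit set in DR7, and it leaves the code bytes untouched. The model is pure Python over a constructed buffer of NOP bytes (0x90) with a toy one-byte-per-instruction execution loop; the class, method and function names, the base address and the code bytes are all assumptions made for the demo.

```python
# Added example, not code from the book or the post: a pure-Python model of how a
# debugger plants and services an x86 software breakpoint (INT 3) versus a
# hardware breakpoint (DR0-DR3 plus DR7). All addresses and code bytes are
# constructed for the demo; class and function names are assumptions.

INT3_OPCODE = 0xCC   # one-byte encoding of the INT 3 instruction
NOP_OPCODE = 0x90    # one-byte NOP, used as filler "instructions"


class DebuggerModel:
    """Debuggee memory plus the debugger-visible state used for breakpoints."""

    def __init__(self, code: bytes, base: int = 0x00401000):
        self.base = base
        self.memory = bytearray(code)   # debuggee code bytes, writable by the debugger
        self.eip = base                 # next instruction to execute
        self.soft_bps = {}              # address -> original byte saved before planting 0xCC
        self.dr = [0, 0, 0, 0]          # DR0..DR3: linear addresses to watch
        self.dr7 = 0                    # DR7: local-enable bit for slot n is bit 2*n

    def _offset(self, addr: int) -> int:
        return addr - self.base

    def set_soft_bp(self, addr: int) -> None:
        """Plant INT 3 at addr, remembering the byte it replaces."""
        off = self._offset(addr)
        self.soft_bps[addr] = self.memory[off]
        self.memory[off] = INT3_OPCODE

    def set_hw_bp(self, slot: int, addr: int) -> None:
        """Arm DRn with addr and set its enable bit in DR7 (R/W bits left 00 = execute)."""
        self.dr[slot] = addr
        self.dr7 |= 1 << (2 * slot)

    def clear_hw_bp(self, slot: int) -> None:
        self.dr7 &= ~(1 << (2 * slot))

    def step(self) -> str:
        """Run one toy instruction (every opcode is one byte); return the trap raised, if any."""
        # The CPU matches hardware breakpoints before the instruction runs; memory is untouched.
        for slot in range(4):
            if self.dr7 & (1 << (2 * slot)) and self.dr[slot] == self.eip:
                return "INT1"            # EIP still points at the instruction
        opcode = self.memory[self._offset(self.eip)]
        self.eip += 1                    # the one-byte instruction has executed
        return "INT3" if opcode == INT3_OPCODE else ""

    def handle_int3(self) -> None:
        """Service a software breakpoint: restore the byte and rewind EIP by one."""
        addr = self.eip - 1              # INT 3 is one byte, so EIP is just past it
        if addr in self.soft_bps:
            self.memory[self._offset(addr)] = self.soft_bps.pop(addr)
            self.eip = addr              # the original instruction runs on the next step


def run_with_soft_bp(code: bytes, bp_offset: int) -> dict:
    """Plant INT 3 at code[bp_offset], run to the end, report what was observable."""
    dbg = DebuggerModel(code)
    dbg.set_soft_bp(dbg.base + bp_offset)
    tampered = bytes(dbg.memory) != code   # a checksum of the code would now differ
    hits = []
    while dbg.eip < dbg.base + len(code):
        if dbg.step() == "INT3":
            dbg.handle_int3()
            hits.append(dbg.eip - dbg.base)
    return {"memory_modified": tampered, "hits": hits,
            "memory_restored": bytes(dbg.memory) == code}


def run_with_hw_bp(code: bytes, bp_offset: int) -> dict:
    """Arm DR0 on code[bp_offset], run to the end, report what was observable."""
    dbg = DebuggerModel(code)
    dbg.set_hw_bp(0, dbg.base + bp_offset)
    tampered = bytes(dbg.memory) != code   # stays False: nothing is written to the code
    hits = []
    while dbg.eip < dbg.base + len(code):
        if dbg.step() == "INT1":
            hits.append(dbg.eip - dbg.base)
            dbg.clear_hw_bp(0)             # let the instruction run (a real CPU uses the RF flag)
    return {"memory_modified": tampered, "hits": hits,
            "memory_restored": bytes(dbg.memory) == code}


if __name__ == "__main__":
    code = bytes([NOP_OPCODE] * 8)         # constructed: eight NOPs
    print("software:", run_with_soft_bp(code, 3))
    print("hardware:", run_with_hw_bp(code, 3))
```

Both runs stop at offset 3, but only the software breakpoint changes a byte of the debuggee's code while it is planted, so a program that checksums its own code can notice it; the hardware breakpoint never touches memory, which is the usual reason it is preferred when analysing code that inspects itself.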

The book explains Windows security and how it is overcome, and then goes on to provide the means to overcome malware, with important tips such as why hardware breakpoints should be used instead of software breakpoints.

Here's a surprising example (Python 2 on Windows, where msvcrt is the C runtime):

from ctypes import *

# load the C runtime and call its printf from Python
msvcrt = cdll.msvcrt
message = "1. Hello, World\n"
msvcrt.printf("Testing %s", message)

# wrap a Python string as a C char* and look at it both ways
hello = c_char_p("2. Hello world")
print hello         # the ctypes wrapper object
print hello.value   # the string it points to

Output:
c_char_p("2. Hello world")
2. Hello world
Testing 1. Hello, World
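Here is an added Python 3 version of that experiment, my own code rather than the book's or the post's, that runs against msvcrt on Windows and against the system libc elsewhere. Two things change from the Python 2 listing: in Python 3 a C char* must be built from bytes, not str, and the C runtime's printf writes into libc's own stdio buffer rather than Python's sys.stdout, which is the usual reason the printf text turns up after the print output; calling fflush(NULL) drains every C stream so the two interleave in program order. The helper names are assumptions made for the demo.

```python
import ctypes
import ctypes.util
import sys

# Added example, not code from the book or the post: Python 3 version of the
# ctypes experiment above. Helper names are assumptions made for this demo.

# Load the C runtime: msvcrt on Windows (as in the book), the system libc elsewhere.
if sys.platform == "win32":
    libc = ctypes.cdll.msvcrt
else:
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None)

libc.printf.restype = ctypes.c_int          # printf returns the number of characters written
libc.fflush.restype = ctypes.c_int
libc.fflush.argtypes = [ctypes.c_void_p]    # fflush(NULL) flushes every open output stream


def c_printf(fmt: bytes, *args: bytes) -> int:
    """printf through the C runtime, then flush libc's buffer so the text appears now."""
    n = libc.printf(fmt, *args)
    libc.fflush(None)                       # without this the text can wait until process exit
    return n


def c_string_roundtrip(text: bytes) -> bytes:
    """Wrap bytes as a C char* and read the pointed-to string back."""
    hello = ctypes.c_char_p(text)
    return hello.value


def str_is_rejected() -> bool:
    """Python 3 refuses to build a c_char_p from str: a char* needs bytes."""
    try:
        ctypes.c_char_p("2. Hello world")
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    message = b"1. Hello, World\n"
    written = c_printf(b"Testing %s", message)   # printed and flushed immediately
    hello = ctypes.c_char_p(b"2. Hello world")
    print(hello)                                 # the ctypes wrapper object
    print(hello.value)                           # b'2. Hello world'
    print("printf wrote", written, "characters; str rejected:", str_is_rejected())
```

Run it with stdout redirected to a file or a pipe and the "Testing" line now precedes the Python output, because the C buffer is flushed before print is ever called.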
The book is a very interesting way to learn some Python, the Windows OS and its APIs, and x86 assembler, and how these pieces fit together to provide or circumvent computer security. Nothing I've seen makes Windows come alive like this.