Over the last few weeks I have been working on SMB, and specifically DCERPC, support for the Dionaea next-generation low-interaction honeypot (buzz!).
SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.
What we basically want to achieve is a stable base on which modules can register certain known-to-be-vulnerable RPC calls, so that we can detect exploits and thus collect malware.