The Art of Mac Malware, Volume 1
The Guide to Analyzing Malicious Software
Patrick Wardle's deep dive on macOS malware analysis: persistence patterns, injection techniques, anti-analysis tricks, and the macOS-specific tooling needed to triage real samples.
- Authors: Patrick Wardle
- Published: 2022
- Publisher: No Starch Press
- Pages: 328
- Language: English
Read this if
Malware analysts who need to handle macOS samples and have so far worked Windows-only. The only serious book in print on Mac malware, by the most prominent practitioner in the field.
Skip this if
Analysts who don't see macOS in their pipeline. The platform specifics (Mach-O, code signing, TCC, XPC, launch agents) are non-transferable to other operating systems.
Key takeaways
- Mach-O analysis differs from PE analysis in non-trivial ways; the chapters on entitlements, code signing, and notarization are the practical foundation.
- macOS persistence has its own taxonomy (LaunchAgents, LaunchDaemons, login items, periodic plists, dylib hijacks); learning it is half the analyst's job.
- Apple's own tooling (Console.app, sample, fs_usage, Endpoint Security framework) is the right starting toolkit for triage; Wardle's framing is the cleanest in print.
Notes
Pair with Wardle's Objective-See tools (BlockBlock, KnockKnock, Lulu) and with the Volume 2 book on detection. Required reading for any blue team that handles Mac endpoints in 2026 (most of them now). The book pre-dates a few Sequoia-era changes; check the Objective-See blog for current refinements.
What to read before
Intermediate · 2012
Practical Malware Analysis
Still the gold standard textbook for static and dynamic malware analysis on Windows.
Intermediate · 2011
The IDA Pro Book
Chris Eagle's deep manual on IDA Pro, the disassembler that defined a generation of reverse engineering. Useful even with Ghidra in the picture, since most malware-analysis literature still assumes IDA.
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.
What to read next
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Explore similar books
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.
Advanced · 2019
Rootkits and Bootkits
Matrosov, Rodionov and Bratus on persistent, deeply embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.