Cyber Shelf

// Comparison

The Art of Mac Malware, Volume 1 vs Rootkits and Bootkits: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced
4/52022
The Art of Mac Malware, Volume 1

The Guide to Analyzing Malicious Software

Patrick Wardle

Patrick Wardle's deep dive on macOS malware analysis: persistence patterns, injection techniques, anti-analysis tricks, and the macOS-specific tooling needed to triage real samples.

Advanced
4/52019
Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats

Alex Matrosov, Eugene Rodionov, Sergey Bratus

Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.

Read this if

Malware analysts who need to handle macOS samples and have so far worked Windows-only. The only serious book in print on Mac malware, by the most prominent practitioner in the field.
Malware analysts who need to handle below-the-OS persistence: kernel rootkits, MBR/UEFI bootkits, hypervisor-based threats. The deep specialist text in this corner of the field.

Skip this if

Analysts who don't see macOS in their pipeline. The platform specifics (Mach-O, code signing, TCC, XPC, launch agents) are non-transferable to other operating systems.
Generalist malware analysts, or anyone whose work doesn't touch firmware-level threats. The book is dense and assumes Windows internals fluency; readers without that background will struggle.

Key takeaways

  • Mach-O analysis differs from PE analysis in non-trivial ways; the chapters on entitlements, code signing, and notarization are the practical foundation.
  • macOS persistence has its own taxonomy (LaunchAgents, LaunchDaemons, login items, period plists, dylib hijacks); learning it is half the analyst's job.
  • Apple's own tooling (Console.app, sample, fs_usage, Endpoint Security framework) is the right starting toolkit for triage; Wardle's framing is the cleanest in print.
  • Bootkits and UEFI rootkits are not theoretical; the book documents real samples (LoJax, MoonBounce, BlackLotus-class) and the techniques that make them detectable.
  • Secure Boot is necessary but not sufficient; the chapters on UEFI variables and SMM trust are required reading for anyone designing platform security.
  • Forensic detection of below-the-OS threats requires platform-specific tooling; the book's coverage of memory-acquisition pitfalls and integrity verification is the practical core.

How they compare

The Art of Mac Malware, Volume 1 and Rootkits and Bootkits are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

The Art of Mac Malware, Volume 1 and Rootkits and Bootkits both cover Malware, Reverse Engineering, so reading them in sequence reinforces the same material from different angles.

Keep reading

The Art of Mac Malware, Volume 1

Alternatives to The Art of Mac Malware, Volume 1What to read after The Art of Mac Malware, Volume 1

Rootkits and Bootkits

Alternatives to Rootkits and BootkitsWhat to read after Rootkits and Bootkits

Related topics

MalwareReverse Engineering