Cyber Shelf

// Comparison

Evasive Malware vs The Mac Hacker's Handbook: Which Should You Read?

Two cybersecurity books on Reverse Engineering, compared honestly: who each is for, what each does best, and which to read first.

Advanced
4/52024
Evasive Malware

A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

Kyle Cucci

Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.

Advanced
3/52009
The Mac Hacker's Handbook

Charlie Miller, Dino Dai Zovi

Charlie Miller and Dino Dai Zovi's 2009 deep dive into the Mac OS X exploit landscape — Mach-O, IPC, sandboxing as it then existed, and the early-Intel-Mac exploitation chains.

Read this if

Malware analysts who finished Practical Malware Analysis and keep getting beaten by samples that detect their sandbox. The current reference on anti-analysis tradecraft, by a respected sandbox-and-detection practitioner.
Reverse engineers and exploit developers who want the historical foundation of Mac exploitation, especially as a stepping stone to The Art of Mac Malware (Wardle). Most useful for the conceptual scaffolding around Mach, Objective-C runtimes, and IPC, which are still load-bearing on modern macOS.

Skip this if

Beginners. Cucci assumes you already know how to set up a sandbox, run static and dynamic analysis, and read assembly; the book picks up where PMA leaves off.
Anyone needing current Apple-silicon, Hardened Runtime, System Integrity Protection, Endpoint Security, or modern sandbox-escape tradecraft. The book is pre-iPhone-era macOS in spirit; 2009 was a different planet.

Key takeaways

  • Anti-VM and anti-sandbox checks now run as the first instructions of most samples; the book catalogues the dominant patterns and how to neutralise them.
  • Modern packers are conceptually simple but operationally demanding; Cucci's framing of unpacking-as-staged-emulation is the cleanest in print.
  • Control-flow obfuscation (opaque predicates, virtualization-based protections) is the analyst's hardest current problem; the chapters on it justify the book on their own.
  • The conceptual material (Mach, IPC, Mach-O, Objective-C dispatch) generalizes to modern macOS; the specific exploits do not.
  • Most of the value is historical archaeology — knowing why the macOS sandbox and SIP exist is far easier after this book.
  • Pair with current Wardle and Apple Platform Security material for any operational use; treat this as background reading.

How they compare

We rate Evasive Malware higher (4/5 against 3/5 for The Mac Hacker's Handbook). For most readers, that means Evasive Malware is the primary pick and The Mac Hacker's Handbook is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Evasive Malware and The Mac Hacker's Handbook both cover Reverse Engineering, so reading them in sequence reinforces the same material from different angles.

Keep reading

Evasive Malware

Alternatives to Evasive MalwareWhat to read after Evasive Malware

The Mac Hacker's Handbook

Alternatives to The Mac Hacker's HandbookWhat to read after The Mac Hacker's Handbook

Related topics

Reverse Engineering