CINXE.COM

<!DOCTYPE html> <html lang="en" dir="ltr" xmlns:og="https://ogp.me/ns#"> <head> <link rel="profile" href="https://www.w3.org/1999/xhtml/vocab" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="https://nostarch.com/sites/default/files/favicon.ico" type="image/vnd.microsoft.icon" /> <meta name="description" content="A handbook for Apple infection methods, malicious script analysis, and Mach-O malware." /> <meta name="generator" content="Drupal 7 (http://drupal.org)" /> <link rel="image_src" href="https://nostarch.com/sites/default/files/ArtofMacMalware_v1_frontcover.png" /> <link rel="canonical" href="https://nostarch.com/art-mac-malware-volume-1" /> <link rel="shortlink" href="https://nostarch.com/node/638" /> <meta property="og:type" content="article" /> <meta property="og:url" content="https://nostarch.com/art-mac-malware-volume-1" /> <meta property="og:title" content="The Art of Mac Malware, Volume 1" /> <meta property="og:description" content="A handbook for Apple infection methods, malicious script analysis, and Mach-O malware." /> <meta property="og:updated_time" content="2025-01-16T12:31:35-08:00" /> <meta property="og:image:url" content="https://nostarch.com/sites/default/files/ArtofMacMalware_v1_frontcover.png" /> <meta property="og:image:url" content="https://nostarch.com/sites/default/files/ArtofMacMalware_front.jpg" /> <meta property="og:image:secure_url" content="https://nostarch.com/sites/default/files/ArtofMacMalware_v1_frontcover.png" /> <meta property="og:image:secure_url" content="https://nostarch.com/sites/default/files/ArtofMacMalware_front.jpg" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@nostarch" /> <meta name="twitter:url" content="https://nostarch.com/art-mac-malware-volume-1" /> <meta name="twitter:title" content="The Art of Mac Malware, Volume 1" /> <meta name="twitter:description" content="A handbook for Apple infection methods, malicious script analysis, and Mach-O malware." /> <meta name="twitter:image" content="https://nostarch.com/sites/default/files/ArtofMacMalware_v1_frontcover.png" /> <meta property="product:price:amount" content="49.99" /> <meta property="product:price:currency" content="USD" /> <meta property="product:isbn" content="9781718501942" /> <meta property="article:published_time" content="2021-07-22T12:11:30-07:00" /> <meta property="article:modified_time" content="2025-01-16T12:31:35-08:00" /> <meta property="product:retailer_part_no" content="artofmacmalware-combo" /> <meta property="product:mfr_part_no" content="artofmacmalware-combo" /> <title>The Art of Mac Malware, Volume 1 | No Starch Press</title> <link type="text/css" rel="stylesheet" href="https://nostarch.com/sites/default/files/css/css_lQaZfjVpwP_oGNqdtWCSpJT1EMqXdMiU84ekLLxQnc4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://nostarch.com/sites/default/files/css/css_guSWpwqRBCVb2J7ivC8BaNuaPffCXmbkGB5xDBqKKu8.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://nostarch.com/sites/default/files/css/css_Dw0rmhFX_owMmlf1HH5Y-_BnOHcMlkri1yMjYHD4ffs.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://nostarch.com/sites/default/files/css/css_XJm3Wqia1GUjoI4j54duSLNZVR3Kxhbwy0s3UwuhhHg.css" media="all" />   <script src="//ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script> <script>window.jQuery || document.write("<script src='/sites/all/modules/contrib/jquery_update/replace/jquery/2.2/jquery.min.js'>\x3C/script>")</script> <script src="https://nostarch.com/misc/jquery-extend-3.4.0.js?v=2.2.4"></script> <script src="https://nostarch.com/misc/jquery-html-prefilter-3.5.0-backport.js?v=2.2.4"></script> <script src="https://nostarch.com/misc/jquery.once.js?v=1.2"></script> <script src="https://nostarch.com/misc/drupal.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/jquery_update/js/jquery_browser.js?v=0.0.1"></script> <script src="https://nostarch.com/misc/form-single-submit.js?v=7.103"></script> <script src="https://nostarch.com/sites/all/modules/contrib/ubercart/uc_file/uc_file.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/libraries/colorbox/jquery.colorbox-min.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/colorbox/js/colorbox.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/colorbox/styles/plain/colorbox_style.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/colorbox/js/colorbox_load.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/colorbox/js/colorbox_inline.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/ubercart/uc_cart/uc_cart_block.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/modules/contrib/google_analytics/googleanalytics.js?stn5l0"></script> <script src="https://www.googletagmanager.com/gtag/js?id=UA-5027625-1"></script> <script>window.google_analytics_uacct = "UA-5027625-1";window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments)};gtag("js", new Date());gtag("set", "developer_id.dMDhkMT", true);gtag("config", "UA-5027625-1", {"groups":"default","anonymize_ip":true});gtag("config", "G-51XGZT9Y4H", {"groups":"default","anonymize_ip":true});</script> <script src="https://nostarch.com/sites/all/themes/nostarch/js/bootstrap.min.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/themes/nostarch/js/main.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/themes/nostarch/js/front_grid_height.js?stn5l0"></script> <script>jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"","setHasJsCookie":0,"ajaxPageState":{"theme":"nostarch","theme_token":"i14r5PavcATckd_lIy1raDKnnwLTzfK10NvtPF90Jc8","js":{"sites\/all\/modules\/contrib\/addthis\/addthis.js":1,"sites\/all\/libraries\/shariff\/shariff.min.js":1,"sites\/all\/themes\/contrib\/bootstrap\/js\/bootstrap.js":1,"\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/2.2.4\/jquery.min.js":1,"0":1,"misc\/jquery-extend-3.4.0.js":1,"misc\/jquery-html-prefilter-3.5.0-backport.js":1,"misc\/jquery.once.js":1,"misc\/drupal.js":1,"sites\/all\/modules\/contrib\/jquery_update\/js\/jquery_browser.js":1,"misc\/form-single-submit.js":1,"sites\/all\/modules\/contrib\/ubercart\/uc_file\/uc_file.js":1,"sites\/all\/libraries\/colorbox\/jquery.colorbox-min.js":1,"sites\/all\/modules\/contrib\/colorbox\/js\/colorbox.js":1,"sites\/all\/modules\/contrib\/colorbox\/styles\/plain\/colorbox_style.js":1,"sites\/all\/modules\/contrib\/colorbox\/js\/colorbox_load.js":1,"sites\/all\/modules\/contrib\/colorbox\/js\/colorbox_inline.js":1,"sites\/all\/modules\/contrib\/ubercart\/uc_cart\/uc_cart_block.js":1,"sites\/all\/modules\/contrib\/google_analytics\/googleanalytics.js":1,"https:\/\/www.googletagmanager.com\/gtag\/js?id=UA-5027625-1":1,"1":1,"sites\/all\/themes\/nostarch\/js\/bootstrap.min.js":1,"sites\/all\/themes\/nostarch\/js\/main.js":1,"sites\/all\/themes\/nostarch\/js\/front_grid_height.js":1},"css":{"modules\/system\/system.base.css":1,"modules\/field\/theme\/field.css":1,"sites\/all\/modules\/contrib\/logintoboggan\/logintoboggan.css":1,"modules\/node\/node.css":1,"sites\/all\/modules\/contrib\/uc_fedex\/uc_fedex.css":1,"sites\/all\/modules\/contrib\/ubercart\/uc_file\/uc_file.css":1,"sites\/all\/modules\/contrib\/ubercart\/uc_order\/uc_order.css":1,"sites\/all\/modules\/contrib\/ubercart\/uc_product\/uc_product.css":1,"sites\/all\/modules\/contrib\/ubercart\/uc_store\/uc_store.css":1,"sites\/all\/modules\/contrib\/views\/css\/views.css":1,"sites\/all\/modules\/contrib\/ckeditor\/css\/ckeditor.css":1,"sites\/all\/modules\/contrib\/uc_discounts_alt\/uc_discounts\/uc_discounts.css":1,"sites\/all\/modules\/contrib\/colorbox\/styles\/plain\/colorbox_style.css":1,"sites\/all\/modules\/contrib\/ctools\/css\/ctools.css":1,"sites\/all\/modules\/contrib\/ubercart\/uc_cart\/uc_cart_block.css":1,"sites\/all\/libraries\/shariff\/shariff.complete.css":1,"sites\/all\/themes\/nostarch\/css\/en_styles.css":1,"sites\/all\/themes\/nostarch\/css\/custom.css":1,"sites\/all\/themes\/nostarch\/css\/bootstrap-3-vert-offset.css":1,"sites\/all\/themes\/nostarch\/css\/bootstrap-3-autoclear.css":1,"sites\/all\/themes\/nostarch\/css\/glyphicons.css":1}},"colorbox":{"opacity":"0.85","current":"{current} of {total}","previous":"\u00ab Prev","next":"Next \u00bb","close":"Close","maxWidth":"98%","maxHeight":"98%","fixed":true,"mobiledetect":true,"mobiledevicewidth":"480px","file_public_path":"\/sites\/default\/files","specificPagesDefaultValue":"admin*\nimagebrowser*\nimg_assist*\nimce*\nnode\/add\/*\nnode\/*\/edit\nprint\/*\nprintpdf\/*\nsystem\/ajax\nsystem\/ajax\/*"},"better_exposed_filters":{"views":{"topics":{"displays":{"block":{"filters":[]}}},"related_products":{"displays":{"block":{"filters":[]}}}}},"googleanalytics":{"account":["UA-5027625-1","G-51XGZT9Y4H"],"trackOutbound":1,"trackMailto":1,"trackDownload":1,"trackDownloadExtensions":"7z|aac|arc|arj|asf|asx|avi|bin|csv|doc(x|m)?|dot(x|m)?|exe|flv|gif|gz|gzip|hqx|jar|jpe?g|js|mp(2|3|4|e?g)|mov(ie)?|msi|msp|pdf|phps|png|ppt(x|m)?|pot(x|m)?|pps(x|m)?|ppam|sld(x|m)?|thmx|qtm?|ra(m|r)?|sea|sit|tar|tgz|torrent|txt|wav|wma|wmv|wpd|xls(x|m|b)?|xlt(x|m)|xlam|xml|z|zip","trackColorbox":1},"urlIsAjaxTrusted":{"\/art-mac-malware-volume-1":true},"bootstrap":{"anchorsFix":"0","anchorsSmoothScrolling":"0","formHasError":1,"popoverEnabled":1,"popoverOptions":{"animation":1,"html":0,"placement":"right","selector":"","trigger":"click","triggerAutoclose":1,"title":"","content":"","delay":0,"container":"body"},"tooltipEnabled":1,"tooltipOptions":{"animation":1,"html":0,"placement":"auto left","selector":"","trigger":"hover focus","delay":0,"container":"body"}}});</script> </head> <body class="html not-front not-logged-in two-sidebars page-node page-node- page-node-638 node-type-product uc-product-node"> <div id="skip-link"> <a href="#main-content" class="element-invisible element-focusable">Skip to main content</a> </div> <header id="" class="header" role="banner" class="navbar navbar-default"> <div class="container"> <div class="row"> <nav role="navigation" class="navbar navbar-default visible-xs"> <div class="navbar-header"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand text-uppercase" href="/"><img src="https://nostarch.com/sites/all/themes/nostarch/logo.png" alt="Home" class="img-responsive"/></a> </div> <div id="navbar" class="navbar-collapse collapse text-center"> <ul class="menu nav navbar-nav"><li class="first leaf"><a href="/catalog.htm" title="Explore our catalog">Catalog</a></li> <li class="leaf"><a href="https://nostarch.com/merchandise-0" title="Merchandise">Merchandise</a></li> <li class="leaf"><a href="/blog" title="The No Starch Press blog">Blog</a></li> <li class="leaf"><a href="https://nostarch.com/early-access-program" title="Media contact">Early Access</a></li> <li class="leaf"><a href="/writeforus" title="Submit a book proposal">Write for Us</a></li> <li class="leaf"><a href="/about" title="About No Starch Press">About Us</a></li> <li class="last leaf"><a href="/contactus" title="Contact Us">Contact Us</a></li> </ul> <div class="region region-navigation"> <section id="block-uc-cart-cart" class="block block-uc-cart clearfix"> <h2 class="block-title"><a href="/cart"><span class="cart-block-icon-empty" title="View your shopping cart."></span></a><span class="cart-block-title-bar" title="Show/hide shopping cart contents.">Shopping cart<span class="cart-block-arrow arrow-down"></span></span></h2> <p class="cart-block-items collapsed uc-cart-empty">There are no products in your shopping cart.</p><table class="cart-block-summary"><tbody><tr><td class="cart-block-summary-items"><span class="num-items">0</span> Items</td><td class="cart-block-summary-total"><label>Total:</label> <span class="uc-price">$0.00</span></td></tr></tbody></table> </section> <section id="block-search-api-page-site-search" class="block block-search-api-page clearfix"> <form action="/art-mac-malware-volume-1" method="post" id="search-api-page-search-form-site-search" accept-charset="UTF-8"><div><div class="form-item form-item-keys-2 form-type-textfield form-group"><input placeholder="Search" class="form-control form-text" type="text" id="edit-keys-2" name="keys_2" value="" size="15" maxlength="128" /> <label class="control-label element-invisible" for="edit-keys-2">Enter your keywords</label> </div><input type="hidden" name="id" value="2" /> <button class="icon glyphicon glyphicon-search btn-primary form-control btn form-submit" type="submit" id="edit-submit-2" name="op" value=""></button> <input type="hidden" name="form_build_id" value="form-Cp9bqCkBpO6I6nM5ydWrBQQ_kzXRlr8VXgFG5Fi0pko" /> <input type="hidden" name="form_id" value="search_api_page_search_form_site_search" /> </div></form> </section> </div> </div> </nav> <div class="navbar-header"> <div class="logo-wrapper col-sm-6 hidden-xs"> <a class="logo navbar-btn pull-left" href="/" title="Home"> <img src="https://nostarch.com/sites/all/themes/nostarch/logo.png" alt="Home" class="img-responsive"/> </a> </div> <div class="logo-wrapper col-sm-6 hidden-xs"> <div class="region region-navigation"> <div class="region region-navigation"> <section id="block-uc-cart-cart" class="block block-uc-cart clearfix"> <h2 class="block-title"><a href="/cart"><span class="cart-block-icon-empty" title="View your shopping cart."></span></a><span class="cart-block-title-bar" title="Show/hide shopping cart contents.">Shopping cart<span class="cart-block-arrow arrow-down"></span></span></h2> <p class="cart-block-items collapsed uc-cart-empty">There are no products in your shopping cart.</p><table class="cart-block-summary"><tbody><tr><td class="cart-block-summary-items"><span class="num-items">0</span> Items</td><td class="cart-block-summary-total"><label>Total:</label> <span class="uc-price">$0.00</span></td></tr></tbody></table> </section> <section id="block-search-api-page-site-search" class="block block-search-api-page clearfix"> <form action="/art-mac-malware-volume-1" method="post" id="search-api-page-search-form-site-search" accept-charset="UTF-8"><div><div class="form-item form-item-keys-2 form-type-textfield form-group"><input placeholder="Search" class="form-control form-text" type="text" id="edit-keys-2" name="keys_2" value="" size="15" maxlength="128" /> <label class="control-label element-invisible" for="edit-keys-2">Enter your keywords</label> </div><input type="hidden" name="id" value="2" /> <button class="icon glyphicon glyphicon-search btn-primary form-control btn form-submit" type="submit" id="edit-submit-2" name="op" value=""></button> <input type="hidden" name="form_build_id" value="form-Cp9bqCkBpO6I6nM5ydWrBQQ_kzXRlr8VXgFG5Fi0pko" /> <input type="hidden" name="form_id" value="search_api_page_search_form_site_search" /> </div></form> </section> </div> </div> </div> </div> </div> </div> <div class="container"> <div class="row"> <div class="navbar-collapse collapse"> <nav role="navigation"> <ul class="menu nav navbar-nav"><ul class="menu nav navbar-nav"><li class="first leaf"><a href="/catalog.htm" title="Explore our catalog">Catalog</a></li> <li class="leaf"><a href="https://nostarch.com/merchandise-0" title="Merchandise">Merchandise</a></li> <li class="leaf"><a href="/blog" title="The No Starch Press blog">Blog</a></li> <li class="leaf"><a href="https://nostarch.com/early-access-program" title="Media contact">Early Access</a></li> <li class="leaf"><a href="/writeforus" title="Submit a book proposal">Write for Us</a></li> <li class="leaf"><a href="/about" title="About No Starch Press">About Us</a></li> <li class="last leaf"><a href="/contactus" title="Contact Us">Contact Us</a></li> </ul></ul> </nav> </div> </div> </div> </header> <div class="main-container container"> <header role="banner" id="page-header"> </header>  <div class="row"> <aside class="col-sm-3" role="complementary"> <div class="region region-sidebar-first well"> <section id="block-views-topics-block" class="block block-views clearfix"> <button class="btn btn-primary btn-block visible-xs vert-offset-top-2" data-toggle="collapse" data-target="#topics"><span class="glyphicon glyphicon-menu-down pull-left"></span> <span class="btn-text">Topics</span><span class="glyphicon glyphicon-menu-down pull-right"></span></button> <h2 class="block-title hidden-xs">Topics</h2> <div id="topics" class="view-content collapse dont-collapse animateCollapse"> <div class="view view-topics view-id-topics view-display-id-block view-dom-id-5f46beb464bcec0fa581cc97533402e3"> <div class="view-content"> <div class="item-list"> <ul> <li class="views-row views-row-1 views-row-odd views-row-first"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/art-photography-design">Art & Design</a></span> </div></li> <li class="views-row views-row-2 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/general-computing">General Computing</a></span> </div></li> <li class="views-row views-row-3 views-row-odd"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/security">Hacking & Computer Security</a></span> </div></li> <li class="views-row views-row-4 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/hardware-and-diy">Hardware / DIY</a></span> </div></li> <li class="views-row views-row-5 views-row-odd"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/kids">Kids</a></span> </div></li> <li class="views-row views-row-6 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/lego">LEGO庐</a></span> </div></li> <li class="views-row views-row-7 views-row-odd"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/linux-bsd-unix">Linux & BSD</a></span> </div></li> <li class="views-row views-row-8 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/manga">Manga</a></span> </div></li> <li class="views-row views-row-9 views-row-odd"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/programming">Programming</a></span> </div></li> <li class="views-row views-row-10 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/python">Python</a></span> </div></li> <li class="views-row views-row-11 views-row-odd"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/rforall">R for All</a></span> </div></li> <li class="views-row views-row-12 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/science-math">Science & Math</a></span> </div></li> <li class="views-row views-row-13 views-row-odd"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/scratch">Scratch</a></span> </div></li> <li class="views-row views-row-14 views-row-even"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/system-administration">System Administration</a></span> </div></li> <li class="views-row views-row-15 views-row-odd views-row-last"> <div class="views-field views-field-name"> <span class="field-content"><a href="/catalog/early-access">Early Access</a></span> </div></li> </ul></div> </div> <div class="view-footer"> <style> <![CDATA[/* ><!]]>*/ </style> </div> </div> </div> </section><section id="block-block-12" class="block block-block clearfix"> <div class="rounded_border_block"><span style="font-family:Arial,Helvetica,sans-serif"><strong><span style="font-size:12px"><span style="color:#c0392b"><a href="https://nostarch.com/about_ebooks.htm">FREE ebook edition with every print book purchased from nostarch.com!</a></span></span></strong></span></div> <p class="rtecenter"><span style="font-size:22px">+</span></p> <div class="rounded_border_block"><span style="font-family:Arial,Helvetica,sans-serif"><strong><span style="font-size:12px"><a href="https://nostarch.com/early-access-program"><span style="color:#c0392b">EARLY ACCESS lets you read full chapters months before a title's release date!</span></a></span></strong></span></div> </section> <section id="block-nostarch-custom-login-block" class="block block-nostarch-customclearfix"> <h2 class="block-title">User login</h2> <ul> <li><a href="/user">Log in</a></a></li> <li><a href="/user/register">Create account</a></a></li> </ul> </section> <section id="block-block-78" class="block block-block clearfix"> <script data-account="eeqOpWOUyZ" src="https://cdn.userway.org/widget.js"></script> </section> </div> </aside>  <section class="col-sm-6" style=""> <a id="main-content"></a> <div class="region region-content"> <section id="block-system-main" class="block block-system clearfix"> <div class="ds-1col node node-product view-mode-full clearfix"> <div class=""> <div class="field field-name-field-image-cache field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><div class="product-image"><div class="main-product-image"><a href="https://nostarch.com/sites/default/files/styles/uc_product_full/public/ArtofMacMalware_v1_frontcover.png?itok=DjVi1Zzx" title="The Art of Mac Malware, Volume 1 Cover" class="colorbox" rel="uc_image_0"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/uc_product/public/ArtofMacMalware_v1_frontcover.png?itok=_lGfRg82" alt="The Art of Mac Malware, Volume 1 Cover" title="The Art of Mac Malware, Volume 1 Cover" /></a></div></div></div></div></div><div class="field field-name-entity-title field-type-ds field-label-hidden"><div class="field-items"><div class="field-item even"><h1 class="page-header">The Art of Mac Malware, Volume 1</h1></div></div></div><div class="field field-name-field-subtitle field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">The Guide to Analyzing Malicious Software</div></div></div><div class="field field-name-field-author field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">by Patrick Wardle</div></div></div><div class="field field-name-released-date field-type-ds field-label-hidden"><div class="field-items"><div class="field-item even">June 2022, 328 pp.</div></div></div><div class="field field-name-field-isbn13 field-type-text field-label-inline clearfix clearfix"><div class="field-label">ISBN-13: </div><div class="field-items"><div class="field-item even">9781718501942</div></div></div><div class="field field-name-field-special field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Lay-flat binding</div></div></div><div class="add-to-cart"><form action="/art-mac-malware-volume-1" method="post" id="uc-product-add-to-cart-form-638" accept-charset="UTF-8"><div><div id="uc_product_add_to_cart_form-638-attributes" class="attributes"><div class="attribute attribute-1 odd"><div class="form-item form-item-attributes-1 form-type-radios form-group"><div id="edit-attributes-1" class="form-radios"><div class="form-item form-item-attributes-1 form-type-radio radio"> <label class="control-label" for="edit-attributes-1-3"><input type="radio" id="edit-attributes-1-3" name="attributes[1]" value="3" checked="checked" class="form-radio" />Print Book and FREE Ebook, $49.99</label> </div><div class="form-item form-item-attributes-1 form-type-radio radio"> <label class="control-label" for="edit-attributes-1-2"><input type="radio" id="edit-attributes-1-2" name="attributes[1]" value="2" class="form-radio" />Ebook (PDF, Mobi, and ePub), $39.99</label> </div></div></div></div></div><input type="hidden" name="qty" value="1" /> <input type="hidden" name="form_build_id" value="form-SfFereNJqlsU710td-7WnKTYSHQdGv9nHQfa-jSvHoo" /> <input type="hidden" name="form_id" value="uc_product_add_to_cart_form_638" /> <div class="form-actions form-wrapper form-group" id="edit-actions"><button class="node-add-to-cart btn btn-success form-submit icon-before" type="submit" id="edit-submit-638" name="op" value="Add to cart"><span class="icon glyphicon glyphicon-plus" aria-hidden="true"></span> Add to cart</button> </div></div></form></div><div class="field field-name-product-menu field-type-ds field-label-hidden"><div class="field-items"><div class="field-item even"><div class="menu-wrapper"><ul class="menu nav"><li><a href="#content">Contents</a></li><li><a href="#reviews">Reviews</a></li><li><a href="#updates">Updates</a></li></ul></div></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a class="btn btn-success downloadbutton" href="/download/samples/501942c02_samplechapter.pdf" style="font-weight: 400;" target="_blank">Download Chapter 2: PERSISTENCE</a><br /> <strong>Look Inside!</strong></p> <div class="lookinside"><a class="colorbox" href="/images/ArtofMacMalware_back.png"><img alt="The Art of Mac Malware back cover" src="/images/ArtofMacMalware_back.png" style="border:1px solid; height:102px; margin:5px" title="The Art of Mac Malware back cover" /></a><a class="colorbox" href="/images/ArtMacMalware_spreads.png"><img alt="The Art of Mac Malware interior spread" src="/images/ArtMacMalware_spreads.png" style="border:1px solid; height:102px; margin:5px" title="The Art of Mac Malware interior spread" /></a><a class="colorbox" href="/images/ArtMacMalware_spreads2.png"><img alt="The Art of Mac Malware interior spread" src="/images/ArtMacMalware_spreads2.png" style="border:1px solid; height:102px; margin:5px" title="The Art of Mac Malware interior spread" /></a><a class="colorbox" href="/images/ArtMacMalware_spreads3.png"><img alt="The Art of Mac Malware interior spread" src="/images/ArtMacMalware_spreads3.png" style="border:1px solid; height:102px; margin:5px" title="The Art of Mac Malware interior spread" /></a><a class="colorbox" href="/images/ArtMacMalware_spreads4.png"><img alt="The Art of Mac Malware interior spread" src="/images/ArtMacMalware_spreads4.png" style="border:1px solid; height:102px; margin:5px" title="The Art of Mac Malware interior spread" /></a><a class="colorbox" href="/images/ArtMacMalware_spreads5.png"><img alt="The Art of Mac Malware interior spread" src="/images/ArtMacMalware_spreads5.png" style="border:1px solid; height:102px; margin:5px" title="The Art of Mac Malware interior spread" /></a></div> <p>Defenders must fully understand how malicious software works if they hope to stay ahead of the increasingly sophisticated threats facing Apple products today. <em>The Art of Mac Malware, Volume 1: The Guide to Analyzing Malicious Software</em> is a comprehensive handbook to cracking open these malicious programs and seeing what鈥檚 inside. Discover the secrets of nation state backdoors, destructive ransomware, and subversive cryptocurrency miners as you uncover their infection methods, persistence strategies, and insidious capabilities. Then work with and extend foundational reverse-engineering tools to extract and decrypt embedded strings, unpack protected Mach-O malware, and even reconstruct binary code. Next, using a debugger, you鈥檒l execute the malware, instruction by instruction, to discover exactly how it operates. In the book鈥檚 final section, you鈥檒l put these lessons into practice by analyzing a complex Mac malware specimen on your own. You鈥檒l learn to:</p> <ul> <li>Recognize common infections vectors, persistence mechanisms, and payloads leveraged by Mac malware</li> <li>Triage unknown samples in order to quickly classify them as benign or malicious</li> <li>Work with static analysis tools, including disassemblers, in order to study malicious scripts and compiled binaries</li> <li>Leverage dynamical analysis tools, such as monitoring tools and debuggers, to gain further insight into sophisticated threats</li> <li>Quickly identify and bypass anti-analysis techniques aimed at thwarting your analysis attempts</li> </ul> <p>A former NSA hacker and current leader in the field of macOS threat analysis, <strong>Patrick Wardle</strong> uses real-world examples pulled from his original research. <em>The Art of Mac Malware, Volume 1: The Guide to Analyzing Malicious Software</em> is the definitive resource to battling these ever more prevalent and insidious Apple-focused threats.</p> <p><strong><span style="color:#e74c3c">Find Volume 2,聽<em>Detecting Malicious Software</em>,</span> <a href="https://nostarch.com/art-mac-malware-v2">here</a>.</strong></p> </div></div></div><div class="field field-name-field-author-bio field-type-text-long field-label-abovec"><div class="field-label">Author Bio </div><div class="field-items"><div class="field-item even"><p><b>Patrick Wardle</b> is the creator of the Mac security website and tool suite Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.</p> </div></div></div><div class="field field-name-field-toc field-type-text-long field-label-abovec" id="content"><div class="field-label">Table of contents </div><div class="field-items"><div class="field-item even"><p><b>Introduction</b></p> <p><b>Part I: Malware Basics</b><br /> Chapter 1: Infection Vectors<br /> Chapter 2: Persistence<br /> Chapter 3: Capabilities</p> <p><b>Part II: Malware Analysis</b><br /> Chapter 4: Non-binary Analysis<br /> Chapter 5: Binary Triage<br /> Chapter 6: Disassembly and Decompilation<br /> Chapter 7: Dynamic Analysis Tools<br /> Chapter 9: Anti-Analysis</p> <p><b>Part III: Analyzing EvilQuest</b><br /> Chapter 10: Infection, Triage, and Anti-Analysis<br /> Chapter 11: Persistence and Capabilities</p> </div></div></div><div class="field field-name-field-reviews field-type-text-long field-label-abovec" id="reviews"><div class="field-label">Reviews </div><div class="field-items"><div class="field-item even"><p>"[<em>The Art of Mac Malware</em>] serves as a valuable resource for anyone looking to level up their skills to stay on top of the latest macOS threats. Patrick's approachable, educating writing style and extensive knowledge in this field made him the ideal author to write this book."<br /> <strong>鈥擬aria Markstedter, @Fox0x01, <em>Forbes</em> Person Of The Year In Cybersecurity</strong></p> <p>"Mac doesn鈥檛 face the same level of malware threat that Windows users experience. However, it is possible to create malware for macOS and the excellent book,聽<em>The Art of Mac Malware</em>, goes into a lot of detail."<br /> <strong>鈥擲ecurity Boulevard</strong></p> <p>"Awesome job keeping readers hooked."<br /> <strong>鈥擳ony Lambert, @ForensicITGuy</strong></p> <p>"An awesome researcher writing for my favorite publisher . . . If you鈥檙e interested in Mac malware, I highly recommend!"<br /> <strong>鈥擣rancisco Donoso, @Francisckrs</strong></p> <p>Read Karsten Kisser's German-language review in <a href="https://www.heise.de/select/ix/2023/2/2234109311358274250" target="_blank">Heise Magazine</a>.</p> </div></div></div><div class="field field-name-field-updates field-type-text-long field-label-abovec" id="updates"><div class="field-label">Updates </div><div class="field-items"><div class="field-item even"><p>View the <a href="/download/ArtOfMacMalware_errata_p2.pdf" target="_blank" style="text-decoration:underline;"><u><b>latest errata</b></u></a>.</p> </div></div></div> </div> </div> </section> <section id="block-shariff-shariff-block" class="block block-shariff clearfix"> <div class="shariff" data-services="["facebook","print","twitter"]" data-theme="colored" data-orientation="horizontal" data-twitter-via="nostarch" data-lang="en"></div> </section> </div> </section> <aside class="col-sm-3" role="complementary"> <div class="region region-sidebar-second"> <section id="block-system-navigation" class="block block-system block-menu clearfix"> <h2 class="block-title">Navigation</h2> <ul class="menu nav"><li class="first last leaf"><a href="/user" title="">My account</a></li> </ul> </section> <section id="block-block-52" class="block block-block clearfix"> <p><a href="/mailchimp/subscribe">Want sweet deals? <br />Sign up for our newsletter.</a></p> </section> <section id="block-views-related-products-block" class="block block-views clearfix"> <h2 class="block-title">You might also like...</h2> <div class="view view-related-products view-id-related_products view-display-id-block auto-clear view-dom-id-b95027ea3aefd84b33413b0cbe973f11"> <div class="view-content"> <div class="views-row views-row-1 views-row-odd views-row-first col-xs-6 col-sm-6 col-md-12"> <div class="views-field views-field-field-image-cache"> <div class="field-content"><a href="/practical-linux-forensics"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/product/public/PracticalLinuxForensincs_cover.png?itok=ORmcftQP" width="90" height="119" alt="Practical Linux Forensics Cover" title="Practical Linux Forensics Cover" /></a></div> </div> </div> <div class="views-row views-row-2 views-row-even col-xs-6 col-sm-6 col-md-12"> <div class="views-field views-field-field-image-cache"> <div class="field-content"><a href="/art-mac-malware-v2"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/product/public/ArtMacMalwarev2_frontcover.png?itok=lu7lBKkY" width="90" height="119" alt="The Art of Mac Malware, Volume 2 cover" title="The Art of Mac Malware, Volume 2 cover" /></a></div> </div> </div> <div class="views-row views-row-3 views-row-odd col-xs-6 col-sm-6 col-md-12"> <div class="views-field views-field-field-image-cache"> <div class="field-content"><a href="/pentesting"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/product/public/pentest_cover-web.png?itok=PyM5MTMK" width="90" height="119" alt="Penetration Testing: A Hands-on Introduction to Hacking" title="Penetration Testing: A Hands-on Introduction to Hacking" /></a></div> </div> </div> <div class="views-row views-row-4 views-row-even col-xs-6 col-sm-6 col-md-12"> <div class="views-field views-field-field-image-cache"> <div class="field-content"><a href="/black-hat-bash"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/product/public/9781718503748.png?itok=xn5l2N9u" width="90" height="121" alt="Black Hat Bash cover" title="Black Hat Bash cover" /></a></div> </div> </div> <div class="views-row views-row-5 views-row-odd col-xs-6 col-sm-6 col-md-12"> <div class="views-field views-field-field-image-cache"> <div class="field-content"><a href="/purple-teaming"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/product/public/PracticalPurpleTeaming_placeholder.png?itok=UtYmUuCu" width="90" height="119" alt="Practical Purple Teaming placeholder cover" title="Practical Purple Teaming placeholder cover" /></a></div> </div> </div> <div class="views-row views-row-6 views-row-even views-row-last col-xs-6 col-sm-6 col-md-12"> <div class="views-field views-field-field-image-cache"> <div class="field-content"><a href="/gamehacking"><img class="img-responsive" src="https://nostarch.com/sites/default/files/styles/product/public/gameHacking_cover-front.png?itok=JyRUESR6" width="90" height="119" alt="Game Hacking" title="Game Hacking" /></a></div> </div> </div> </div> </div> </section> </div> </aside>  </div> </div> <footer class="footer container"> <div class="region region-footer"> <section id="block-block-16" class="block block-block clearfix"> <div id="footer-links"> <br> <a class="footer-links" href="/about.htm">About Us</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/Jobs.htm">Jobs!</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/distribution.htm">Sales and Distribution</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/rights">Rights</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/media.htm">Media</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/academic.htm">Academic Requests</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/conferences.htm">Conferences</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/orderfaq.htm">FAQ</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/contactus">Contact Us</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/writeforus">Write for Us</a>  <span class="footer-divider">|</span>  <a class="footer-links" href="/privacypolicy.htm">Privacy</a> </div> </section> <section id="block-nostarch-custom-custom-footer-copyright" class="block block-nostarch-custom clearfix"> <div class="block-block"> <p>Copyright 2025. No Starch Press, Inc</p> </div> </section> </div> </footer> <script src="https://nostarch.com/sites/all/modules/contrib/addthis/addthis.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/libraries/shariff/shariff.min.js?stn5l0"></script> <script src="https://nostarch.com/sites/all/themes/contrib/bootstrap/js/bootstrap.js?stn5l0"></script>  <script> !function(w,d){if(!w.rdt){var p=w.rdt=function(){p.sendEvent?p.sendEvent.apply(p,arguments):p.callQueue.push(arguments)};p.callQueue=[];var t=d.createElement("script");t.src="https://www.redditstatic.com/ads/pixel.js",t.async=!0;var s=d.getElementsByTagName("script")[0];s.parentNode.insertBefore(t,s)}}(window,document);rdt('init','t2_6acpsf9y');rdt('track', 'PageVisit'); </script>   <script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'92a19ba14c939cb0',t:'MTc0MzYxMDM0OC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script></body> </html>