The Art of Mac Malware Vol 2

I recently finished reading “The Art of Mac Malware Vol. 2” by Patrick Wardle. If you aren’t familiar with Patrick Wardle’s work, check out his blog, his tools, and the Objective by the Sea conference. In 2022, Michael Epping and I were accepted to co-present there. Unfortunately, we only had the budget to send one person, so Michael represented our session, which you can view here.

One thing I struggle with is finding good, in-depth content for the Apple platform. Perhaps this is just an incorrect perception, but there seem to be many resources available for Windows and Android, while those for Apple are often older and possibly outdated, if they exist at all. I’m generally pretty excited when I find something like this. I had read the first volume of Patrick’s book, which focused on analyzing malware and the tools and techniques for doing so. This volume focuses on writing your OWN tools to detect malware.

If you aren’t at least familiar with Objective-C, you might have a tough go with this book, as it leans heavily on code samples to show how to use the various system interfaces to accomplish each task. The first part of the book focuses on pulling specific information out of the system: running processes, the binaries behind them, and network statistics. Often there is no public API that exposes the information you want, so the book reverse-engineers a private Apple API and calls it directly. At first, I thought this was odd and was surprised that people would take a dependency like that. Private APIs are unsupported and can change or disappear in any macOS release, so a tool that relies on one has to be re-validated against each new version.

Part two moves to Apple’s Endpoint Security framework, a public and supported API that is much easier to work with and that delivers, as events, much of the information part one had to dig out by hand. The framework lets you detect and alert on many of the things you were looking for in part one. Part three focuses on putting it all together if you were going to write your own security tool. I have no plans to do that, and I’d be surprised if there are that many people who are, but the look ‘under the hood’ at how many of these tools work I found extremely useful, and it increased my knowledge of the macOS platform. If you know enough Objective-C to be dangerous and want to follow along, you’ll get even more out of it.
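To make the “detect and alert” idea concrete, here is a minimal Endpoint Security client that subscribes to process-exec notifications and logs the new process’s pid, parent pid, executable path, and argv. This is an added example written for this post, not code from the book or from Patrick Wardle’s tools. It assumes you are on macOS 10.15 or later, that the binary is run as root, code-signed with the com.apple.developer.endpoint-security.client entitlement, and granted Full Disk Access; without those, es_new_client fails with the error codes noted in the comments.

```objective-c
// esmon.m: minimal Endpoint Security client that logs every process exec.
// Added example for this post, not from the book.
// Build (macOS 10.15+):
//   clang -fobjc-arc -framework Foundation -framework EndpointSecurity -lbsm -o esmon esmon.m
// Run as root, signed with the com.apple.developer.endpoint-security.client
// entitlement, and with Full Disk Access granted to the binary.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>

// es_string_token_t is a (pointer, length) pair, not a NUL-terminated string,
// so copy it out explicitly rather than passing .data to %s.
static NSString *tokenToString(es_string_token_t tok) {
    NSString *s = [[NSString alloc] initWithBytes:tok.data
                                           length:tok.length
                                         encoding:NSUTF8StringEncoding];
    return s ?: @"";
}

static void handleExec(const es_message_t *msg) {
    const es_process_t *target = msg->event.exec.target;
    pid_t pid  = audit_token_to_pid(target->audit_token);  // from libbsm
    pid_t ppid = target->ppid;
    NSString *path = tokenToString(target->executable->path);

    // Rebuild argv from the message using the public es_exec_arg helpers.
    NSMutableArray<NSString *> *args = [NSMutableArray array];
    uint32_t argc = es_exec_arg_count(&msg->event.exec);
    for (uint32_t i = 0; i < argc; i++) {
        [args addObject:tokenToString(es_exec_arg(&msg->event.exec, i))];
    }

    NSLog(@"exec pid=%d ppid=%d %@ path=%@ argv=%@",
          pid, ppid,
          target->is_platform_binary ? @"platform" : @"third-party",
          path, [args componentsJoinedByString:@" "]);
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t res = es_new_client(&client,
            ^(es_client_t *c, const es_message_t *msg) {
                // The message is only valid for the duration of this block.
                // Copy what you need (or es_retain_message) before any deferred work.
                if (msg->event_type == ES_EVENT_TYPE_NOTIFY_EXEC) {
                    handleExec(msg);
                }
            });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            // Common failures: ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED (not root),
            // ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED (missing entitlement),
            // ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED (no Full Disk Access).
            fprintf(stderr, "es_new_client failed: %d\n", res);
            return 1;
        }

        // Drop any cached decisions left by a previous client, then subscribe.
        es_clear_cache(client);
        es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC };
        if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
            fprintf(stderr, "es_subscribe failed\n");
            es_delete_client(client);
            return 1;
        }

        NSLog(@"subscribed to NOTIFY_EXEC; Ctrl-C to stop");
        dispatch_main();  // never returns; events arrive on the handler block
    }
    return 0;
}
```

NOTIFY events are fire-and-forget. If you want to block an exec rather than just log it, subscribe to ES_EVENT_TYPE_AUTH_EXEC instead and answer each message with es_respond_auth_result before its deadline, or the system will treat your client as unresponsive and shut it down.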