The Mac Hacker’s Handbook is out!

The Mac Hacker’s Handbook by Charlie Miller and myself has just been published and is now shipping from Amazon.  I have even spotted it in several bookstores where you can usually find it in the Mac section.  The book is all about Mac OS X-specific vulnerability discovery, reverse-engineering, exploitation, and post-exploitation.

For me, this book is a culmination of over 8 years of personal Mac OS X security research.  I had bought and restored a NeXTSTATION Turbo Color in college and fell in love with the NeXTSTEP and OpenStep operating systems.  When I got a check for my first pen-test, I bought a brand-new iBook 500 MHz to run OS X 10.0 on, and I have used OS X as my primary operating system ever since.

Of course, I started hacking on it immediately.  I wrote a monitor-mode wireless packet capture driver for AirPort (Viha) back when the only documentation on IOKit was the Darwin source code and a series of emails on the Darwin mailing lists from an Apple kernel developer.  And that was just the first part of my WEP cracking project for my Crypto class.  I was so stubborn about using my iBook for it that I wrote my own driver, stumbler, and WEP weak-RC4-key cracker for it.

There was also very little documentation on shellcode for PowerPC around then.  Palante and LSD had both released PowerPC shellcode for Linux and AIX respectively.  But there was nothing for OS X.  I wrote this in a hotel room in Washington, D.C. a few days after DEFCON 9.  As far as I know I was the first one to publish PowerPC shellcode that filled in the unused bits in the ‘sc’ instruction instead of dynamically overwriting them because self-modifying code is pretty tricky on PowerPC.  That shellcode is what appears encoded in the hex bytes on the cover of the book.

Alright, enough self-indulgent trips down memory lane.  I just presented “Mac OS Xploitation” at SOURCE Boston last week and I’ll be doing a bigger presentation called “Hacking Macs for Fun and Profit” next week at CanSecWest with Charlie Miller.  Stay tuned here for some more Mac tool releases.


  1. Wow, I really wish that I could have made it to either SOURCE or CanSecWest. Keep up the good work!

    I bought your and Charlie’s book over a week ago at a Barnes and Noble bookstore. This is probably one of the finest books I have ever seen, as both a general techie book and hacking book. It’s Hacking the Xbox quality in format/print/design and content. You guys did a fantastic job.

    While a little short for my tastes (I think you could have gone to 600 pages easily on this topic), the terseness does make the book nice, pretty, and portable. Here’s hoping your Bkscn will go to like 25k RTD (i.e. sell a lot)

  2. Thanks! We wrote 400 pages because we (and our publisher) wanted to get the material out sooner rather than later. If there is a second edition, it would be very easy to flesh out the material more in depth and hit 600 pages.

  3. Abdullah says:

    sweet! i’ll get my hands on it this week

  4. fernando couto says:

    Will it be published in different languages other than English?

  5. Enjoying the book, but you missed out on a very important feature that Mac OS X is missing: OS-level virtualization (FreeBSD Jails/Solaris Zones). As far as I know, this is not possible in Mac OS X. I would love to hear your perspective as well as Charlie’s from a security standpoint.

    I definitely would advocate porting over FreeBSD Jails to Mac OS X. Not sure if it’s in the works, but Apple did hire Ivan Krstić, who helped create Bitfrost, which was/is based on VServer (Linux jails); it would be interesting to see.
