macOS

macOS Malware Analysis Tools
Static Analysis

file – Display the type of a file (Mach-O, FAT, other types).

strings – Extracts strings from a file.

diff – Shows the differences between two files.

nm – Extracts symbol table (function imports, exports).

codesign – Extracts code-signing certificate status and more.

spctl – Checks whether a file's code-signing certificate is revoked, and more.

curl – Download and send files via HTTP.

xattr – Shows whether, and which, extended attributes a file carries (such as the quarantine flag used for Gatekeeper checks).

otool – Examine binary files, extract assembly instructions, view the segments, sections, and more.

JTool – A better variation of otool.

What’s your Sign – Checks code-signing certificate status, displays hashes, and more.

Dynamic Analysis

ProcessMonitor – Monitors process activity.

FileMonitor – Monitors file system events.

AppMon – Automated framework for monitoring and tampering system API calls based on Frida.

Wireshark – Network analysis tool.

tcpdump – Network analysis tool.

MiTMProxy – An interactive SSL/TLS-capable intercepting HTTP proxy (great for HTTPS inspection).

NetworkMiner – Sniffer and PCAP parser.

Fiddler – The free web debugging proxy for any browser, system, or platform.

FSMonitor – Monitors file system events (read, write, etc.).

Netiquette – Monitors for network connections.

LuLu – Monitors for suspicious network activity and displays it.

TaskExplorer – Visually explore all running processes.

ReiKey – Dynamically intercepts and detects keylogging activity.

BlockBlock – Dynamically intercepts persistent actions on the system.

Reverse Engineering

LLDB – GDB-like macOS debugger.

IDA Free/Pro – Disassembler and debugger.

Hopper (Demo/Pro) – Disassembler and debugger.

radare2 – Free and open source disassembler and debugger.

Cutter – GUI for radare2.

Binary Ninja – A New Type of Reversing Platform.

Unpacking & Deobfuscation

FLOSS – Automatically extract obfuscated strings from malware.

NoMoreXor – Tool to help guess a file's 256-byte XOR key using frequency analysis.

Packing

iPakk – MacOSX Mach-O (PPC) packer.

muncho – MacOSX Mach-O (Intel) packer.

oneKpaq – MacOSX Mach-O (Intel) packer.

Forensics

dcfldd – Hard drive forensics acquisition tool.

Autopsy – Hard drive forensics analysis tool.

mac_apt – Hard drive forensics analysis tool.

OSXPMem – Memory forensics acquisition tool.

Volatility – Memory forensics analysis framework.

Rekall – Memory forensics framework.

FOG Project – A free open-source network computer cloning and management solution.

Other

KnockKnock – Scans for persistent items and uploads them to VirusTotal.

KextViewr – Displays all loaded kernel extensions (kexts), along with their signing status, full path, VirusTotal detection ratios, and more.

Dylib Hijack Scanner – Scans the system for applications potentially vulnerable to dylib hijacking.

Cuckoo Sandbox – Free and open-source automated malware analysis sandbox.