From £6,725 + VAT
Overview
This five-day expert-led course provides an in-depth exploration of Apple operating systems, aligned with Jonathan Levin’s OS Internals trilogy. It focuses on Darwin 25, macOS “26” (Tahoe), and iOS “26”, combining theoretical insight with extensive hands-on exercises. Participants will gain a deep understanding of system internals, reverse engineering techniques, and security mechanisms across Apple platforms. The course incorporates proprietary tools, undocumented behaviours, and real-world analysis techniques used by professionals in reverse engineering and security research.
Learners will benefit from direct exposure to low-level system components, gaining the ability to analyse binaries, interact with kernel interfaces, and investigate malware behaviour across macOS and iOS environments.
Prerequisites
Participants should meet the following requirements:
- User-level knowledge of macOS
- Experience with user-mode programming
- Familiarity with x86_64 and/or ARM64 architectures strongly recommended
- Access to a Mac device and optionally a jailbroken iOS device
Target audience
This course is designed for professionals seeking advanced technical expertise in Apple operating systems:
- Reverse engineers
- Security researchers
- Malware analysts
- Forensics experts specialising in macOS and iOS
It is also suitable for individuals aiming to develop deep system-level knowledge and modern reverse engineering capabilities.
Learning Objectives
By the end of this course, participants will be able to:
- Understand binary linking and loading mechanisms in Apple systems
- Reverse engineer and analyse Mach-O binaries
- Deconstruct Objective-C and Swift binaries
- Utilise documented and undocumented APIs for tracing and debugging
- Interface with and hook kernel system calls
- Identify and analyse macOS and iOS malware techniques
- Evaluate kernel, kext, and daemon attack surfaces
Course Outline
Module 1 Architectural overview
- Overview of macOS and iOS architecture
- Analysis of Apple system design and documentation gaps
- Exploration of iOS derivatives including tvOS and watchOS
- Tour of private frameworks and system components
- Introduction to the Darwin environment
- XNU kernel structure and functionality
- Hardware architecture including Intel and Apple Silicon platforms
- Use of sysctl and MobileGestalt for system interrogation
- Review of prerequisite knowledge
Module 2 What is in an IPSW
- Structure and contents of IPSW and macOS OTA packages
- Disk images and Apple encrypted archive formats
- Understanding im4p and DER encoding
- iBoot internals and bootloader behaviour
- Coprocessor firmware and RTKit architecture
- Introduction to SPTM and TXM in modern Darwin systems
- End-to-end boot sequence walkthrough
Exercise: hands-on IPSW unpacking and exploration
Module 3 Binaries
- Mach-O binary structure and format
- Fat binaries and multi-architecture support
- File types including executables, bundles, dylibs, and kexts
- Load commands and segment structures
- Code signing and encryption mechanisms
- Dynamic library dependency resolution
- Static analysis using system tools
Exercises:
- Binary analysis using disarm tools
- Examination of user mode malware samples
- Techniques for bypassing iOS code encryption
Module 4 Advanced Mach-O and DYLD
- Internals of the dynamic loader
- Binding, linking, and opcode processing
- Chained fixups and rebase mechanisms
- Runtime structures and callback handling
- Techniques for extending and modifying loader behaviour
Module 5 Processes and threads internals
- Darwin process and thread architecture
- Stack layout and memory organisation
- Memory allocation systems including libmalloc and zone allocators
- Modern allocator enhancements in recent Darwin versions
- Grand Central Dispatch and concurrency model
- Blocks and dispatch queue behaviour
Exercise: memory inspection using custom tools
Module 6 Debugging and tracing techniques
- System auditing and monitoring frameworks
- Endpoint Security Framework and file system events
- Memory and performance analysis tools
- System call tracing and latency analysis
- Logging systems and diagnostic tools
- DTrace usage in macOS
- Debugging with LLDB and debugserver
- Library interposing techniques
- Process corpse analysis
Exercises:
- Creating custom debugging filters
- Monitoring system activity using debugging tools
- Analysing process behaviour in real time
Module 7 Launchd and XPC
- macOS and iOS startup mechanisms
- LaunchAgents and LaunchDaemons configuration
- Persistence techniques used by malware
- Reverse engineering launchd
- Introduction to Mach ports and bootstrap services
- XPC communication and messaging
- Undocumented APIs and data formats
Exercises:
- Enumerating system services and endpoints
- Creating and managing launch services
Module 8 Mach primitives and IPC
- Core Mach concepts including tasks, threads, and ports
- Virtual memory management in Mach
- Mach Interface Generator and interface definitions
- Inter-process communication mechanisms
- Source-level exploration of kernel behaviour
Exercises:
- Enumerating system tasks and threads
- Decompiling Mach interfaces
- Implementing remote thread injection techniques
Module 9 Security
- macOS and iOS security architecture overview
- Mandatory access control frameworks
- Kernel authorisation and policy enforcement
- Advanced code signing mechanisms
- Sandboxing and containerisation models
- Gatekeeper and quarantine enforcement
- Entitlements and application permissions
- AppleMobileFileIntegrity and trust validation
- Analysis of amfid and related components
- System Integrity Protection mechanisms
- Jailbreaking techniques and detection methods
- Malware analysis across Apple platforms
- Case study of advanced mobile surveillance techniques
Hands-on learning
The course includes a combination of instructor-led sessions, guided demonstrations, and practical exercises. Each module reinforces theoretical concepts through hands-on labs. Participants are encouraged to bring malware samples or request specific binaries or subsystems for analysis.
Exams and assessments
There is no formal exam included as part of this course.
Suggested reading
macOS and iOS Internals by Jonathan Levin
OS Internals Volume I User Mode by Jonathan Levin
