ionicons-v5-d 0.14.0-d7b962d7
Last updated on 01/10/2023, 08:44:24.

MachO

Parser

class Parser : public LIEF::Parser

The main interface to parse a Mach-O binary.

This class is used to parse both Fat & non-Fat binary. Non-fat binaries are considerated as a fat with only one architecture. This is why MachO::Parser::parse outputs a FatBinary object.

Public Functions

Parser &operator=(const Parser &copy) = delete
Parser(const Parser &copy) = delete
virtual ~Parser() override

Public Static Functions

static std::unique_ptr<FatBinary> parse(const std::string &filename, const ParserConfig &conf = ParserConfig::deep())

Parse a Mach-O file from the path provided by the filename parameter.

The conf parameter can be used to tweak the configuration of the parser

Parameters:
static std::unique_ptr<FatBinary> parse(const std::vector<uint8_t> &data, const ParserConfig &conf = ParserConfig::deep())

Parse a Mach-O file from the raw content provided by the data parameter.

The conf parameter can be used to tweak the configuration of the parser

Parameters:
static std::unique_ptr<FatBinary> parse(std::unique_ptr<BinaryStream> stream, const ParserConfig &conf = ParserConfig::deep())

Parser a Mach-O binary from the provided BinaryStream.

static std::unique_ptr<FatBinary> parse_from_memory(uintptr_t address, const ParserConfig &conf = ParserConfig::deep())

Parse the Mach-O binary from the address given in the first parameter.

static std::unique_ptr<FatBinary> parse_from_memory(uintptr_t address, size_t size, const ParserConfig &conf = ParserConfig::deep())

Parse the Mach-O binary from the address given in the first parameter and the size given in the second parameter.

class BinaryParser : public LIEF::Parser

Class used to parse a single binary (i.e. non-FAT)

See also

MachO::Parser

Warning

This class should not be directly used.

Public Functions

BinaryParser &operator=(const BinaryParser &copy) = delete
BinaryParser(const BinaryParser &copy) = delete
~BinaryParser() override

Public Static Functions

static std::unique_ptr<Binary> parse(const std::string &file)
static std::unique_ptr<Binary> parse(const std::string &file, const ParserConfig &conf)
static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &data, const ParserConfig &conf = ParserConfig::deep())
static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &data, uint64_t fat_offset, const ParserConfig &conf = ParserConfig::deep())
static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream, uint64_t fat_offset, const ParserConfig &conf)

Friends

friend class MachO::Parser
struct ParserConfig

This structure is used to tweak the MachO Parser (MachO::Parser)

Public Functions

ParserConfig &full_dyldinfo(bool flag)

If flag is set to true, Exports, Bindings and Rebases opcodes are parsed.

Warning

Enabling this flag can slow down the parsing

Public Members

bool parse_dyld_exports = true

Parse the Dyld export trie.

bool parse_dyld_bindings = true

Parse the Dyld binding opcodes.

bool parse_dyld_rebases = true

Parse the Dyld rebase opcodes.

bool fix_from_memory = false

When parsing Mach-O from memory, this option can be used to undo relocations and symbols bindings.

When activated, this option requires parse_dyld_bindings and parse_dyld_rebases to be enabled.

Public Static Functions

static ParserConfig deep()

Return a parser configuration such as all the objects supported by LIEF are parsed.

static ParserConfig quick()

Return a configuration to parse the most important MachO structures.

FatBinary

class FatBinary

Class which represent a Mach-O (fat) binary This object is also used for representing Mach-O binaries that are NOT FAT

Public Types

using binaries_t = std::vector<std::unique_ptr<Binary>>

Internal containter used to store Binary objects within a Fat Mach-O.

using it_binaries = ref_iterator<binaries_t&, Binary*>

Iterator that outputs Binary&.

using it_const_binaries = const_ref_iterator<const binaries_t&, Binary*>

Iterator that outputs const Binary&.

Public Functions

FatBinary(const FatBinary&) = delete
FatBinary &operator=(const FatBinary&) = delete
virtual ~FatBinary()
size_t size() const

Number of MachO::Binary wrapped by this object.

bool empty() const

Checks whether this object contains MachO::Binary.

it_binaries begin()
it_const_binaries begin() const
it_binaries end()
it_const_binaries end() const
void release_all_binaries()
std::unique_ptr<Binary> pop_back()

Get a pointer to the last MachO::Binary object presents in this Fat Binary. It returns a nullptr if no binary are present.

Binary *at(size_t index)

Get a pointer to the MachO::Binary specified by the index. It returns a nullptr if the binary does not exist at the given index.

const Binary *at(size_t index) const
Binary *back()
const Binary *back() const
Binary *front()
const Binary *front() const
Binary *operator[](size_t index)
const Binary *operator[](size_t index) const
std::unique_ptr<Binary> take(size_t index)

Extract a MachO::Binary object. Gives ownership to the caller, and remove it from this FatBinary object.

Warning

: this invalidates any previously hold iterator!

std::unique_ptr<Binary> take(CPU_TYPES cpu)

Take the underlying MachO::Binary that matches the given architecture If no binary with the architecture can be found, return a nullptr.

void write(const std::string &filename)

Reconstruct the Fat binary object and write it in filename

Parameters:

filename – Path to write the reconstructed binary

std::vector<uint8_t> raw()

Reconstruct the Fat binary object and return his content as bytes.

Friends

friend class LIEF::Parser
friend std::ostream &operator<<(std::ostream &os, const FatBinary &fatbinary)

Binary

class Binary : public LIEF::Binary

Class which represents a MachO binary.

Public Types

using commands_t = std::vector<std::unique_ptr<LoadCommand>>

Internal container for storing Mach-O LoadCommand.

using it_commands = ref_iterator<commands_t&, LoadCommand*>

Iterator that outputs LoadCommand&.

using it_const_commands = const_ref_iterator<const commands_t&, LoadCommand*>

Iterator that outputs const LoadCommand&.

using symbols_t = std::vector<std::unique_ptr<Symbol>>

Internal container for storing Mach-O Symbol.

using it_symbols = ref_iterator<symbols_t&, Symbol*>

Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&, const Symbol*>

Iterator that outputs const Symbol&.

using it_exported_symbols = filter_iterator<symbols_t&, Symbol*>

Iterator that outputs exported Symbol&.

using it_const_exported_symbols = const_filter_iterator<const symbols_t&, const Symbol*>

Iterator that outputs exported const Symbol&.

using it_imported_symbols = filter_iterator<symbols_t&, Symbol*>

Iterator that outputs imported Symbol&.

using it_const_imported_symbols = const_filter_iterator<const symbols_t&, const Symbol*>

Iterator that outputs imported const Symbol&.

using sections_cache_t = std::vector<Section*>

Internal container for caching Mach-O Section.

using it_sections = ref_iterator<sections_cache_t&>

Iterator that outputs Section&.

using it_const_sections = const_ref_iterator<const sections_cache_t&>

Iterator that outputs const Section&.

using segments_cache_t = std::vector<SegmentCommand*>

Internal container for storing Mach-O SegmentCommand.

using it_segments = ref_iterator<segments_cache_t&>

Iterator that outputs SegmentCommand&.

using it_const_segments = const_ref_iterator<const segments_cache_t&>

Iterator that outputs const SegmentCommand&.

using libraries_cache_t = std::vector<DylibCommand*>

Internal container for storing Mach-O DylibCommand.

using it_libraries = ref_iterator<libraries_cache_t&>

Iterator that outputs DylibCommand&.

using it_const_libraries = const_ref_iterator<const libraries_cache_t&>

Iterator that outputs const DylibCommand&.

using fileset_binaries_t = std::vector<std::unique_ptr<Binary>>

Internal container for storing Mach-O Fileset Binary.

using it_fileset_binaries = ref_iterator<fileset_binaries_t&, Binary*>

Iterator that outputs Binary&.

using it_const_fileset_binaries = const_ref_iterator<const fileset_binaries_t&, Binary*>

Iterator that outputs const Binary&.

using relocations_t = std::set<Relocation*, KeyCmp>

Internal container that store all the relocations found in a Mach-O. The relocations are actually owned by Section & SegmentCommand and these references are used for convenience.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator which outputs const Relocation&.

using it_rpaths = filter_iterator<commands_t&, RPathCommand*>

Iterator which outputs RPathCommand&.

using it_const_rpaths = const_filter_iterator<const commands_t&, const RPathCommand*>

Iterator which outputs const RPathCommand&.

Public Functions

Binary(const Binary&) = delete
Binary &operator=(const Binary&) = delete
Header &header()

Return a reference to the MachO::Header.

const Header &header() const
it_commands commands()

Return an iterator over the MachO LoadCommand present in the binary.

it_const_commands commands() const
it_fileset_binaries filesets()

Return an iterator over the MachO::Binary associated with the LOAD_COMMAND_TYPES::LC_FILESET_ENTRY commands.

it_const_fileset_binaries filesets() const
it_symbols symbols()

Return binary’s symbols .

it_const_symbols symbols() const
bool has_symbol(const std::string &name) const

Check if a symbol with the given name exists.

const Symbol *get_symbol(const std::string &name) const

Return Symbol from the given name. If the symbol does not exists, it returns a null pointer.

Symbol *get_symbol(const std::string &name)
it_exported_symbols exported_symbols()

Return binary’s exported symbols (iterator over LIEF::MachO::Symbol)

it_const_exported_symbols exported_symbols() const
it_imported_symbols imported_symbols()

Return binary’s imported symbols (iterator over LIEF::MachO::Symbol)

it_const_imported_symbols imported_symbols() const
it_libraries libraries()

Return binary imported libraries (MachO::DylibCommand)

it_const_libraries libraries() const
it_segments segments()

Return an iterator over the SegmentCommand.

it_const_segments segments() const
it_sections sections()

Return an iterator over the MachO::Section.

it_const_sections sections() const
it_relocations relocations()

Return an iterator over the MachO::Relocation.

it_const_relocations relocations() const
virtual void write(const std::string &filename) override

Reconstruct the binary object and write the result in the given filename

Parameters:

filename – Path to write the reconstructed binary

virtual void write(std::ostream &os) override

Reconstruct the binary object and write the result in the given os stream.

Parameters:

os – Output stream to write the reconstructed binary

std::vector<uint8_t> raw()

Reconstruct the binary object and return its content as bytes.

bool has(LOAD_COMMAND_TYPES type) const

Check if the current binary has the given MachO::LOAD_COMMAND_TYPES.

const LoadCommand *get(LOAD_COMMAND_TYPES type) const

Return the LoadCommand associated with the given LOAD_COMMAND_TYPES or a nullptr if the command can’t be found.

LoadCommand *get(LOAD_COMMAND_TYPES type)
LoadCommand *add(const LoadCommand &command)

Insert a new LoadCommand.

LoadCommand *add(const LoadCommand &command, size_t index)

Insert a new LoadCommand at the specified index

LoadCommand *add(const DylibCommand &library)

Insert the given DylibCommand.

LoadCommand *add(const SegmentCommand &segment)

Add a new LC_SEGMENT command from the given SegmentCommand.

LoadCommand *add_library(const std::string &name)

Insert a new shared library through a LC_LOAD_DYLIB command.

Section *add_section(const Section &section)

Add a new MachO::Section in the __TEXT segment.

Section *add_section(const SegmentCommand &segment, const Section &section)

Add a section in the given MachO::SegmentCommand.

Warning

This method may corrupt the file if the segment is not the first one nor the last one

virtual void remove_section(const std::string &name, bool clear = false) override

Remove the section with the name provided in the first parameter.

Parameters:

  • name – Name of the MachO::Section to remove

  • clear – If true clear the content of the section before removing

void remove_section(const std::string &segname, const std::string &secname, bool clear = false)

Remove the section from the segment with the name given in the first parameter and with the section’s name provided in the second parameter.

Parameters:

  • segname – Name of the MachO::Segment

  • secname – Name of the MachO::Section to remove

  • clear – If true clear the content of the section before removing

bool remove(const LoadCommand &command)

Remove the given LoadCommand.

bool remove(LOAD_COMMAND_TYPES type)

Remove all LoadCommand with the given type (MachO::LOAD_COMMAND_TYPES)

bool remove_command(size_t index)

Remove the Load Command at the provided index

bool remove_signature()

Remove the LC_SIGNATURE command.

bool extend(const LoadCommand &command, uint64_t size)

Extend the size of the given LoadCommand.

bool extend_segment(const SegmentCommand &segment, size_t size)

Extend the content of the given SegmentCommand.

bool disable_pie()

Remove the PIE flag.

virtual uint64_t imagebase() const override

Return the binary’s imagebase. 0 if not relevant.

uint64_t virtual_size() const

Size of the binary in memory when mapped by the loader (dyld)

std::string loader() const

Return the binary’s loader (e.g. /usr/lib/dyld) or an empty string if the binary does not use a loader/linker.

bool has_section(const std::string &name) const

Check if a section with the given name exists.

Section *get_section(const std::string &name)

Return the section from the given name of a nullptr if the section can’t be found.

const Section *get_section(const std::string &name) const

Return the section from the given name or a nullptr if the section can’t be found.

Section *get_section(const std::string &segname, const std::string &secname)

Return the section from the segment with the name given in the first parameter and with the section’s name provided in the second parameter. If the section cannot be found, it returns a nullptr.

const Section *get_section(const std::string &segname, const std::string &secname) const
bool has_segment(const std::string &name) const

Check if a segment with the given name exists.

const SegmentCommand *get_segment(const std::string &name) const

Return the segment from the given name.

SegmentCommand *get_segment(const std::string &name)

Return the segment from the given name.

bool remove_symbol(const std::string &name)

Remove the symbol with the given name.

bool remove(const Symbol &sym)

Remove the given symbol.

bool can_remove(const Symbol &sym) const

Check if the given symbol can be safely removed.

bool can_remove_symbol(const std::string &name) const

Check if the MachO::Symbol with the given name can be safely removed.

bool unexport(const std::string &name)

Remove the given MachO::Symbol with the given name from the export table.

bool unexport(const Symbol &sym)

Remove the given symbol from the export table.

Section *section_from_offset(uint64_t offset)

Return the MachO::Section that encompasses the provided offset. If a section can’t be found, it returns a null pointer (nullptr)

const Section *section_from_offset(uint64_t offset) const
Section *section_from_virtual_address(uint64_t virtual_address)

Return the MachO::Section that encompasses the provided virtual address. If a section can’t be found, it returns a null pointer (nullptr)

const Section *section_from_virtual_address(uint64_t virtual_address) const
result<uint64_t> virtual_address_to_offset(uint64_t virtual_address) const

Convert a virtual address to an offset in the file.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const override

Convert the given offset into a virtual address.

Parameters:

  • offset[in] The offset to convert.

  • slide[in] If not 0, it will replace the default base address (if any)

SegmentCommand *segment_from_offset(uint64_t offset)

Return the binary’s SegmentCommand that encompasses the provided offset.

If a SegmentCommand can’t be found it returns a null pointer (nullptr).

const SegmentCommand *segment_from_offset(uint64_t offset) const
size_t segment_index(const SegmentCommand &segment) const

Return the index of the given SegmentCommand.

uint64_t fat_offset() const

Return binary’s fat offset. 0 if not relevant.

SegmentCommand *segment_from_virtual_address(uint64_t virtual_address)

Return the binary’s SegmentCommand which encompasses the given virtual address or a nullptr if not found.

const SegmentCommand *segment_from_virtual_address(uint64_t virtual_address) const
range_t va_ranges() const

Return the range of virtual addresses.

range_t off_ranges() const

Return the range of offsets.

bool is_valid_addr(uint64_t address) const

Check if the given address is encompassed in the binary’s virtual addresses range.

virtual void accept(LIEF::Visitor &visitor) const override

Method so that the visitor can visit us.

virtual std::ostream &print(std::ostream &os) const override
virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the content at virtual address address with patch_value.

Parameters:

  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • addr_type[in] Specify if the address should be used as an absolute virtual address or an RVA

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the address with the given value.

Parameters:

  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • size[in] Size of the value in bytes (1, 2, … 8)

  • addr_type[in] Specify if the address should be used as an absolute virtual address or an RVA

virtual span<const uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, Binary::VA_TYPES addr_type = Binary::VA_TYPES::AUTO) const override

Return the content located at virtual address.

virtual uint64_t entrypoint() const override

The binary entrypoint.

virtual bool is_pie() const override

Check if the binary is position independent.

virtual bool has_nx() const override

Check if the binary uses NX protection.

bool has_entrypoint() const

true if the binary has an entrypoint.

Basically for libraries it will return false

bool has_uuid() const

true if the binary has a MachO::UUIDCommand command.

UUIDCommand *uuid()

Return the MachO::UUIDCommand if present, a nullptr otherwise.

const UUIDCommand *uuid() const
bool has_main_command() const

true if the binary has a MachO::MainCommand command.

MainCommand *main_command()

Return the MachO::MainCommand if present, a nullptr otherwise.

const MainCommand *main_command() const
bool has_dylinker() const

true if the binary has a MachO::DylinkerCommand.

DylinkerCommand *dylinker()

Return the MachO::DylinkerCommand if present, a nullptr otherwise.

const DylinkerCommand *dylinker() const
bool has_dyld_info() const

true if the binary has a MachO::DyldInfo command.

DyldInfo *dyld_info()

Return the MachO::Dyld command if present, a nullptr otherwise.

const DyldInfo *dyld_info() const
bool has_function_starts() const

true if the binary has a MachO::FunctionStarts command.

FunctionStarts *function_starts()

Return the MachO::FunctionStarts command if present, a nullptr otherwise.

const FunctionStarts *function_starts() const
bool has_source_version() const

true if the binary has a MachO::SourceVersion command.

SourceVersion *source_version()

Return the MachO::SourceVersion command if present, a nullptr otherwise.

const SourceVersion *source_version() const
bool has_version_min() const

true if the binary has a MachO::VersionMin command.

VersionMin *version_min()

Return the MachO::VersionMin command if present, a nullptr otherwise.

const VersionMin *version_min() const
bool has_thread_command() const

true if the binary has a MachO::ThreadCommand command.

ThreadCommand *thread_command()

Return the MachO::ThreadCommand command if present, a nullptr otherwise.

const ThreadCommand *thread_command() const
bool has_rpath() const

true if the binary has a MachO::RPathCommand command.

RPathCommand *rpath()

Return the MachO::RPathCommand command if present, a nullptr otherwise.

const RPathCommand *rpath() const
it_rpaths rpaths()

Iterator over all the MachO::RPathCommand commands.

it_const_rpaths rpaths() const
bool has_symbol_command() const

true if the binary has a MachO::SymbolCommand command.

SymbolCommand *symbol_command()

Return the MachO::SymbolCommand if present, a nullptr otherwise.

const SymbolCommand *symbol_command() const
bool has_dynamic_symbol_command() const

true if the binary has a MachO::DynamicSymbolCommand command.

DynamicSymbolCommand *dynamic_symbol_command()

Return the MachO::SymbolCommand if present, a nullptr otherwise.

const DynamicSymbolCommand *dynamic_symbol_command() const
bool has_code_signature() const

true if the binary is signed with LC_CODE_SIGNATURE command

CodeSignature *code_signature()

Return the MachO::CodeSignature if present, a nullptr otherwise.

const CodeSignature *code_signature() const
bool has_code_signature_dir() const

true if the binary is signed with the command DYLIB_CODE_SIGN_DRS

CodeSignatureDir *code_signature_dir()

Return the MachO::CodeSignatureDir if present, a nullptr otherwise.

const CodeSignatureDir *code_signature_dir() const
bool has_data_in_code() const

true if the binary has a MachO::DataInCode command.

DataInCode *data_in_code()

Return the MachO::DataInCode if present, a nullptr otherwise.

const DataInCode *data_in_code() const
bool has_segment_split_info() const

true if the binary has segment split info.

SegmentSplitInfo *segment_split_info()

Return the MachO::SegmentSplitInfo if present, a nullptr otherwise.

const SegmentSplitInfo *segment_split_info() const
bool has_sub_framework() const

true if the binary has a sub framework command.

bool has_encryption_info() const

true if the binary has Encryption Info.

EncryptionInfo *encryption_info()

Return the MachO::DyldEnvironment if present, a nullptr otherwise.

const EncryptionInfo *encryption_info() const
SubFramework *sub_framework()

Return the MachO::SubFramework if present, a nullptr otherwise.

const SubFramework *sub_framework() const
bool has_dyld_environment() const

true if the binary has Dyld envrionment variables.

DyldEnvironment *dyld_environment()

Return the MachO::DyldEnvironment if present, a nullptr otherwise.

const DyldEnvironment *dyld_environment() const
bool has_build_version() const

true if the binary has the BuildVersion command.

BuildVersion *build_version()

Return the MachO::BuildVersion if present, a nullptr otherwise.

const BuildVersion *build_version() const
bool has_dyld_chained_fixups() const

true if the binary has the command LC_DYLD_CHAINED_FIXUPS.

DyldChainedFixups *dyld_chained_fixups()

Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const DyldChainedFixups *dyld_chained_fixups() const
bool has_dyld_exports_trie() const

true if the binary has the command LC_DYLD_CHAINED_FIXUPS.

DyldExportsTrie *dyld_exports_trie()

Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const DyldExportsTrie *dyld_exports_trie() const
bool has_two_level_hints() const

true if the binary has the command LC_TWO_LEVEL_HINTS.

TwoLevelHints *two_level_hints()

Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const TwoLevelHints *two_level_hints() const
bool has_linker_opt_hint() const

true if the binary has the command LC_LINKER_OPTIMIZATION_HINT.

LinkerOptHint *linker_opt_hint()

Return the MachO::LinkerOptHint if present, a nullptr otherwise.

const LinkerOptHint *linker_opt_hint() const
ExportInfo *add_exported_function(uint64_t address, const std::string &name)

Add a symbol in the export trie of the current binary.

Symbol *add_local_symbol(uint64_t address, const std::string &name)

Add a symbol in LC_SYMTAB command of the current binary.

template<class T>
bool has_command() const
template<class T>
T *command()
template<class T>
const T *command() const
template<class T>
size_t count_commands() const
template<class CMD, class Func>
Binary &for_commands(Func f)
LoadCommand *operator[](LOAD_COMMAND_TYPES type)
const LoadCommand *operator[](LOAD_COMMAND_TYPES type) const
virtual LIEF::Binary::functions_t ctor_functions() const override

Return the list of the MachO’s constructors.

LIEF::Binary::functions_t functions() const

Return all the functions found in this MachO.

LIEF::Binary::functions_t unwind_functions() const

Return the functions found in the __unwind_info section.

bool has_filesets() const

true if the binary has a LOAD_COMMAND_TYPES::LC_FILESET_ENTRY command

inline const std::string &fileset_name() const

Name associated with the LC_FILESET_ENTRY binary.

~Binary() override
ok_error_t shift(size_t value)

Shift the content located right after the Load commands table. This operation can be used to add a new command.

ok_error_t shift_linkedit(size_t width)

Shift the position on the __LINKEDIT data by width

inline uint64_t memory_base_address() const

If this Mach-O binary has been parsed from memory, it returns the in-memory base address of this binary.

Otherwise, it returns 0

uint32_t page_size() const

Public Static Functions

static bool is_exported(const Symbol &symbol)

Check if the given symbol is exported.

static bool is_imported(const Symbol &symbol)

Check if the given symbol is an imported one.

struct KeyCmp

Public Functions

bool operator()(const Relocation *lhs, const Relocation *rhs) const
struct range_t

Public Members

uint64_t start = 0
uint64_t end = 0

Builder

class Builder

Class used to rebuild a Mach-O file.

Public Functions

Builder() = delete
~Builder()

Public Static Functions

static ok_error_t write(Binary &binary, const std::string &filename)
static ok_error_t write(Binary &binary, const std::string &filename, config_t config)
static ok_error_t write(Binary &binary, std::vector<uint8_t> &out)
static ok_error_t write(Binary &binary, std::vector<uint8_t> &out, config_t config)
static ok_error_t write(Binary &binary, std::ostream &out)
static ok_error_t write(Binary &binary, std::ostream &out, config_t config)
static ok_error_t write(FatBinary &fat, const std::string &filename)
static ok_error_t write(FatBinary &fat, const std::string &filename, config_t config)
static ok_error_t write(FatBinary &fat, std::vector<uint8_t> &out)
static ok_error_t write(FatBinary &fat, std::vector<uint8_t> &out, config_t config)
static ok_error_t write(FatBinary &fat, std::ostream &out)
static ok_error_t write(FatBinary &fat, std::ostream &out, config_t config)
struct config_t

Options to tweak the building process.

Public Members

bool linkedit = true

DylibCommand

class DylibCommand : public LIEF::MachO::LoadCommand

Class which represents a library dependency.

Public Types

using version_t = std::array<uint16_t, 3>

Public Functions

DylibCommand()
DylibCommand(const details::dylib_command &cmd)
DylibCommand &operator=(const DylibCommand &copy)
DylibCommand(const DylibCommand &copy)
~DylibCommand() override
virtual DylibCommand *clone() const override
const std::string &name() const

Library name.

uint32_t timestamp() const

Date and Time when the shared library was built.

version_t current_version() const

Current version of the shared library.

version_t compatibility_version() const

Compatibility version of the shared library.

void name(const std::string &name)
void timestamp(uint32_t timestamp)
void current_version(version_t currentVersion)
void compatibility_version(version_t compatibilityVersion)
virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static version_t int2version(uint32_t version)

Helper to convert an integer into a version array.

static uint32_t version2int(version_t version)

Helper to convert a version array into an integer.

static DylibCommand weak_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LOAD_WEAK_DYLIB library.

static DylibCommand id_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_ID_DYLIB library.

static DylibCommand load_dylib(const std::string &name, uint32_t timestamp = 2, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LOAD_DYLIB library.

static DylibCommand reexport_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_REEXPORT_DYLIB library.

static DylibCommand load_upward_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LOAD_UPWARD_DYLIB library.

static DylibCommand lazy_load_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LAZY_LOAD_DYLIB library.

static bool classof(const LoadCommand *cmd)

DylinkerCommand

class DylinkerCommand : public LIEF::MachO::LoadCommand

Class that represents the Mach-O linker, also named loader Most of the time, DylinkerCommand::name() returns /usr/lib/dyld

Public Functions

DylinkerCommand()
DylinkerCommand(const details::dylinker_command &cmd)
DylinkerCommand(std::string name)
DylinkerCommand &operator=(const DylinkerCommand &copy)
DylinkerCommand(const DylinkerCommand &copy)
virtual DylinkerCommand *clone() const override
~DylinkerCommand() override
virtual std::ostream &print(std::ostream &os) const override
const std::string &name() const

Path to the linker (or loader)

void name(const std::string &name)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

DynamicSymbolCommand

class DynamicSymbolCommand : public LIEF::MachO::LoadCommand

Class that represents the LC_DYSYMTAB command.

This command completes the LC_SYMTAB (SymbolCommand) to provide a better granularity over the symbols layout.

Public Functions

DynamicSymbolCommand()
DynamicSymbolCommand(const details::dysymtab_command &cmd)
DynamicSymbolCommand &operator=(const DynamicSymbolCommand &copy)
DynamicSymbolCommand(const DynamicSymbolCommand &copy)
virtual DynamicSymbolCommand *clone() const override
~DynamicSymbolCommand() override
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override
uint32_t idx_local_symbol() const

Index of the first symbol in the group of local symbols.

uint32_t nb_local_symbols() const

Number of symbols in the group of local symbols.

uint32_t idx_external_define_symbol() const

Index of the first symbol in the group of defined external symbols.

uint32_t nb_external_define_symbols() const

Number of symbols in the group of defined external symbols.

uint32_t idx_undefined_symbol() const

Index of the first symbol in the group of undefined external symbols.

uint32_t nb_undefined_symbols() const

Number of symbols in the group of undefined external symbols.

uint32_t toc_offset() const

Byte offset from the start of the file to the table of contents data.

Table of content is used by legacy Mach-O loader and this field should be set to 0

uint32_t nb_toc() const

Number of entries in the table of contents.

Should be set to 0 on recent Mach-O

uint32_t module_table_offset() const

Byte offset from the start of the file to the module table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_module_table() const

Number of entries in the module table.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t external_reference_symbol_offset() const

Byte offset from the start of the file to the external reference table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_external_reference_symbols() const

Number of entries in the external reference table.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t indirect_symbol_offset() const

Byte offset from the start of the file to the indirect symbol table data.

Indirect symbol table is used by the loader to speed-up symbol resolution during the lazy binding process

References:

  • dyld-519.2.1/src/ImageLoaderMachOCompressed.cpp

  • dyld-519.2.1/src/ImageLoaderMachOClassic.cpp

uint32_t nb_indirect_symbols() const

Number of entries in the indirect symbol table.

See also

indirect_symbol_offset

uint32_t external_relocation_offset() const

Byte offset from the start of the file to the external relocation table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_external_relocations() const

Number of entries in the external relocation table.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t local_relocation_offset() const

Byte offset from the start of the file to the local relocation table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_local_relocations() const

Number of entries in the local relocation table.

This field seems unused by recent Mach-O loader and should be set to 0

void idx_local_symbol(uint32_t value)
void nb_local_symbols(uint32_t value)
void idx_external_define_symbol(uint32_t value)
void nb_external_define_symbols(uint32_t value)
void idx_undefined_symbol(uint32_t value)
void nb_undefined_symbols(uint32_t value)
void toc_offset(uint32_t value)
void nb_toc(uint32_t value)
void module_table_offset(uint32_t value)
void nb_module_table(uint32_t value)
void external_reference_symbol_offset(uint32_t value)
void nb_external_reference_symbols(uint32_t value)
void indirect_symbol_offset(uint32_t value)
void nb_indirect_symbols(uint32_t value)
void external_relocation_offset(uint32_t value)
void nb_external_relocations(uint32_t value)
void local_relocation_offset(uint32_t value)
void nb_local_relocations(uint32_t value)

Public Static Functions

static bool classof(const LoadCommand *cmd)

LoadCommand

class LoadCommand : public LIEF::Object

Based class for the Mach-O load commands.

Subclassed by LIEF::MachO::BuildVersion, LIEF::MachO::CodeSignature, LIEF::MachO::CodeSignatureDir, LIEF::MachO::DataInCode, LIEF::MachO::DyldChainedFixups, LIEF::MachO::DyldEnvironment, LIEF::MachO::DyldExportsTrie, LIEF::MachO::DyldInfo, LIEF::MachO::DylibCommand, LIEF::MachO::DylinkerCommand, LIEF::MachO::DynamicSymbolCommand, LIEF::MachO::EncryptionInfo, LIEF::MachO::FilesetCommand, LIEF::MachO::FunctionStarts, LIEF::MachO::LinkerOptHint, LIEF::MachO::MainCommand, LIEF::MachO::RPathCommand, LIEF::MachO::SegmentCommand, LIEF::MachO::SegmentSplitInfo, LIEF::MachO::SourceVersion, LIEF::MachO::SubFramework, LIEF::MachO::SymbolCommand, LIEF::MachO::ThreadCommand, LIEF::MachO::TwoLevelHints, LIEF::MachO::UUIDCommand, LIEF::MachO::VersionMin

Public Types

using raw_t = std::vector<uint8_t>

Public Functions

LoadCommand()
LoadCommand(const details::load_command &command)
LoadCommand(LOAD_COMMAND_TYPES type, uint32_t size)
LoadCommand &operator=(LoadCommand copy)
LoadCommand(const LoadCommand &copy)
void swap(LoadCommand &other)
virtual LoadCommand *clone() const
~LoadCommand() override
LOAD_COMMAND_TYPES command() const

Command type.

uint32_t size() const

Size of the command (should be greather than sizeof(load_command))

const raw_t &data() const

Raw command.

uint64_t command_offset() const

Offset of the command within the Load Command Table

void data(const raw_t &data)
void command(LOAD_COMMAND_TYPES command)
void size(uint32_t size)
void command_offset(uint64_t offset)
virtual std::ostream &print(std::ostream &os) const
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool is_linkedit_data(const LoadCommand &cmd)

Friends

friend std::ostream &operator<<(std::ostream &os, const LoadCommand &cmd)

MainCommand

class MainCommand : public LIEF::MachO::LoadCommand

Class that represent the LC_MAIN command. This kind of command can be used to determine the entrypoint of an executable.

Public Functions

MainCommand()
MainCommand(const details::entry_point_command &cmd)
MainCommand(uint64_t entrypoint, uint64_t stacksize)
MainCommand &operator=(const MainCommand &copy)
MainCommand(const MainCommand &copy)
virtual MainCommand *clone() const override
~MainCommand() override
uint64_t entrypoint() const

Offset of the main function relative to the __TEXT segment.

uint64_t stack_size() const

The initial stack size (if not 0)

void entrypoint(uint64_t entrypoint)
void stack_size(uint64_t stacksize)
virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Section

class Section : public LIEF::Section

Class that represents a Mach-O section.

Public Types

using content_t = std::vector<uint8_t>
using flag_list_t = std::set<MACHO_SECTION_FLAGS>
using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing Mach-O Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator which outputs const Relocation&.

Public Functions

Section()
Section(const details::section_32 &section_cmd)
Section(const details::section_64 &section_cmd)
Section(std::string name)
Section(std::string name, content_t content)
Section &operator=(Section copy)
Section(const Section &copy)
void swap(Section &other)
~Section() override
virtual span<const uint8_t> content() const override

section’s content

virtual void content(const content_t &data) override

Update the content of the section.

const std::string &segment_name() const

Return the name of the segment linked to this section.

uint64_t address() const

Virtual base address of the section.

uint32_t alignment() const

Section alignment as a power of 2.

uint32_t relocation_offset() const

Offset of the relocation table. This value should be 0 for executable and libraries as the relocations are managed by the DyldInfo::rebase.

Other the other hand, for object files (.o) this value should not be 0

See also

numberof_relocations

See also

relocations

uint32_t numberof_relocations() const

Number of relocations associated with this section.

uint32_t flags() const

Section’s flags masked with SECTION_FLAGS_MASK (see: MACHO_SECTION_FLAGS)

See also

flags

MACHO_SECTION_TYPES type() const

Type of the section. This value can help to determine the purpose of the section (e.g. MACHO_SECTION_TYPES::MACHO_SECTION_TYPES)

uint32_t reserved1() const

According to the official loader.h file, this value is reserved for offset or index

uint32_t reserved2() const

According to the official loader.h file, this value is reserved for count or sizeof

uint32_t reserved3() const

This value is only present for 64 bits Mach-O files. In that case, the value is reserved.

flag_list_t flags_list() const

Return the Section::flags as an std::set of MACHO_SECTION_FLAGS.

See also

flags

uint32_t raw_flags() const

Section flags without applying the SECTION_FLAGS_MASK mask.

bool has_segment() const

Check if this section is correctly linked with a MachO::SegmentCommand.

SegmentCommand *segment()

The segment associated with this section or a nullptr if not present.

const SegmentCommand *segment() const
void clear(uint8_t v)

Clear the content of this section by filling its values with the byte provided in parameter.

it_relocations relocations()

Return an iterator over the MachO::Relocation associated with this section.

This iterator is likely to be empty of executable and libraries while it should not for object files (.o)

it_const_relocations relocations() const
void segment_name(const std::string &name)
void address(uint64_t address)
void alignment(uint32_t align)
void relocation_offset(uint32_t relocOffset)
void numberof_relocations(uint32_t nbReloc)
void flags(uint32_t flags)
void flags(flag_list_t flags)
void type(MACHO_SECTION_TYPES type)
void reserved1(uint32_t reserved1)
void reserved2(uint32_t reserved2)
void reserved3(uint32_t reserved3)
bool has(MACHO_SECTION_FLAGS flag) const

Check if the section has the given MACHO_SECTION_FLAGS flag.

void add(MACHO_SECTION_FLAGS flag)

Append a MACHO_SECTION_FLAGS to the current section.

void remove(MACHO_SECTION_FLAGS flag)

Remove a MACHO_SECTION_FLAGS to the current section.

Section &operator+=(MACHO_SECTION_FLAGS flag)
Section &operator-=(MACHO_SECTION_FLAGS flag)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)

SegmentCommand

class SegmentCommand : public LIEF::MachO::LoadCommand

Class which represents a LOAD_COMMAND_TYPES::LC_SEGMENT / LOAD_COMMAND_TYPES::LC_SEGMENT_64 command.

Subclassed by LIEF::MachO::LinkEdit

Public Types

using content_t = std::vector<uint8_t>
using sections_t = std::vector<std::unique_ptr<Section>>

Internal container for storing Mach-O Section.

using it_sections = ref_iterator<sections_t&, Section*>

Iterator which outputs Section&.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>

Iterator which outputs const Section&.

using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing Mach-O Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator which outputs const Relocation&.

Public Functions

SegmentCommand()
SegmentCommand(const details::segment_command_32 &cmd)
SegmentCommand(const details::segment_command_64 &cmd)
SegmentCommand &operator=(SegmentCommand other)
SegmentCommand(const SegmentCommand &copy)
SegmentCommand(std::string name, content_t content)
SegmentCommand(std::string name)
void swap(SegmentCommand &other)
virtual SegmentCommand *clone() const override
~SegmentCommand() override
const std::string &name() const

Name of the segment (e.g. __TEXT)

uint64_t virtual_address() const

Absolute virtual base address of the segment.

uint64_t virtual_size() const

Virtual size of the segment.

uint64_t file_size() const

Size of this segment in the binary file.

uint64_t file_offset() const

Offset of the data of this segment in the file.

uint32_t max_protection() const

The maximum of protections for this segment (cf. VM_PROTECTIONS)

uint32_t init_protection() const

The initial protections of this segment (cf. VM_PROTECTIONS)

uint32_t numberof_sections() const

The number of sections associated with this segment.

uint32_t flags() const

Flags associated with this segment (cf. MACHO_SEGMENTS_FLAGS)

it_sections sections()

Return an iterator over the MachO::Section linked to this segment.

it_const_sections sections() const
it_relocations relocations()

Return an iterator over the MachO::Relocation linked to this segment.

For Mach-O executable or library this iterator should be empty as the relocations are managed by the Dyld::rebase_opcodes. On the other hand, for object files (.o) this iterator should not be empty

it_const_relocations relocations() const
const Section *get_section(const std::string &name) const

Get the section with the given name.

Section *get_section(const std::string &name)
inline span<const uint8_t> content() const

The raw content of this segment.

inline int8_t index() const

The original index of this segment.

void name(const std::string &name)
void virtual_address(uint64_t virtual_address)
void virtual_size(uint64_t virtual_size)
void file_offset(uint64_t file_offset)
void file_size(uint64_t file_size)
void max_protection(uint32_t max_protection)
void init_protection(uint32_t init_protection)
void numberof_sections(uint32_t nb_section)
void flags(uint32_t flags)
void content(content_t data)
Section &add_section(const Section &section)

Add a new section in this segment.

void remove_all_sections()

Remove all the sections linked to this segment.

bool has(const Section &section) const

Check if the current segment embeds the given section.

bool has_section(const std::string &section_name) const

Check if the current segment embeds the given section name.

virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Symbol

class Symbol : public LIEF::Symbol

Class that represents a Symbol in a Mach-O file.

A Mach-O symbol can come from:

  1. The symbols command (LC_SYMTAB / SymbolCommand)

  2. The Dyld Export trie

  3. The Dyld Symbol bindings

Public Types

enum class CATEGORY

Category of the symbol when the symbol comes from the LC_SYMTAB command. The category is defined according to the LC_DYSYMTAB (DynamicSymbolCommand) command.

Values:

enumerator NONE = 0
enumerator LOCAL
enumerator EXTERNAL
enumerator UNDEFINED
enumerator INDIRECT_ABS
enumerator INDIRECT_LOCAL

Public Functions

Symbol()
Symbol(const details::nlist_32 &cmd)
Symbol(const details::nlist_64 &cmd)
Symbol &operator=(Symbol other)
Symbol(const Symbol &other)
void swap(Symbol &other)
~Symbol() override
uint8_t type() const
uint8_t numberof_sections() const

It returns the number of sections in which this symbol can be found. If the symbol can’t be found in any section, it returns 0 (NO_SECT)

uint16_t description() const

Return information about the symbol (SYMBOL_DESCRIPTIONS)

bool has_export_info() const

True if the symbol is associated with an ExportInfo This value is set when the symbol comes from the Dyld Export trie.

const ExportInfo *export_info() const

Return the ExportInfo associated with this symbol (or nullptr if not present)

See also

has_export_info

ExportInfo *export_info()
bool has_binding_info() const

True if the symbol is associated with a BindingInfo This value is set when the symbol comes from the Dyld symbol bindings.

const BindingInfo *binding_info() const

Return the BindingInfo associated with this symbol (or nullptr if not present)

See also

has_binding_info

BindingInfo *binding_info()
std::string demangled_name() const

Try to demangle the symbol or return an empty string if it is not possible.

bool is_external() const

True if the symbol is defined as an external symbol.

This function check if the flag N_LIST_TYPES::N_UNDF is set

inline const DylibCommand *library() const

Return the library in which the symbol is defined. It returns a null pointer if the library can’t be resolved.

inline DylibCommand *library()
SYMBOL_ORIGINS origin() const

Return the origin of the symbol: from LC_SYMTAB command or from the Dyld information.

inline CATEGORY category() const

Category of the symbol according to the LC_DYSYMTAB command.

void type(uint8_t type)
void numberof_sections(uint8_t nbsections)
void description(uint16_t desc)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static const Symbol &indirect_abs()
static const Symbol &indirect_local()

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &symbol)

SymbolCommand

class SymbolCommand : public LIEF::MachO::LoadCommand

Class that represents the LC_SYMTAB command.

Public Functions

SymbolCommand()
SymbolCommand(const details::symtab_command &command)
SymbolCommand &operator=(const SymbolCommand &copy)
SymbolCommand(const SymbolCommand &copy)
virtual SymbolCommand *clone() const override
~SymbolCommand() override
uint32_t symbol_offset() const

Offset from the start of the file to the n_list associated with the command.

uint32_t numberof_symbols() const

Number of symbols registered.

uint32_t strings_offset() const

Offset from the start of the file to the string table.

uint32_t strings_size() const

Size of the size string table.

void symbol_offset(uint32_t offset)
void numberof_symbols(uint32_t nb)
void strings_offset(uint32_t offset)
void strings_size(uint32_t size)
inline span<const uint8_t> symbol_table() const
inline span<uint8_t> symbol_table()
inline span<const uint8_t> string_table() const
inline span<uint8_t> string_table()
inline uint32_t original_str_size() const
inline uint32_t original_nb_symbols() const
virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

UUIDCommand

class UUIDCommand : public LIEF::MachO::LoadCommand

Class that represents the UUID command.

Public Functions

UUIDCommand()
UUIDCommand(const details::uuid_command &cmd)
UUIDCommand &operator=(const UUIDCommand &copy)
UUIDCommand(const UUIDCommand &copy)
virtual UUIDCommand *clone() const override
~UUIDCommand() override
uuid_t uuid() const

The UUID as a 16-bytes array.

void uuid(const uuid_t &uuid)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Dyld Info

class DyldInfo : public LIEF::MachO::LoadCommand

Class that represents the LC_DYLD_INFO and LC_DYLD_INFO_ONLY commands.

Public Types

enum class BINDING_ENCODING_VERSION

Values:

enumerator UNKNOWN = 0
enumerator V1
enumerator V2
using info_t = std::pair<uint32_t, uint32_t>

Tuple of offset and size

using binding_info_t = std::vector<std::unique_ptr<DyldBindingInfo>>

Internal container for storing DyldBindingInfo.

using it_binding_info = ref_iterator<binding_info_t&, DyldBindingInfo*>

Iterator which outputs DyldBindingInfo&.

using it_const_binding_info = const_ref_iterator<const binding_info_t&, DyldBindingInfo*>

Iterator which outputs const DyldBindingInfo&.

using export_info_t = std::vector<std::unique_ptr<ExportInfo>>

Internal container for storing ExportInfo.

using it_export_info = ref_iterator<export_info_t&, ExportInfo*>

Iterator which outputs const ExportInfo&.

using it_const_export_info = const_ref_iterator<const export_info_t&, ExportInfo*>

Iterator which outputs const ExportInfo&.

Public Functions

DyldInfo()
DyldInfo(const details::dyld_info_command &dyld_info_cmd)
DyldInfo &operator=(DyldInfo other)
DyldInfo(const DyldInfo &copy)
void swap(DyldInfo &other)
virtual DyldInfo *clone() const override
~DyldInfo() override
const info_t &rebase() const

Rebase information

Dyld rebases an image whenever dyld loads it at an address different from its preferred address. The rebase information is a stream of byte sized opcodes for which symbolic names start with REBASE_OPCODE_. Conceptually the rebase information is a table of tuples: <seg-index, seg-offset, type> The opcodes are a compressed way to encode the table by only encoding when a column changes. In addition simple patterns like “every n’th offset for m times” can be encoded in a few bytes.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> rebase_opcodes() const

Return Rebase’s opcodes as raw data.

span<uint8_t> rebase_opcodes()
void rebase_opcodes(buffer_t raw)

Set new opcodes.

std::string show_rebases_opcodes() const

Return the rebase opcodes in a humman-readable way.

const info_t &bind() const

Bind information

Dyld binds an image during the loading process, if the image requires any pointers to be initialized to symbols in other images. The rebase information is a stream of byte sized opcodes for which symbolic names start with BIND_OPCODE_. Conceptually the bind information is a table of tuples: <seg-index, seg-offset, type, symbol-library-ordinal, symbol-name, addend> The opcodes are a compressed way to encode the table by only encoding when a column changes. In addition simple patterns like for runs of pointers initialzed to the same value can be encoded in a few bytes.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> bind_opcodes() const

Return Binding’s opcodes as raw data.

span<uint8_t> bind_opcodes()
void bind_opcodes(buffer_t raw)

Set new opcodes.

std::string show_bind_opcodes() const

Return the bind opcodes in a humman-readable way.

const info_t &weak_bind() const

Weak Bind information

Some C++ programs require dyld to unique symbols so that all images in the process use the same copy of some code/data. This step is done after binding. The content of the weak_bind info is an opcode stream like the bind_info. But it is sorted alphabetically by symbol name. This enables dyld to walk all images with weak binding information in order and look for collisions. If there are no collisions, dyld does no updating. That means that some fixups are also encoded in the bind_info. For instance, all calls to “operator new” are first bound to libstdc++.dylib using the information in bind_info. Then if some image overrides operator new that is detected when the weak_bind information is processed and the call to operator new is then rebound.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> weak_bind_opcodes() const

Return Weak Binding’s opcodes as raw data.

span<uint8_t> weak_bind_opcodes()
void weak_bind_opcodes(buffer_t raw)

Set new opcodes.

std::string show_weak_bind_opcodes() const

Return the bind opcodes in a humman-readable way.

const info_t &lazy_bind() const

Lazy Bind information

Some uses of external symbols do not need to be bound immediately. Instead they can be lazily bound on first use. The lazy_bind are contains a stream of BIND opcodes to bind all lazy symbols. Normal use is that dyld ignores the lazy_bind section when loading an image. Instead the static linker arranged for the lazy pointer to initially point to a helper function which pushes the offset into the lazy_bind area for the symbol needing to be bound, then jumps to dyld which simply adds the offset to lazy_bind_off to get the information on what to bind.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> lazy_bind_opcodes() const

Return Lazy Binding’s opcodes as raw data.

span<uint8_t> lazy_bind_opcodes()
void lazy_bind_opcodes(buffer_t raw)

Set new opcodes.

std::string show_lazy_bind_opcodes() const

Return the lazy opcodes in a humman-readable way.

it_binding_info bindings()

Iterator over BindingInfo entries.

it_const_binding_info bindings() const
const info_t &export_info() const

Export information

The symbols exported by a dylib are encoded in a trie. This is a compact representation that factors out common prefixes. It also reduces LINKEDIT pages in RAM because it encodes all information (name, address, flags) in one small, contiguous range. The export area is a stream of nodes. The first node sequentially is the start node for the trie.

Nodes for a symbol start with a byte that is the length of the exported symbol information for the string so far. If there is no exported symbol, the byte is zero. If there is exported info, it follows the length byte. The exported info normally consists of a flags and offset both encoded in uleb128. The offset is location of the content named by the symbol. It is the offset from the mach_header for the image.

After the initial byte and optional exported symbol information is a byte of how many edges (0-255) that this node has leaving it, followed by each edge. Each edge is a zero terminated cstring of the addition chars in the symbol, followed by a uleb128 offset for the node that edge points to.

See also

/usr/include/mach-o/loader.h

it_export_info exports()

Iterator over ExportInfo entries.

it_const_export_info exports() const
span<const uint8_t> export_trie() const

Return Export’s trie as raw data.

span<uint8_t> export_trie()
void export_trie(buffer_t raw)

Set new trie.

std::string show_export_trie() const

Return the export trie in a humman-readable way.

void rebase(const info_t &info)
void bind(const info_t &info)
void weak_bind(const info_t &info)
void lazy_bind(const info_t &info)
void export_info(const info_t &info)
void set_rebase_offset(uint32_t offset)
void set_rebase_size(uint32_t size)
void set_bind_offset(uint32_t offset)
void set_bind_size(uint32_t size)
void set_weak_bind_offset(uint32_t offset)
void set_weak_bind_size(uint32_t size)
void set_lazy_bind_offset(uint32_t offset)
void set_lazy_bind_size(uint32_t size)
void set_export_offset(uint32_t offset)
void set_export_size(uint32_t size)
void add(std::unique_ptr<ExportInfo> info)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Function starts

class FunctionStarts : public LIEF::MachO::LoadCommand

Class which represents the LC_FUNCTION_STARTS command.

This command is an array of ULEB128 encoded values

Public Functions

FunctionStarts()
FunctionStarts(const details::linkedit_data_command &cmd)
FunctionStarts &operator=(const FunctionStarts &copy)
FunctionStarts(const FunctionStarts &copy)
virtual FunctionStarts *clone() const override
uint32_t data_offset() const

Offset in the __LINKEDIT SegmentCommand where start functions are located.

uint32_t data_size() const

Size of the functions list in the binary.

const std::vector<uint64_t> &functions() const

Addresses of every function entry point in the executable.

This allows functions to exist for which there are no entries in the symbol table.

Warning

The address is relative to the __TEXT segment

std::vector<uint64_t> &functions()
void add_function(uint64_t address)

Add a new function.

void data_offset(uint32_t offset)
void data_size(uint32_t size)
void functions(const std::vector<uint64_t> &funcs)
inline span<const uint8_t> content() const
inline span<uint8_t> content()
~FunctionStarts() override
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Source Version

class SourceVersion : public LIEF::MachO::LoadCommand

Class that represents the MachO LOAD_COMMAND_TYPES::LC_SOURCE_VERSION This command is used to provide the version of the sources used to build the binary.

Public Types

using version_t = std::array<uint32_t, 5>

Version is an array of 5 integers.

Public Functions

SourceVersion()
SourceVersion(const details::source_version_command &version_cmd)
SourceVersion &operator=(const SourceVersion &copy)
SourceVersion(const SourceVersion &copy)
virtual SourceVersion *clone() const override
~SourceVersion() override
const SourceVersion::version_t &version() const

Return the version as an array.

void version(const SourceVersion::version_t &version)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Version Min

class VersionMin : public LIEF::MachO::LoadCommand

Class that wraps the LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, … commands.

Public Types

using version_t = std::array<uint32_t, 3>

Version is an array of 3 integers.

Public Functions

VersionMin()
VersionMin(const details::version_min_command &version_cmd)
VersionMin &operator=(const VersionMin &copy)
VersionMin(const VersionMin &copy)
virtual VersionMin *clone() const override
~VersionMin() override
const version_t &version() const

Return the version as an array.

void version(const version_t &version)
const version_t &sdk() const

Return the sdk version as an array.

void sdk(const version_t &sdk)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static bool classof(const LoadCommand *cmd)

Relocation

class Relocation : public LIEF::Relocation

Class that represents a Mach-O relocation.

See also

:

Subclassed by LIEF::MachO::RelocationDyld, LIEF::MachO::RelocationFixup, LIEF::MachO::RelocationObject

Public Functions

Relocation()
Relocation(uint64_t address, uint8_t type)
Relocation &operator=(const Relocation &other)
Relocation(const Relocation &other)
void swap(Relocation &other)
~Relocation() override
virtual Relocation *clone() const = 0
virtual bool is_pc_relative() const = 0

Indicates whether the item containing the address to be relocated is part of a CPU instruction that uses PC-relative addressing.

For addresses contained in PC-relative instructions, the CPU adds the address of the instruction to the address contained in the instruction.

virtual uint8_t type() const

Type of the relocation according to the Relocation::architecture and/or the Relocation::origin.

See:

CPU_TYPES architecture() const

Achitecture targeted by this relocation.

virtual RELOCATION_ORIGINS origin() const = 0

Origin of the relocation.

bool has_symbol() const

true if the relocation has a symbol associated with

Symbol *symbol()

Symbol associated with the relocation, if any, otherwise a nullptr.

const Symbol *symbol() const
bool has_section() const

true if the relocation has a section associated with

Section *section()

Section associated with the relocation, if any, otherwise a nullptr.

const Section *section() const
bool has_segment() const

true if the relocation has a SegmentCommand associated with

SegmentCommand *segment()

SegmentCommand associated with the relocation, if any, otherwise a nullptr.

const SegmentCommand *segment() const
virtual void pc_relative(bool val) = 0
virtual void type(uint8_t type)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)

Relocation Object

class RelocationObject : public LIEF::MachO::Relocation

Class that represents a relocation presents in the MachO object file (.o). Usually, this kind of relocation is found in the MachO::Section.

See also

RelocationDyld

Public Functions

RelocationObject()
RelocationObject(const details::relocation_info &relocinfo)
RelocationObject(const details::scattered_relocation_info &scattered_relocinfo)
RelocationObject &operator=(RelocationObject other)
RelocationObject(const RelocationObject &other)
void swap(RelocationObject &other)
~RelocationObject() override
virtual RelocationObject *clone() const override
virtual bool is_pc_relative() const override

Whether the relocation is PC relative.

virtual size_t size() const override

Size of the relocation.

virtual uint64_t address() const override

Address where the relocation is applied This address is relative to the start of the section where the relocation takes place.

bool is_scattered() const

true if the relocation is a scattered one

int32_t value() const

For scattered relocations: The address of the relocatable expression for the item in the file that needs to be updated if the address is changed.

For relocatable expressions with the difference of two section addresses, the address from which to subtract (in mathematical terms, the minuend) is contained in the first relocation entry and the address to subtract (the subtrahend) is contained in the second relocation entry.

virtual RELOCATION_ORIGINS origin() const override

Origin of the relocation. For this object it should be RELOCATION_ORIGINS::ORIGIN_RELOC_TABLE)

virtual void pc_relative(bool val) override
virtual void size(size_t size) override
void value(int32_t value)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override
Relocation()
Relocation(uint64_t address, uint8_t type)
Relocation(const Relocation &other)

Public Static Functions

static bool classof(const Relocation &r)

Relocation Dyld

class RelocationDyld : public LIEF::MachO::Relocation

Class that represents a relocation found in the DyldInfo structure.

While this class does not have an associated structure in the Mach-O format specification, it provides a convenient interface for the Dyld::rebase

Public Functions

RelocationDyld()
RelocationDyld &operator=(const RelocationDyld&)
RelocationDyld(const RelocationDyld&)
~RelocationDyld() override
virtual Relocation *clone() const override
virtual bool is_pc_relative() const override

Indicates whether the item containing the address to be relocated is part of a CPU instruction that uses PC-relative addressing.

For addresses contained in PC-relative instructions, the CPU adds the address of the instruction to the address contained in the instruction.

virtual RELOCATION_ORIGINS origin() const override

Origin of the relocation. For this concrete object, it should be RELOCATION_ORIGINS::ORIGIN_DYLDINFO.

virtual void pc_relative(bool val) override
bool operator<(const RelocationDyld &rhs) const
bool operator>=(const RelocationDyld &rhs) const
bool operator>(const RelocationDyld &rhs) const
bool operator<=(const RelocationDyld &rhs) const
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override
Relocation()
Relocation(uint64_t address, uint8_t type)
Relocation(const Relocation &other)

Public Static Functions

static bool classof(const Relocation &r)

Relocation Fixup

class RelocationFixup : public LIEF::MachO::Relocation

Class that represents a rebase relocation found in the LC_DYLD_CHAINED_FIXUPS command.

This class extends LIEF::Relocation in which LIEF::Relocation::address is set to the absolute virtual address where the relocation must take place (e.g. 0x10000d270).

On the other hand, RelocationFixup::target contains the value that should be set at LIEF::Relocation::address if the imagebase is LIEF::Binary::imagebase (e.g. 0x1000073a8).

If the Mach-O loader chooses another base address (like 0x7ff100000), it must set 0x10000d270 to 0x7ff1073a8.

Public Functions

RelocationFixup() = delete
RelocationFixup(DYLD_CHAINED_PTR_FORMAT fmt, uint64_t imagebase)
RelocationFixup &operator=(const RelocationFixup&)
RelocationFixup(const RelocationFixup&)
RelocationFixup &operator=(RelocationFixup&&)
RelocationFixup(RelocationFixup&&)
~RelocationFixup() override
virtual Relocation *clone() const override
virtual bool is_pc_relative() const override

Not relevant for this kind of relocation.

virtual RELOCATION_ORIGINS origin() const override

Origin of the relocation. For this concrete object, it should be RELOCATION_ORIGINS::ORIGIN_CHAINED_FIXUPS.

inline DYLD_CHAINED_PTR_FORMAT ptr_format() const
uint64_t target() const

The value that should be set at LIEF::Relocation::address if the imagebase is LIEF::Binary::imagebase. Otherwise, it should be: target() - LIEF::Binary::imagebase() + new_imagebase.

void target(uint64_t target)
virtual void pc_relative(bool) override

Not relevant for this kind of relocation.

inline uint32_t offset() const
inline void offset(uint32_t offset)
virtual uint64_t address() const override

The address of this relocation is bound to its offset.

virtual void address(uint64_t address) override

Changing the address means changing the offset.

virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Members

details::dyld_chained_ptr_arm64e_rebase *arm64_rebase_ = nullptr
details::dyld_chained_ptr_arm64e_auth_rebase *arm64_auth_rebase_
details::dyld_chained_ptr_64_rebase *p64_rebase_
details::dyld_chained_ptr_32_rebase *p32_rebase_

Public Static Functions

static bool classof(const Relocation &r)

Dyld Binding Info

class DyldBindingInfo : public LIEF::MachO::BindingInfo

This class represents a symbol binding operation associated with the LC_DYLD_INFO bytecode.

It does not represent a structure that exists in the Mach-O format specifications but it provides a view on an entry of the Dyld binding opcodes.

See also

: BindingInfo

Public Functions

DyldBindingInfo()
DyldBindingInfo(BINDING_CLASS cls, BIND_TYPES type, uint64_t address, int64_t addend = 0, int32_t oridnal = 0, bool is_weak = false, bool is_non_weak_definition = false, uint64_t offset = 0)
DyldBindingInfo &operator=(DyldBindingInfo other)
DyldBindingInfo(const DyldBindingInfo &other)
DyldBindingInfo(DyldBindingInfo&&)
void swap(DyldBindingInfo &other)
BINDING_CLASS binding_class() const

Class of the binding (weak, lazy, …)

void binding_class(BINDING_CLASS bind_class)
BIND_TYPES binding_type() const

Type of the binding. Most of the times it’s BIND_TYPES::BIND_TYPE_POINTER.

void binding_type(BIND_TYPES type)
inline bool is_non_weak_definition() const
inline void set_non_weak_definition(bool val)
uint64_t original_offset() const

Original relative offset of the binding opcodes.

inline virtual BindingInfo::TYPES type() const override

The type of the binding. This type provides the origin of the binding (LC_DYLD_INFO or LC_DYLD_CHAINED_FIXUPS)

~DyldBindingInfo() override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool classof(const BindingInfo &info)

Friends

friend std::ostream &operator<<(std::ostream &os, const DyldBindingInfo &binding_info)

Chained Binding Info

class ChainedBindingInfo : public LIEF::MachO::BindingInfo

This class represents a symbol binding operation associated with the LC_DYLD_CHAINED_FIXUPS command.

This class does not represent a structure that exists in the Mach-O format specifications but it provides a view on an entry.

See also

: BindingInfo

Public Functions

ChainedBindingInfo() = delete
explicit ChainedBindingInfo(DYLD_CHAINED_FORMAT fmt, bool is_weak)
ChainedBindingInfo &operator=(ChainedBindingInfo other)
ChainedBindingInfo(const ChainedBindingInfo &other)
ChainedBindingInfo(ChainedBindingInfo&&)
void swap(ChainedBindingInfo &other)
inline DYLD_CHAINED_FORMAT format() const

Format of the imports.

inline DYLD_CHAINED_PTR_FORMAT ptr_format() const

Format of the pointer.

inline uint32_t offset() const

Original offset in the chain of this binding.

inline void offset(uint32_t offset)
virtual uint64_t address() const override

Address of the binding.

virtual void address(uint64_t address) override
uint64_t sign_extended_addend() const
inline virtual BindingInfo::TYPES type() const override

The type of the binding. This type provides the origin of the binding (LC_DYLD_INFO or LC_DYLD_CHAINED_FIXUPS)

~ChainedBindingInfo() override
virtual void accept(Visitor &visitor) const override

Public Members

details::dyld_chained_ptr_arm64e_bind *arm64_bind_ = nullptr
details::dyld_chained_ptr_arm64e_auth_bind *arm64_auth_bind_
details::dyld_chained_ptr_arm64e_bind24 *arm64_bind24_
details::dyld_chained_ptr_arm64e_auth_bind24 *arm64_auth_bind24_
details::dyld_chained_ptr_64_bind *p64_bind_
details::dyld_chained_ptr_32_bind *p32_bind_

Public Static Functions

static bool classof(const BindingInfo &info)

Friends

friend std::ostream &operator<<(std::ostream &os, const ChainedBindingInfo &info)

Export Info

class ExportInfo : public LIEF::Object

Class that provides an interface over the Dyld export info.

This class does not represent a structure that exists in the Mach-O format specification but provides a view on an entry of the Dyld export trie.

Public Types

using flag_list_t = std::vector<EXPORT_SYMBOL_FLAGS>

Public Functions

ExportInfo()
ExportInfo(uint64_t address, uint64_t flags, uint64_t offset = 0)
ExportInfo &operator=(ExportInfo copy)
ExportInfo(const ExportInfo &copy)
void swap(ExportInfo &other)
uint64_t node_offset() const

Original offset in the export Trie.

uint64_t flags() const

Some information (EXPORT_SYMBOL_FLAGS) about the export (like weak export, reexport, …)

void flags(uint64_t flags)
flag_list_t flags_list() const

The export flags() as a list.

bool has(EXPORT_SYMBOL_FLAGS flag) const

Check if the current entry contains the provided EXPORT_SYMBOL_FLAGS.

EXPORT_SYMBOL_KINDS kind() const

The export’s kind (regular, thread local, absolute, …)

uint64_t other()