MachOKit

0.16.1

Star

🔬 A Swift library for parsing MachO files to obtain various information.

binary macho reverse-engineering swift symbols parser

What's New

0.16.1

2024-04-26T15:45:56Z

What's Changed

Set up SPI manifest by @p-x9 in #75
Add support for detecting current CPU type and subtype on host PC by @p-x9 in #76
Fix subscript for DataSequence by @p-x9 in #77

Full Changelog: 0.16.0...0.16.1

MachOKit
a88c6ddd2be85b4973ca94f7b358cc6b2b107e1afce945780cc011163646e8b1

MachOKitC
aaaf61b704dfb440d4ccfc438c55b02a7e57af5fe7d8b58c3016f21e5a0d3d37

MachOKit

Library for parsing MachO files to obtain various information.

In addition to file reading, parsing of images in memory by _dyld_get_image_header is also supported.

Features

parse load commands
symbol list
get all cstrings
rebase operations
binding operations
export tries
...

Usage

Load from memory

For reading from memory, use the MachO structure.

It can be initialized by using the Mach-O Header pointer obtained by _dyld_get_image_header.

guard let mh = _dyld_get_image_header(0) else { return }
let machO = MachOImage(ptr: mh)

Alternatively, it can be initialized using the name.

// /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
guard let machO = MachOImage(name: "Foundation") else { return }

Load from file

For reading from file, use the MachOFile structure.

Reading from a file can be as follows. There is a case of a Fat file and a single MachO file, so a conditional branching process is required.

let path = "Path to MachO file"
let url = URL(string: path)

let file = try MachOKit.loadFromFile(url: url)

switch file {
case .machO(let machOFile): // single MachO file
    print(machOFile)
case .fat(let fatFile): // Fat file
    let machOFiles = try fatFile.machOFiles()
    print(machOFiles)
}

Main properties and methods

Both MachO and MachOFile can use essentially the same properties and methods. The available methods are defined in the following file as the MachORepresentable protocol.

MachORepresentable

Dyld Cache

loading of dyld_shared_cache is also supported.

let path = "/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h"
let url = URL(fileURLWithPath: path)

let cache = try! DyldCache(url: url)

It is also possible to extract machO information contained in dyld _shared _cache. The machO extracted is of type MachOFile. As with reading from a single MachO file, various analyses are possible.

let machOs = cache.machOFiles()
for machO in machOs {
    print(
        String(machO.headerStartOffsetInCache, radix: 16),
        machO.imagePath,
        machO.header.ncmds
    )
}

// 5c000 /usr/lib/libobjc.A.dylib 22
// 98000 /usr/lib/dyld 15
// 131000 /usr/lib/system/libsystem_blocks.dylib 24
// ...

Example Codes

There are a variety of uses, but most show a basic example that prints output to the Test directory.

Load from memory

The following file contains sample code. MachOPrintTests

Load from file

The following file contains sample code. MachOFilePrintTests

Dyld Cache

The following file contains sample code. DyldCachePrintTests

Related Projects

MachOKitSPM Pre-built version of MachOKit
SwiftHook ⚓️ A Swift Library for hooking swift methods and functions.
FishHook Re-implementation of facebook/fishhook with Swift using MachOKit
AntiFishHook A Swift library to deactivate fishhook. (Anti-FishHook)

License

MachOKit is released under the MIT License. See LICENSE

Description

Swift Tools 5.9.0

View More Packages from this Author

Dependencies

None

Last updated: Fri May 03 2024 13:23:13 GMT-0900 (Hawaii-Aleutian Daylight Time)