Mach-O Internals
Transcript of Mach-O Internals
1. Mach-O Internals
- Anthony Shoumikhin
- http://shoumikh.in
2. Agenda
- Program linking and loading on Mac OS X
- Mach-O structure
- Dynamic linking details
- Run-time hooking
3. Compiling
- Converting a human-readable text file to a Mach-O binary
- Preprocessing
- Generating assembler
- Assembling to object file
4. Compiling
- clang -c test.c
- clang -E  # Preprocess, but don't compile
- clang -S  # Compile, but don't assemble
- clang -c  # Assemble, but don't link
- Object file (Mach-O format)
5. Object file
- Generated by ld
- Header information
- Object code
- Relocation
- Symbols
- Debugging info
6. Symbols in object files
- Calls in code
  - Defined functions
  - Undefined functions
- References to static data
  - Defined variables
  - Undefined variables
7. Linking
- The process of resolving undefined symbols
8. Linking
- ld just converts Mach-O files of one type to another
- Executables and dynamic-linked Mach-O have no undefined symbols
9. Dynamic-linked library
- A complete Mach-O file without startup code
- Linked against like any other object file during linking by ld, but does not become a part of the executable
- Could be loaded on executable startup or manually in code at any moment
10. Loading
- Transferring a Mach-O file into process memory
11. Process memory layout (diagram, from the top of the address space down)
- Arguments & environment
- Stack
- Unused memory
- Heap
- Uninitialized data
- Initialized data
- Text
12. File mapping into memory
- Code maps read-only
- Data maps copy-on-write
13. Introducing Mach-O
14. File layout (diagram)
15. otool CLI exploring
- man otool
- -v (verbose) rulez

    $ otool -h Example.app/Contents/MacOS/Example
    Example.app/Contents/MacOS/Example (architecture i386):
    Mach header
          magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
     0xFEEDFACE       7          3  0x00           2    19       2356 0x00000085
    Example.app/Contents/MacOS/Example (architecture ppc):
    Mach header
          magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
     0xFEEDFACE      18          0  0x00           2    17       2412 0x00000085

16. Mach-O View GUI advantages
- http://sourceforge.net/projects/machoview
17. Header

    struct mach_header
    {
        uint32_t      magic;
        cpu_type_t    cputype;
        cpu_subtype_t cpusubtype;
        uint32_t      filetype;
        uint32_t      ncmds;
        uint32_t      sizeofcmds;
        uint32_t      flags;
    };

18. Load Commands (diagram: x32 vs x64)
19. Example - LC_SYMTAB

    struct load_command
    {
        uint32_t cmd;
        uint32_t cmdsize;
        // custom fields follow, specific to each command type
    };

20. Introducing Fat Mach-O
- Several Mach-O files of different target architectures in one

    struct fat_header
    {
        uint32_t magic; // 0xCAFEBABE
        uint32_t nfat_arch;
    };

    struct fat_arch
    {
        cpu_type_t    cputype;
        cpu_subtype_t cpusubtype;
        uint32_t      offset;
        uint32_t      size;
        uint32_t      align;
    };

21. Let's explore dynamic linking
- Test bed
- File test.c

    void libtest(); // from libtest.dylib

    int main()
    {
        libtest(); // calls puts() from libSystem.B.dylib
        return 0;
    }

- File libtest.c

    #include <stdio.h>

    void libtest() // just a simple library function
    {
        puts("libtest: calls the original puts()");
    }

22. Debugging external call
- Here is a simple CALL
23. Debugging external call
- Welcome to __TEXT,__symbol_stub1 - a set of JMP instructions, one for each imported function
24. Debugging external call
- Each such instruction jumps to the address stored in the corresponding cell of the __DATA,__la_symbol_ptr table
25. Procedure Linkage Table
- Welcome to __TEXT,__stub_helper - a PLT for Mach-O
- Remember which symbol requires the relocation
- Jump to __dyld_stub_binding_helper for the actual linking
26. Dynamic linker - dyld
- dyld writes the resolved address into the corresponding cell of __DATA,__la_symbol_ptr
27. Let's hook
28. Mach-O hook tool
- github.com/shoumikhin/Mach-O-Hook

    void *mach_hook_init(char const *library_filename, void const *library_address);
    mach_substitution mach_hook(void const *handle, char const *function_name, mach_substitution substitution);
    void mach_hook_free(void *handle);

- Just download it and run the test project!
29. Mach-O exploring (live demo)

    $ arch -x86_64 ./test
    libtest: calls the original puts()
    -----------------------------
    libtest: calls the original puts()
    HOOKED!
    -----------------------------
    libtest: calls the original puts()

30. Questions
- More at codeproject.com/members/shoumikhin
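The header, load_command and fat_header slides above describe the on-disk layout that otool -h prints; the following C program, an added example that is not part of the talk or of the Mach-O-Hook project, reads those structures from a byte buffer. It redefines the magic values and field offsets locally (so it builds without the macOS SDK), derives the byte order from the magic the way otool does, and treats every size and offset as untrusted: sizeofcmds, each cmdsize and each fat_arch offset/size are checked against the buffer before anything is read through them. The fat file it parses is constructed inline (an x86_64 and a ppc slice with two LC_UUID commands each) and is not a real binary; the struct and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Magic values from <mach-o/loader.h> and <mach-o/fat.h>, redefined so the example
 * builds without the macOS SDK. The MH_* values are what rd32(buf, 0) returns for the
 * first four bytes: MH_MAGIC* means the fields are little-endian, MH_CIGAM* big-endian. */
#define FAT_MAGIC   0xCAFEBABEu   /* fat header: always big-endian on disk */
#define MH_MAGIC    0xFEEDFACEu
#define MH_CIGAM    0xCEFAEDFEu
#define MH_MAGIC_64 0xFEEDFACFu
#define MH_CIGAM_64 0xCFFAEDFEu

struct mh_info {
    int is64, bigendian;
    uint32_t cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags;
    uint32_t cmds_walked;   /* load commands that passed the bounds checks */
};

/* Read a 32-bit value from the buffer in the given byte order. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
               : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Parse one thin image (the fields otool -h prints), then walk the load-command area.
 * Returns 0 on success, -1 if any field would take the walk outside the buffer. */
int parse_thin(const uint8_t *buf, size_t len, struct mh_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 28) return -1;                      /* smaller than struct mach_header */
    switch (rd32(buf, 0)) {
    case MH_MAGIC:    break;
    case MH_CIGAM:    out->bigendian = 1; break;
    case MH_MAGIC_64: out->is64 = 1; break;
    case MH_CIGAM_64: out->is64 = 1; out->bigendian = 1; break;
    default:          return -1;                  /* not a Mach-O image */
    }
    int be = out->bigendian;
    size_t hdr = out->is64 ? 32 : 28;             /* mach_header_64 adds a reserved field */
    if (len < hdr) return -1;
    out->cputype    = rd32(buf + 4, be);
    out->cpusubtype = rd32(buf + 8, be);
    out->filetype   = rd32(buf + 12, be);
    out->ncmds      = rd32(buf + 16, be);
    out->sizeofcmds = rd32(buf + 20, be);
    out->flags      = rd32(buf + 24, be);
    if (out->sizeofcmds > len - hdr) return -1;   /* command area runs past the file */
    size_t off = hdr, end = hdr + out->sizeofcmds;
    for (uint32_t i = 0; i < out->ncmds; i++) {
        if (end - off < 8) return -1;             /* no room for cmd + cmdsize */
        uint32_t cmdsize = rd32(buf + off + 4, be);
        /* cmdsize must cover the load_command header, keep pointer alignment and stay
         * inside sizeofcmds; otherwise the next iteration would read out of bounds. */
        if (cmdsize < 8 || cmdsize % (out->is64 ? 8 : 4) || cmdsize > end - off) return -1;
        off += cmdsize;
        out->cmds_walked++;
    }
    return 0;
}

/* Parse a fat file: each fat_arch slice is checked against the file size and against
 * its own mach_header. Returns the number of slices, or -1 on a malformed file. */
int parse_fat(const uint8_t *buf, size_t len, struct mh_info *slices, int max_slices) {
    if (len < 8 || rd32(buf, 1) != FAT_MAGIC) return -1;
    uint32_t nfat = rd32(buf + 4, 1);
    if (nfat > (uint32_t)max_slices || nfat > (len - 8) / 20) return -1; /* arch table must fit */
    for (uint32_t i = 0; i < nfat; i++) {
        const uint8_t *arch = buf + 8 + 20 * i;   /* struct fat_arch is 20 bytes */
        uint32_t offset = rd32(arch + 8, 1), size = rd32(arch + 12, 1);
        if (offset > len || size > len - offset) return -1;   /* slice outside the file */
        if (parse_thin(buf + offset, size, &slices[i]) != 0) return -1;
        if (slices[i].cputype != rd32(arch, 1)) return -1;   /* fat_arch disagrees with header */
    }
    return (int)nfat;
}

static void put32(uint8_t *p, uint32_t v, int big) {
    for (int i = 0; i < 4; i++) p[big ? 3 - i : i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample (not a real binary): a fat file with an x86_64 slice (little-endian,
 * mach_header_64) and a ppc slice (big-endian, mach_header), two LC_UUID commands each. */
size_t build_sample(uint8_t *buf) {
    /* fat_arch fields: cputype, cpusubtype, offset, size, align */
    const uint32_t archs[2][5] = { { 0x01000007u, 3, 256, 32 + 48, 12 },   /* CPU_TYPE_X86_64 */
                                   { 18,          0, 384, 28 + 48, 12 } }; /* CPU_TYPE_POWERPC */
    memset(buf, 0, 512);
    put32(buf, FAT_MAGIC, 1);
    put32(buf + 4, 2, 1);
    for (int a = 0; a < 2; a++) {
        for (int f = 0; f < 5; f++) put32(buf + 8 + 20 * a + 4 * f, archs[a][f], 1);
        int is64 = (a == 0), be = (a == 1);
        uint8_t *m = buf + archs[a][2];
        const uint32_t hdr[7] = { is64 ? MH_MAGIC_64 : MH_MAGIC, archs[a][0], archs[a][1],
                                  2 /* MH_EXECUTE */, 2 /* ncmds */, 48 /* sizeofcmds */, 0x85 };
        for (int f = 0; f < 7; f++) put32(m + 4 * f, hdr[f], be);
        uint8_t *lc = m + (is64 ? 32 : 28);
        for (int c = 0; c < 2; c++) {             /* LC_UUID = 0x1b, cmdsize 24 */
            put32(lc + 24 * c, 0x1b, be);
            put32(lc + 24 * c + 4, 24, be);
        }
    }
    return 512;
}

/* Same sample, but the x86_64 slice's sizeofcmds is inflated past the end of the file:
 * the kind of header field that pushes a parser without bounds checks out of the buffer. */
int demo_tampered(void) {
    uint8_t buf[512];
    struct mh_info s[2];
    size_t len = build_sample(buf);
    put32(buf + 256 + 20, 0x7fffffffu, 0);
    return parse_fat(buf, len, s, 2);             /* -1: rejected */
}

int main(void) {
    uint8_t buf[512];
    struct mh_info s[2];
    size_t len = build_sample(buf);
    int n = parse_fat(buf, len, s, 2);
    for (int i = 0; i < n; i++)
        printf("slice %d: cputype 0x%x %d-bit %s-endian filetype %u ncmds %u sizeofcmds %u flags 0x%08x\n",
               i, s[i].cputype, s[i].is64 ? 64 : 32, s[i].bigendian ? "big" : "little",
               s[i].filetype, s[i].ncmds, s[i].sizeofcmds, s[i].flags);
    printf("tampered sample: %d\n", demo_tampered());
    return 0;
}
```

Run against the constructed sample it reports two slices, the first 64-bit little-endian with cputype 0x1000007 and the second 32-bit big-endian with cputype 18, each with ncmds 2 and sizeofcmds 48; the tampered copy is rejected before its load commands are touched. The same checks apply unchanged to a real file read from disk, since every offset is validated against the buffer length rather than trusted from the header.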