🔬 A Swift library for parsing mach-o files to obtain various information.
p-x9/MachOKit
Library for parsing MachO files to obtain various information.
In addition to file reading, parsing of images in memory by `_dyld_get_image_header` is also supported.
- parse load commands
- symbol list
- get all cstrings
- rebase operations
- binding operations
- export tries
- ...
For reading from memory, use the `MachOImage` structure.
It can be initialized by using the Mach-O Header pointer obtained by `_dyld_get_image_header`.

```swift
guard let mh = _dyld_get_image_header(0) else { return }
let machO = MachOImage(ptr: mh)
```

Alternatively, it can be initialized using the name.

```swift
// /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
guard let machO = MachOImage(name: "Foundation") else { return }
```
For reading from file, use the `MachOFile` structure.
Reading from a file can be done as follows. The input may be either a Fat file or a single MachO file, so a conditional branch is required.

```swift
import Foundation
import MachOKit

let path = "Path to MachO file"
// A file-system path needs a file URL; URL(string:) would return an optional
let url = URL(fileURLWithPath: path)
let file = try MachOKit.loadFromFile(url: url)

switch file {
case .machO(let machOFile): // single MachO file
    print(machOFile)
case .fat(let fatFile): // Fat file
    let machOFiles = try fatFile.machOFiles()
    print(machOFiles)
}
```
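What the Fat / single-file branch above decides, shown at the byte level as an added Python example (not MachOKit code and not from the project): it reads the magic, walks each slice's load commands, and rejects length fields that point outside the buffer. The sample bytes and the names `parse`, `parse_thin`, `THIN_SAMPLE` and `FAT_SAMPLE` are constructed for illustration.

```python
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # fat header fields are big-endian
# Magic read little-endian -> (byte order of the slice, mach_header size)
THIN = {0xFEEDFACE: ("<", 28), 0xFEEDFACF: ("<", 32),
        0xCEFAEDFE: (">", 28), 0xCFFAEDFE: (">", 32)}

def parse_thin(data):
    """Parse one Mach-O slice; every length field is checked against the buffer."""
    magic = struct.unpack_from("<I", data)[0] if len(data) >= 28 else None
    if magic not in THIN:
        raise ValueError("truncated header or not a Mach-O slice")
    order, off = THIN[magic]                       # off starts just past the header
    cputype, _, filetype, ncmds, sizeofcmds = struct.unpack_from(order + "5I", data, 4)
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of slice")
    cmds = []
    for _ in range(ncmds):
        # (0, 0) forces the error below when ncmds does not fit in sizeofcmds
        cmd, cmdsize = struct.unpack_from(order + "2I", data, off) if off + 8 <= end else (0, 0)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad load command at offset {off}")
        cmds.append(cmd)
        off += cmdsize
    return {"cputype": cputype, "filetype": filetype, "ncmds": ncmds, "cmds": cmds}

def parse(data):
    """Return one dict per slice: a single-element list for a non-fat file."""
    if len(data) < 8:
        raise ValueError("file too short")
    magic, nfat = struct.unpack_from(">2I", data)
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        return [parse_thin(data)]
    fmt = ">2I2Q2I" if magic == FAT_MAGIC_64 else ">5I"   # fat_arch_64 / fat_arch
    step, slices = struct.calcsize(fmt), []
    for i in range(nfat):
        if 8 + (i + 1) * step > len(data):
            raise ValueError("truncated fat_arch table")
        offset, size = struct.unpack_from(fmt, data, 8 + i * step)[2:4]
        if offset + size > len(data):
            raise ValueError("fat slice lies outside the file")
        slices.append(parse_thin(data[offset:offset + size]))
    return slices

# Constructed samples: arm64 executable with LC_SEGMENT_64 (0x19) and LC_UUID (0x1b)
THIN_SAMPLE = (struct.pack("<8I", 0xFEEDFACF, 0x0100000C, 0, 2, 2, 96, 0, 0)
               + struct.pack("<2I", 0x19, 72) + bytes(64)
               + struct.pack("<2I", 0x1B, 24) + bytes(16))
FAT_SAMPLE = struct.pack(">7I", FAT_MAGIC, 1, 0x0100000C, 0, 28, len(THIN_SAMPLE), 0) + THIN_SAMPLE
```

`0xCAFEBABE` is also the magic of Java class files, so a Fat magic alone does not prove the input is a Mach-O; the per-slice checks reject that case.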
Both `MachOImage` and `MachOFile` can use essentially the same properties and methods. The available methods are defined in the `MachORepresentable` protocol.
Loading of `dyld_shared_cache` is also supported.
The available methods are defined in the `DyldCacheRepresentable` protocol.

```swift
let path = "/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e"
let url = URL(fileURLWithPath: path)
let cache = try! DyldCache(url: url)
```
It is also possible to extract machO information contained in `dyld_shared_cache`. The machO extracted is of type `MachOFile`. As with reading from a single MachO file, various analyses are possible.

```swift
let machOs = cache.machOFiles()
for machO in machOs {
    print(
        String(machO.headerStartOffsetInCache, radix: 16),
        machO.imagePath,
        machO.header.ncmds
    )
}
// 5c000 /usr/lib/libobjc.A.dylib 22
// 98000 /usr/lib/dyld 15
// 131000 /usr/lib/system/libsystem_blocks.dylib 24
// ...
```
On the Apple platform, the dyld cache is deployed in memory.

```swift
var size = 0
guard let ptr = _dyld_get_shared_cache_range(&size) else { return }
let cache = try! DyldCacheLoaded(ptr: ptr)
```
It is also possible to extract machO information contained in `dyld_shared_cache`. The machO extracted is of type `MachOImage`. As with reading from a single MachO image, various analyses are possible.

```swift
let machOs = cache.machOImages()
for machO in machOs {
    print(
        String(Int(bitPattern: machO.ptr), radix: 16),
        machO.path!,
        machO.header.ncmds
    )
}
// 193438000 /usr/lib/libobjc.A.dylib 24
// 193489000 /usr/lib/dyld 15
// 193513000 /usr/lib/system/libsystem_blocks.dylib 24
// ...
```
There are a variety of uses; basic examples that print their output are provided in the Test directory.
The following files contain sample code:
- MachOPrintTests
- MachOFilePrintTests
- DyldCachePrintTests
- DyldCacheLoadedPrintTests
- MachOKitSPM: Pre-built version of MachOKit
- SwiftHook: ⚓️ A Swift Library for hooking swift methods and functions.
- FishHook: Re-implementation of facebook/fishhook with Swift using MachOKit
- AntiFishHook: A Swift library to deactivate fishhook. (Anti-FishHook)
- ELFKit: Elf format
MachOKit is released under the MIT License. See LICENSE