Upload File

mach-o internals

Download Mach-O Internals

If you can't read please download the document

Upload: anthony-shoumikhin

Post on 22-Jun-2015

4.421 views

Category:

Technology


1 download

Report

TRANSCRIPT

  • 1. Mach-O Internals
    • Anthony Shoumikhin
  • 2. http://shoumikh.in

3. Agenda

  • Program linking and loading on Mac OS X

4. Mach-O structure 5. Dynamic linking details 6. Run-time hooking 7. Compiling

  • Converting human-readable text file to Mach-O binary
  • Preprocessing

8. Generating assembler 9. Assembling to object file 10. Compiling

  • clang -c test.c
  • clang -E# Preprocess, but don't compile

11. clang -S# Compile, but don't assemble 12. clang -c# Asseble, but don't link Object file (Mach-O format) 13. Object file

  • Generated by ld
  • Header information

14. Object code 15. Relocation 16. Symbols 17. Debugging info 18. Symbols in object files

  • Calls in code
  • Defined functions

19. Undefined functions References to static data

  • Defined variables

20. Undefined variables 21. Linking

  • Process of resolving of undifined symbols

22. Linking

  • ld just converts Mach-O files of one type to another

23. Executables and dynamic-linked Mach-O have no undefined symbols 24. Dynamic-linked library

  • A complete Mach-O file without startup code

25. Used to be linked against like any other object file during linking by ld, but does not become a part of executable 26. Could be loaded on executable startup or manually in code at any moment 27. Loading

  • Transferring of Mach-O file into process memory

28. Process memory layout Arguments & environment Stack unused memory Heap Uninitialized data Initialized data Text 29. File mapping into memory

  • Code maps readonly

30. Data maps copy-on-write 31. Introducing Mach-O 32. File layout 33. otool CLI exploring

  • man otool

34. -v (verbose) rulez $ otool -h Example.app/Contents/MacOS/Example Example.app/Contents/MacOS/Example(architecture i386): Mach header magic cputype cpusubtypecapsfiletypencmds sizeofcmds flags 0xFEEDFACE 7 3 0x00219 23560x00000085 Example.app/Contents/MacOS/Example (architecture ppc): Mach header magic cputype cpusubtypecapsfiletypencmds sizeofcmds flags 0xFEEDFACE 18 0 0x00217 24120x00000085 35. Mach-O View GUI advantages http://sourceforge.net/projects/machoview 36. Header struct mach_header { uint32_t magic; cpu_type_t cputype; cpu_subtype_t cpusubtype; uint32_t filetype; uint32_t ncmds; uint32_t sizeofcmds; uint32_t flags; }; 37. Load Commands x32 x64 38. Example - LC_SYMTAB struct load_command { uint32_t cmd; uint32_t cmdsize; //custom fields }; 39. Introducing Fat Mach-O

  • Several Mach-O of different target architecture in one
  • struct fat_header

40. { 41. uint32_t magic;//0xCAFEBABE 42. uint32_t nfat_arch; 43. }; 44. struct fat_arch 45. { cpu_type_t cputype; 46. cpu_subtype_t cpusubtype; 47. uint32_t offset; 48. uint32_t size; 49. uint32_t align; 50. }; 51. Let's explore dynamic linking

  • Test bed
  • File test.c

52. void libtest();//from libtest.dylib int main() { libtest();//calls puts() from libSystem.B.dylib return 0; } 53. File libtest.c #include void libtest()//just a simple library function { puts("libtest: calls the original puts()"); } 54. Debugging external call

  • Here is a simple CALL

55. Debugging external call

  • Welcome to __TEXT, __symbol_stub1 - a set of JMP instructions for each imported function

56. Debugging external call

  • Each such instruction performs a jump to the address that is defined in the corresponding cell of the __DATA, __la_symbol_ptr table

57.

  • Procedure Linkage Table
  • Welcome to __TEXT, __stub_helper - a PLT for Mach-O
  • remember which symbol requires the relocation

58. jump to __dyld_stub_binding_helper for actual linking 59. Dynamic linker - dyld

  • dyld changes the corresponding cell in __DATA, __la_symbol_ptr

60. Let's hook 61. Mach-O hook tool

  • github.com/shoumikhin/Mach-O-Hook
  • void * mach_hook_init ( char const * library_filename , void const * library_address );

62. mach_substitutionmach_hook ( void const * handle , char const * function_name , mach_substitutionsubstitution ); 63. voidmach_hook_free (void * handle ); Just download it and run the test project! 64. Mach-O exploring (live demo)

  • $ arch -x86_64 ./test

65. libtest: calls the original puts() 66. ----------------------------- 67. libtest: calls the original puts() 68. HOOKED! 69. ----------------------------- 70. libtest: calls the original puts() 71. Questions

  • More at codeproject.com/members/shoumikhin

Andsec Reversing on Mach-o File

Let Your Mach-O Fly, Black Hat DC 2009

SQL Server Performance Tuning Master Classsqlmaestros.com/resources/PerfTuning_brochure_IP.pdf• Database Structure Internals • Data File Internals • TempD Internals Module 4:

Exercise1:!Flow!Models,!Mach!Number!and!Mach!Wave! · 2015. 2. 23. · Aerodynamic,II,.,Exercise,1:!Mach!Number!and!Mach!Wave! 1!! Exercise1:!Flow!Models,!Mach!Number!and!Mach!Wave!

Mach-o Malware Analysis: Combatting Mac OSX/iOS Malware ...€¦ · Mach-O Viz does this in 2 ways: a) !By detecting network domains, ip addresses, urls & web protocols embedded in

SpamCheetah internals

Slide 1 Misunderstandings About Oracle Internals The Cost of Oracle Logical I/O Calls

Android Internals

trustkit - Black Hat | Home€¦ · Dylibs on iOS 8 • A dynamic library dependency is created in the Mach-O binary in a “load command” structure • Mach-O is the binary file

MACH c/o EUREKA S.p.A. · 2018. 2. 16. · MACH c/o EUREKA S.p.A. Viale dell'Artigianato 30/32 35013 Cittadella PD ITALY tel +39 049 9481800 fax +39 049 9481899 [email protected]

Git internals

F MACH I MACH II FG MACH I / MACH IIA - Duro … · F MACH I MACH IIFG MACH I / MACH IIAA. ... this machine as outlined in Manufacturer’s Safety Data Sheet ... 17257 Vibrator Support

Mach-O Internals · gcc in userland. 27/31. Endian nightmares! Mach-O does not have a uniform endianness like PE (Windows). This makes sense from a historical perspective (both NeXTSTEP

Google I/O: Exploring Chrome Internals

Mach-O Programming Topics

Infecting the Mach-o Object Format By Neil Archibald

Roadsec 2016 Mach-o A New Threat

Mach 1 Mach 1.C Mach 1 - Lightspeed Aviation · Mach 1 Mach 1.C Mach 1.S www .lig htspe eda via tio n.co m 8 0 .3 24 1 USERGUIDE Mach 1 ... Replacing The Disk Battery A disk battery

Mach-O Runtime Architecturemath-atlas.sourceforge.net/devel/assembly/MachORuntime.pdf · “Mach-O File Format Reference” (page 47) describes the layout of the Mach-O file format,

Windows Kernel Internals I/O Architecture

2 3 Pegasus Internals - PUT.AS · December 27-30, 2016 33с3 About me 1 2 3 4 5 6 7 8 9 10 11 12 o Kiev, Ukraine o Staff Security Researcher at Lookout o XNU, Linux and LLVM internals

Solaris Internals

Mac OS X ABI Mach-O File Format Reference - … · Mac OS X ABI Mach-O File Format Reference 7 Figure 1 Mach-O file format basic structure 8 Table 1 The sections of a __TEXT segment

Bsides SP 2015 - Mach-O - A New Threat

DirectFBDirectFB Internals Internals --ThinThings You Need

Google I/O: Exploring Chrome Internals - Huihoo

Twig internals - Maksym MoskvychevTwig internals maksym moskvychev

Infecting the Mach-o Object Format

USENIX 2001, Boston, Ma. Solaris Internals Solaris Internals

linux internals

1200 Reactor Internals - raschig.de - Reactor Internals/Info... · Internals with a majority of these internals belonging to the Hydroprocessing class of internals as well as other

1 UNIX Internals – The New Frontiers Device Drivers and I/O

MySQL Internals Manual - KAMBING.ui.ac.idkambing.ui.ac.id/.../mysql/internals-en.pdf · MySQL Internals Manual - KAMBING.ui.ac.id ... 4

Exchange Internals

Javascript Internals