def parse_prebound_dylib(self, lc):
dylib = readstring(self.f)
nmodules = get_int(self.f)
linked_modules = readstring(self.f)
if self.macho.is_little():
nmodules = little(nmodules, 'I')
lc.add_data('dylib', dylib)
lc.add_data('nmodules', nmodules)
lc.add_data('linked_modules', linked_modules)
self.macho.add_lc(lc)
def parsePreboundDylib(self, lc):
dylib = readstring(self._f)
self._f.read(lc.getSize() - (9 + len(dylib)))
lc.addData('dylib', dylib)
self._macho.addLC(lc)
def parse_prebound_dylib(self, lc):
dylib = readstring(self.f)
self.f.read(lc.size - (9 + len(dylib)))
lc.add_data('dylib', dylib)
self.macho.add_lc(lc)
def parsePreboundDylib(self, lc):
dylib = readstring(self._f)
self._f.read(lc.getSize() - (9 + len(dylib)))
lc.addData('dylib', dylib)
self._macho.addLC(lc)
def parse_linker_option(self, lc):
count = get_int(self.f)
if self.macho.is_little():
count = little(count, 'I')
linker_options = []
start = self.f.tell()
for i in range(count):
linker_option = readstring(self.f)
linker_options.append(linker_option)
length = self.f.tell() - start
self.f.read(lc.size - length - 12)
lc.add_data('count', count)
lc.add_data('linker_options', linker_options)
self.macho.add_lc(lc)
def parseLinkerOption(self, lc):
count = getInt(self._f)
if self._macho.isLittle():
count = little(count, 'I')
linker_options = []
start = self._f.tell()
for i in range(count):
linker_option = readstring(self._f)
linker_options.append(linker_option)
length = self._f.tell() - start
self._f.read(lc.getSize() - length - 12)
lc.addData('count', count)
lc.addData('linker_options', linker_options)
self._macho.addLC(lc)
def parse_linker_option(self, lc):
count = get_int(self.f)
if self.macho.is_little():
count = little(count, 'I')
linker_options = []
start = self.f.tell()
for i in range(count):
linker_option = readstring(self.f)
linker_options.append(linker_option)
length = self.f.tell() - start
self.f.read(lc.size - length - 12)
lc.add_data('count', count)
lc.add_data('linker_options', linker_options)
self.macho.add_lc(lc)
def parseLinkerOption(self, lc):
count = getInt(self._f)
if self._macho.isLittle():
count = little(count, 'I')
linker_options = []
start = self._f.tell()
for i in range(count):
linker_option = readstring(self._f)
linker_options.append(linker_option)
length = self._f.tell() - start
self._f.read(lc.getSize() - length - 12)
lc.addData('count', count)
lc.addData('linker_options', linker_options)
self._macho.addLC(lc)
def parse_codedirectory(self, signature, offset):
prev = self.f.tell()
true_offset = signature.offset + offset
self.f.seek(true_offset)
magic = get_int(self.f)
if magic != dictionary.signatures['CODEDIRECTORY']:
data = {
'offset': true_offset,
'magic': hex(magic),
'expected': hex(dictionary.signatures['CODEDIRECTORY'])
}
a = Abnormality(title='BAD MAGIC - CODEDIRECTORY', data=data)
self.add_abnormality(a)
self.f.seek(prev)
return
# Skip size
self.f.read(4)
version = get_int(self.f)
# Not sure how to parse flags yet...
flags = get_int(self.f)
hash_offset = get_int(self.f)
ident_offset = get_int(self.f)
n_special_slots = get_int(self.f)
n_code_slots = get_int(self.f)
code_limit = get_int(self.f)
hash_size = int(self.f.read(1).encode('hex'), 16)
hash_type = dictionary.hashes[int(self.f.read(1).encode('hex'), 16)]
if version >= 0x20200:
platform = int(self.f.read(1).encode('hex'), 16)
else:
# Skip spare1
self.f.read(1)
page_size = int(round(exp(int(self.f.read(1).encode('hex'),
16) * log(2))))
# Skip spare2
self.f.read(4)
if version >= 0x20100:
scatter_offset = get_int(self.f)
if version >= 0x20200:
team_id_offset = get_int(self.f)
self.f.seek(true_offset + team_id_offset)
team_id = readstring(self.f)
self.f.seek(true_offset + ident_offset)
identity = readstring(self.f)
codedirectory = CodeDirectory(version=version, flags=flags,
hash_offset=hash_offset,
n_special_slots=n_special_slots,
n_code_slots=n_code_slots,
code_limit=code_limit,
hash_size=hash_size, hash_type=hash_type,
page_size=page_size, identity=identity)
if version >= 0x20100:
codedirectory.scatter_offset = scatter_offset
if version >= 0x20200:
codedirectory.platform = platform
codedirectory.team_id_offset = team_id_offset
codedirectory.team_id = team_id
self.f.seek(true_offset + hash_offset - n_special_slots * hash_size)
count = n_special_slots + n_code_slots
while count > 0:
hash = self.f.read(hash_size).encode('hex')
codedirectory.add_hash(hash)
count -= 1
signature.codedirectory = codedirectory
self.f.seek(prev)
def parse_imports_and_strings(self, macho):
prev = self.f.tell()
true_offset = macho.offset + macho.strtab.offset
if macho.has_flag('TWOLEVEL'):
for i in macho.symtab.gen_syms():
if i.is_imp():
self.f.seek(true_offset + i.index)
if ((self.f.tell() > (true_offset +
macho.strtab.size)) or
(self.f.tell() > self.file.size)):
data = {
'offset': self.f.tell(),
'strtab_offset': true_offset,
'strtab_size': macho.strtab.size,
'file_size': self.file.size
}
a = Abnormality(title='BAD STRING INDEX', data=data)
self.add_abnormality(a)
continue
func = readstring(self.f)
if i.dylib == 0:
dylib = 'SELF_LIBRARY'
elif i.dylib <= len(macho.dylibs):
dylib = macho.dylibs[i.dylib - 1]
elif i.dylib == 254:
dylib = 'DYNAMIC_LOOKUP'
elif i.dylib == 255:
dylib = 'EXECUTABLE'
else:
data = {
'dylib': i.dylib,
'dylib_len': len(macho.dylibs)
}
a = Abnormality(title='DYLIB OUT OF RANGE', data=data)
self.add_abnormality(a)
dylib = str(i.dylib) + ' (OUT OF RANGE)'
imp = FunctionImport(func=func, dylib=dylib)
macho.add_import(imp)
else:
self.f.seek(true_offset + i.index)
if ((self.f.tell() > (true_offset +
macho.strtab.size)) or
(self.f.tell() > self.file.size)):
data = {
'offset': self.f.tell(),
'strtab_offset': true_offset,
'strtab_size': macho.strtab.size,
'file_size': self.file.size
}
a = Abnormality(title='BAD STRING INDEX', data=data)
self.add_abnormality(a)
continue
string = readstring(self.f)
if string != '':
macho.strtab.add_string(string)
else:
for i in macho.symtab.gen_syms():
if i.is_imp():
self.f.seek(true_offset + i.index)
if self.f.tell() > (true_offset +
macho.strtab.size):
data = {
'offset': self.f.tell(),
'strtab_offset': true_offset,
'strtab_size': macho.strtab.size
}
a = Abnormality(title='BAD STRING INDEX', data=data)
self.add_abnormality(a)
continue
func = readstring(self.f)
imp = FunctionImport(func=func)
macho.add_import(imp)
else:
self.f.seek(true_offset + i.index)
string = readstring(self.f)
if string != '':
macho.strtab.add_string(string)
self.f.seek(prev)
def parseImportsAndStrings(self, macho):
prev = self._f.tell()
true_offset = macho.getOffset() + macho.getStrTab().getOffset()
# blacklist = ('dyld_', '_OBJC_', '.objc_', '___stack_chk_')
if macho.hasFlag('TWOLEVEL'):
for i in macho.getSymTab().genSyms():
if i.isImp():
self._f.seek(true_offset + i.getIndex())
if ((self._f.tell() > (true_offset +
macho.getStrTab().getSize())) or
(self._f.tell() > self._file.getSize())):
data = {
'offset': self._f.tell(),
'strtab_offset': true_offset,
'strtab_size': macho.getStrTab().getSize(),
'file_size': self._file.getSize()
}
a = Abnormality(title='BAD STRING INDEX', data=data)
self.addAbnormality(a)
continue
func = readstring(self._f)
# if func.startswith(blacklist):
# continue
if i.getDylib() == 0:
dylib = 'SELF_LIBRARY'
elif i.getDylib() <= len(macho.getDylibs()):
dylib = macho.getDylibs()[i.getDylib() - 1]
elif i.getDylib() == 254:
dylib = 'DYNAMIC_LOOKUP'
elif i.getDylib() == 255:
dylib = 'EXECUTABLE'
else:
data = {
'dylib': i.getDylib(),
'dylib_len': len(macho.getDylibs())
}
a = Abnormality(title='DYLIB OUT OF RANGE', data=data)
self.addAbnormality(a)
dylib = str(i.getDylib()) + ' (OUT OF RANGE)'
imp = FunctionImport(func=func, dylib=dylib)
macho.addImport(imp)
else:
self._f.seek(true_offset + i.getIndex())
if ((self._f.tell() > (true_offset +
macho.getStrTab().getSize())) or
(self._f.tell() > self._file.getSize())):
data = {
'offset': self._f.tell(),
'strtab_offset': true_offset,
'strtab_size': macho.getStrTab().getSize(),
'file_size': self._file.getSize()
}
a = Abnormality(title='BAD STRING INDEX', data=data)
self.addAbnormality(a)
continue
string = readstring(self._f)
if string != '':
macho.getStrTab().addString(string)
else:
for i in macho.getSymTab().genSyms():
if i.isImp():
self._f.seek(true_offset + i.getIndex())
if self._f.tell() > (true_offset +
macho.getStrTab().getSize()):
data = {
'offset': self._f.tell(),
'strtab_offset': true_offset,
'strtab_size': macho.getStrTab().getSize()
}
a = Abnormality(title='BAD STRING INDEX', data=data)
self.addAbnormality(a)
continue
func = readstring(self._f)
imp = FunctionImport(func=func)
macho.addImport(imp)
else:
self._f.seek(true_offset + i.getIndex())
string = readstring(self._f)
if string != '':
macho.getStrTab().addString(string)
self._f.seek(prev)