Ejemplo n.º 1
0
    def parse_prebound_dylib(self, lc):
        dylib = readstring(self.f)
        nmodules = get_int(self.f)
        linked_modules = readstring(self.f)

        if self.macho.is_little():
            nmodules = little(nmodules, 'I')

        lc.add_data('dylib', dylib)
        lc.add_data('nmodules', nmodules)
        lc.add_data('linked_modules', linked_modules)

        self.macho.add_lc(lc)
Ejemplo n.º 2
0
    def parsePreboundDylib(self, lc):
        dylib = readstring(self._f)
        self._f.read(lc.getSize() - (9 + len(dylib)))

        lc.addData('dylib', dylib)

        self._macho.addLC(lc)
Ejemplo n.º 3
0
    def parse_prebound_dylib(self, lc):
        dylib = readstring(self.f)
        self.f.read(lc.size - (9 + len(dylib)))

        lc.add_data('dylib', dylib)

        self.macho.add_lc(lc)
Ejemplo n.º 4
0
    def parsePreboundDylib(self, lc):
        dylib = readstring(self._f)
        self._f.read(lc.getSize() - (9 + len(dylib)))

        lc.addData('dylib', dylib)

        self._macho.addLC(lc)
Ejemplo n.º 5
0
    def parse_linker_option(self, lc):
        count = get_int(self.f)
        if self.macho.is_little():
            count = little(count, 'I')
        linker_options = []
        start = self.f.tell()
        for i in range(count):
            linker_option = readstring(self.f)
            linker_options.append(linker_option)

        length = self.f.tell() - start
        self.f.read(lc.size - length - 12)

        lc.add_data('count', count)
        lc.add_data('linker_options', linker_options)

        self.macho.add_lc(lc)
Ejemplo n.º 6
0
    def parseLinkerOption(self, lc):
        count = getInt(self._f)
        if self._macho.isLittle():
            count = little(count, 'I')
        linker_options = []
        start = self._f.tell()
        for i in range(count):
            linker_option = readstring(self._f)
            linker_options.append(linker_option)

        length = self._f.tell() - start
        self._f.read(lc.getSize() - length - 12)

        lc.addData('count', count)
        lc.addData('linker_options', linker_options)

        self._macho.addLC(lc)
Ejemplo n.º 7
0
    def parse_linker_option(self, lc):
        count = get_int(self.f)
        if self.macho.is_little():
            count = little(count, 'I')
        linker_options = []
        start = self.f.tell()
        for i in range(count):
            linker_option = readstring(self.f)
            linker_options.append(linker_option)

        length = self.f.tell() - start
        self.f.read(lc.size - length - 12)

        lc.add_data('count', count)
        lc.add_data('linker_options', linker_options)

        self.macho.add_lc(lc)
Ejemplo n.º 8
0
    def parseLinkerOption(self, lc):
        count = getInt(self._f)
        if self._macho.isLittle():
            count = little(count, 'I')
        linker_options = []
        start = self._f.tell()
        for i in range(count):
            linker_option = readstring(self._f)
            linker_options.append(linker_option)

        length = self._f.tell() - start
        self._f.read(lc.getSize() - length - 12)

        lc.addData('count', count)
        lc.addData('linker_options', linker_options)

        self._macho.addLC(lc)
Ejemplo n.º 9
0
    def parse_codedirectory(self, signature, offset):
        prev = self.f.tell()
        true_offset = signature.offset + offset
        self.f.seek(true_offset)
        magic = get_int(self.f)
        if magic != dictionary.signatures['CODEDIRECTORY']:
            data = {
                'offset': true_offset,
                'magic': hex(magic),
                'expected': hex(dictionary.signatures['CODEDIRECTORY'])
            }
            a = Abnormality(title='BAD MAGIC - CODEDIRECTORY', data=data)
            self.add_abnormality(a)
            self.f.seek(prev)
            return
        # Skip size
        self.f.read(4)
        version = get_int(self.f)
        # Not sure how to parse flags yet...
        flags = get_int(self.f)
        hash_offset = get_int(self.f)
        ident_offset = get_int(self.f)
        n_special_slots = get_int(self.f)
        n_code_slots = get_int(self.f)
        code_limit = get_int(self.f)
        hash_size = int(self.f.read(1).encode('hex'), 16)
        hash_type = dictionary.hashes[int(self.f.read(1).encode('hex'), 16)]
        if version >= 0x20200:
            platform = int(self.f.read(1).encode('hex'), 16)
        else:
            # Skip spare1
            self.f.read(1)
        page_size = int(round(exp(int(self.f.read(1).encode('hex'),
                                      16) * log(2))))
        # Skip spare2
        self.f.read(4)
        if version >= 0x20100:
            scatter_offset = get_int(self.f)
        if version >= 0x20200:
            team_id_offset = get_int(self.f)
            self.f.seek(true_offset + team_id_offset)
            team_id = readstring(self.f)
        self.f.seek(true_offset + ident_offset)
        identity = readstring(self.f)
        codedirectory = CodeDirectory(version=version, flags=flags,
                                      hash_offset=hash_offset,
                                      n_special_slots=n_special_slots,
                                      n_code_slots=n_code_slots,
                                      code_limit=code_limit,
                                      hash_size=hash_size, hash_type=hash_type,
                                      page_size=page_size, identity=identity)
        if version >= 0x20100:
            codedirectory.scatter_offset = scatter_offset
        if version >= 0x20200:
            codedirectory.platform = platform
            codedirectory.team_id_offset = team_id_offset
            codedirectory.team_id = team_id
        self.f.seek(true_offset + hash_offset - n_special_slots * hash_size)
        count = n_special_slots + n_code_slots
        while count > 0:
            hash = self.f.read(hash_size).encode('hex')
            codedirectory.add_hash(hash)
            count -= 1

        signature.codedirectory = codedirectory
        self.f.seek(prev)
Ejemplo n.º 10
0
    def parse_imports_and_strings(self, macho):
        prev = self.f.tell()
        true_offset = macho.offset + macho.strtab.offset

        if macho.has_flag('TWOLEVEL'):
            for i in macho.symtab.gen_syms():
                if i.is_imp():
                    self.f.seek(true_offset + i.index)
                    if ((self.f.tell() > (true_offset +
                                           macho.strtab.size)) or
                            (self.f.tell() > self.file.size)):
                        data = {
                            'offset': self.f.tell(),
                            'strtab_offset': true_offset,
                            'strtab_size': macho.strtab.size,
                            'file_size': self.file.size
                        }
                        a = Abnormality(title='BAD STRING INDEX', data=data)
                        self.add_abnormality(a)
                        continue
                    func = readstring(self.f)
                    if i.dylib == 0:
                        dylib = 'SELF_LIBRARY'
                    elif i.dylib <= len(macho.dylibs):
                        dylib = macho.dylibs[i.dylib - 1]
                    elif i.dylib == 254:
                        dylib = 'DYNAMIC_LOOKUP'
                    elif i.dylib == 255:
                        dylib = 'EXECUTABLE'
                    else:
                        data = {
                            'dylib': i.dylib,
                            'dylib_len': len(macho.dylibs)
                        }
                        a = Abnormality(title='DYLIB OUT OF RANGE', data=data)
                        self.add_abnormality(a)
                        dylib = str(i.dylib) + ' (OUT OF RANGE)'
                    imp = FunctionImport(func=func, dylib=dylib)
                    macho.add_import(imp)
                else:
                    self.f.seek(true_offset + i.index)
                    if ((self.f.tell() > (true_offset +
                                           macho.strtab.size)) or
                            (self.f.tell() > self.file.size)):
                        data = {
                            'offset': self.f.tell(),
                            'strtab_offset': true_offset,
                            'strtab_size': macho.strtab.size,
                            'file_size': self.file.size
                        }
                        a = Abnormality(title='BAD STRING INDEX', data=data)
                        self.add_abnormality(a)
                        continue
                    string = readstring(self.f)
                    if string != '':
                        macho.strtab.add_string(string)
        else:
            for i in macho.symtab.gen_syms():
                if i.is_imp():
                    self.f.seek(true_offset + i.index)
                    if self.f.tell() > (true_offset +
                                         macho.strtab.size):
                        data = {
                            'offset': self.f.tell(),
                            'strtab_offset': true_offset,
                            'strtab_size': macho.strtab.size
                        }
                        a = Abnormality(title='BAD STRING INDEX', data=data)
                        self.add_abnormality(a)
                        continue
                    func = readstring(self.f)
                    imp = FunctionImport(func=func)
                    macho.add_import(imp)
                else:
                    self.f.seek(true_offset + i.index)
                    string = readstring(self.f)
                    if string != '':
                        macho.strtab.add_string(string)

        self.f.seek(prev)
Ejemplo n.º 11
0
    def parseImportsAndStrings(self, macho):
        prev = self._f.tell()
        true_offset = macho.getOffset() + macho.getStrTab().getOffset()

        # blacklist = ('dyld_', '_OBJC_', '.objc_', '___stack_chk_')

        if macho.hasFlag('TWOLEVEL'):
            for i in macho.getSymTab().genSyms():
                if i.isImp():
                    self._f.seek(true_offset + i.getIndex())
                    if ((self._f.tell() > (true_offset +
                                           macho.getStrTab().getSize())) or
                            (self._f.tell() > self._file.getSize())):
                        data = {
                            'offset': self._f.tell(),
                            'strtab_offset': true_offset,
                            'strtab_size': macho.getStrTab().getSize(),
                            'file_size': self._file.getSize()
                        }
                        a = Abnormality(title='BAD STRING INDEX', data=data)
                        self.addAbnormality(a)
                        continue
                    func = readstring(self._f)
                    # if func.startswith(blacklist):
                    #    continue
                    if i.getDylib() == 0:
                        dylib = 'SELF_LIBRARY'
                    elif i.getDylib() <= len(macho.getDylibs()):
                        dylib = macho.getDylibs()[i.getDylib() - 1]
                    elif i.getDylib() == 254:
                        dylib = 'DYNAMIC_LOOKUP'
                    elif i.getDylib() == 255:
                        dylib = 'EXECUTABLE'
                    else:
                        data = {
                            'dylib': i.getDylib(),
                            'dylib_len': len(macho.getDylibs())
                        }
                        a = Abnormality(title='DYLIB OUT OF RANGE', data=data)
                        self.addAbnormality(a)
                        dylib = str(i.getDylib()) + ' (OUT OF RANGE)'
                    imp = FunctionImport(func=func, dylib=dylib)
                    macho.addImport(imp)
                else:
                    self._f.seek(true_offset + i.getIndex())
                    if ((self._f.tell() > (true_offset +
                                           macho.getStrTab().getSize())) or
                            (self._f.tell() > self._file.getSize())):
                        data = {
                            'offset': self._f.tell(),
                            'strtab_offset': true_offset,
                            'strtab_size': macho.getStrTab().getSize(),
                            'file_size': self._file.getSize()
                        }
                        a = Abnormality(title='BAD STRING INDEX', data=data)
                        self.addAbnormality(a)
                        continue
                    string = readstring(self._f)
                    if string != '':
                        macho.getStrTab().addString(string)
        else:
            for i in macho.getSymTab().genSyms():
                if i.isImp():
                    self._f.seek(true_offset + i.getIndex())
                    if self._f.tell() > (true_offset +
                                         macho.getStrTab().getSize()):
                        data = {
                            'offset': self._f.tell(),
                            'strtab_offset': true_offset,
                            'strtab_size': macho.getStrTab().getSize()
                        }
                        a = Abnormality(title='BAD STRING INDEX', data=data)
                        self.addAbnormality(a)
                        continue
                    func = readstring(self._f)
                    imp = FunctionImport(func=func)
                    macho.addImport(imp)
                else:
                    self._f.seek(true_offset + i.getIndex())
                    string = readstring(self._f)
                    if string != '':
                        macho.getStrTab().addString(string)

        self._f.seek(prev)