ionicons-v5-d 0.15.0-33703bc4
Last updated on 29/06/2024, 05:15:37.

MachO

Parser

class Parser : public LIEF::Parser

The main interface to parse a Mach-O binary.

This class is used to parse both Fat & non-Fat binary. Non-fat binaries are considerated as a fat with only one architecture. This is why MachO::Parser::parse outputs a FatBinary object.

Public Functions

Parser &operator=(const Parser &copy) = delete
Parser(const Parser &copy) = delete
virtual ~Parser() override

Public Static Functions

static std::unique_ptr<FatBinary> parse(const std::string &filename, const ParserConfig &conf = ParserConfig::deep())

Parse a Mach-O file from the path provided by the filename parameter.

The conf parameter can be used to tweak the configuration of the parser

Parameters:
static std::unique_ptr<FatBinary> parse(const std::vector<uint8_t> &data, const ParserConfig &conf = ParserConfig::deep())

Parse a Mach-O file from the raw content provided by the data parameter.

The conf parameter can be used to tweak the configuration of the parser

Parameters:
static std::unique_ptr<FatBinary> parse(std::unique_ptr<BinaryStream> stream, const ParserConfig &conf = ParserConfig::deep())

Parser a Mach-O binary from the provided BinaryStream.

static std::unique_ptr<FatBinary> parse_from_memory(uintptr_t address, const ParserConfig &conf = ParserConfig::deep())

Parse the Mach-O binary from the address given in the first parameter.

static std::unique_ptr<FatBinary> parse_from_memory(uintptr_t address, size_t size, const ParserConfig &conf = ParserConfig::deep())

Parse the Mach-O binary from the address given in the first parameter and the size given in the second parameter.

class BinaryParser : public LIEF::Parser

Class used to parse a single binary (i.e. non-FAT)

See also

MachO::Parser

Warning

This class should not be directly used.

Public Functions

BinaryParser &operator=(const BinaryParser &copy) = delete
BinaryParser(const BinaryParser &copy) = delete
~BinaryParser() override

Public Static Functions

static std::unique_ptr<Binary> parse(const std::string &file)
static std::unique_ptr<Binary> parse(const std::string &file, const ParserConfig &conf)
static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &data, const ParserConfig &conf = ParserConfig::deep())
static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &data, uint64_t fat_offset, const ParserConfig &conf = ParserConfig::deep())
static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream, uint64_t fat_offset, const ParserConfig &conf)

Friends

friend class MachO::Parser
struct ParserConfig

This structure is used to tweak the MachO Parser (MachO::Parser)

Public Functions

ParserConfig &full_dyldinfo(bool flag)

If flag is set to true, Exports, Bindings and Rebases opcodes are parsed.

Warning

Enabling this flag can slow down the parsing

Public Members

bool parse_dyld_exports = true

Parse the Dyld export trie.

bool parse_dyld_bindings = true

Parse the Dyld binding opcodes.

bool parse_dyld_rebases = true

Parse the Dyld rebase opcodes.

bool parse_overlay = true

Whether the overlay data should be parsed.

bool fix_from_memory = false

When parsing Mach-O from memory, this option can be used to undo relocations and symbols bindings.

When activated, this option requires parse_dyld_bindings and parse_dyld_rebases to be enabled.

Public Static Functions

static ParserConfig deep()

Return a parser configuration such as all the objects supported by LIEF are parsed.

static ParserConfig quick()

Return a configuration to parse the most important MachO structures.

FatBinary

class FatBinary

Class which represent a Mach-O (fat) binary This object is also used for representing Mach-O binaries that are NOT FAT

Public Types

using binaries_t = std::vector<std::unique_ptr<Binary>>

Internal containter used to store Binary objects within a Fat Mach-O.

using it_binaries = ref_iterator<binaries_t&, Binary*>

Iterator that outputs Binary&.

using it_const_binaries = const_ref_iterator<const binaries_t&, Binary*>

Iterator that outputs const Binary&.

Public Functions

FatBinary(const FatBinary&) = delete
FatBinary &operator=(const FatBinary&) = delete
virtual ~FatBinary()
inline size_t size() const

Number of MachO::Binary wrapped by this object.

inline bool empty() const

Checks whether this object contains MachO::Binary.

inline it_binaries begin()
inline it_const_binaries begin() const
inline it_binaries end()
inline it_const_binaries end() const
void release_all_binaries()
std::unique_ptr<Binary> pop_back()

Get a pointer to the last MachO::Binary object presents in this Fat Binary. It returns a nullptr if no binary are present.

Binary *at(size_t index)

Get a pointer to the MachO::Binary specified by the index. It returns a nullptr if the binary does not exist at the given index.

const Binary *at(size_t index) const
Binary *back()
const Binary *back() const
Binary *front()
const Binary *front() const
inline Binary *operator[](size_t index)
inline const Binary *operator[](size_t index) const
std::unique_ptr<Binary> take(size_t index)

Extract a MachO::Binary object. Gives ownership to the caller, and remove it from this FatBinary object.

Warning

: this invalidates any previously hold iterator!

std::unique_ptr<Binary> take(Header::CPU_TYPE cpu)

Take the underlying MachO::Binary that matches the given architecture If no binary with the architecture can be found, return a nullptr.

void write(const std::string &filename)

Reconstruct the Fat binary object and write it in filename

Parameters:

filename – Path to write the reconstructed binary

std::vector<uint8_t> raw()

Reconstruct the Fat binary object and return his content as bytes.

Friends

friend class LIEF::Parser
friend std::ostream &operator<<(std::ostream &os, const FatBinary &fatbinary)

Binary

class Binary : public LIEF::Binary

Class which represents a MachO binary.

Public Types

using commands_t = std::vector<std::unique_ptr<LoadCommand>>

Internal container for storing Mach-O LoadCommand.

using it_commands = ref_iterator<commands_t&, LoadCommand*>

Iterator that outputs LoadCommand&.

using it_const_commands = const_ref_iterator<const commands_t&, LoadCommand*>

Iterator that outputs const LoadCommand&.

using symbols_t = std::vector<std::unique_ptr<Symbol>>

Internal container for storing Mach-O Symbol.

using it_symbols = ref_iterator<symbols_t&, Symbol*>

Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&, const Symbol*>

Iterator that outputs const Symbol&.

using it_exported_symbols = filter_iterator<symbols_t&, Symbol*>

Iterator that outputs exported Symbol&.

using it_const_exported_symbols = const_filter_iterator<const symbols_t&, const Symbol*>

Iterator that outputs exported const Symbol&.

using it_imported_symbols = filter_iterator<symbols_t&, Symbol*>

Iterator that outputs imported Symbol&.

using it_const_imported_symbols = const_filter_iterator<const symbols_t&, const Symbol*>

Iterator that outputs imported const Symbol&.

using sections_cache_t = std::vector<Section*>

Internal container for caching Mach-O Section.

using it_sections = ref_iterator<sections_cache_t&>

Iterator that outputs Section&.

using it_const_sections = const_ref_iterator<const sections_cache_t&>

Iterator that outputs const Section&.

using segments_cache_t = std::vector<SegmentCommand*>

Internal container for storing Mach-O SegmentCommand.

using it_segments = ref_iterator<segments_cache_t&>

Iterator that outputs SegmentCommand&.

using it_const_segments = const_ref_iterator<const segments_cache_t&>

Iterator that outputs const SegmentCommand&.

using libraries_cache_t = std::vector<DylibCommand*>

Internal container for storing Mach-O DylibCommand.

using it_libraries = ref_iterator<libraries_cache_t&>

Iterator that outputs DylibCommand&.

using it_const_libraries = const_ref_iterator<const libraries_cache_t&>

Iterator that outputs const DylibCommand&.

using fileset_binaries_t = std::vector<std::unique_ptr<Binary>>

Internal container for storing Mach-O Fileset Binary.

using it_fileset_binaries = ref_iterator<fileset_binaries_t&, Binary*>

Iterator that outputs Binary&.

using it_const_fileset_binaries = const_ref_iterator<const fileset_binaries_t&, Binary*>

Iterator that outputs const Binary&.

using relocations_t = std::set<Relocation*, KeyCmp>

Internal container that store all the relocations found in a Mach-O. The relocations are actually owned by Section & SegmentCommand and these references are used for convenience.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator which outputs const Relocation&.

using it_rpaths = filter_iterator<commands_t&, RPathCommand*>

Iterator which outputs RPathCommand&.

using it_const_rpaths = const_filter_iterator<const commands_t&, const RPathCommand*>

Iterator which outputs const RPathCommand&.

Public Functions

Binary(const Binary&) = delete
Binary &operator=(const Binary&) = delete
inline Header &header()

Return a reference to the MachO::Header.

inline const Header &header() const
inline it_commands commands()

Return an iterator over the MachO LoadCommand present in the binary.

inline it_const_commands commands() const
inline it_fileset_binaries filesets()

Return an iterator over the MachO::Binary associated with the LoadCommand::TYPE::FILESET_ENTRY commands.

inline it_const_fileset_binaries filesets() const
inline it_symbols symbols()

Return binary’s symbols .

inline it_const_symbols symbols() const
inline bool has_symbol(const std::string &name) const

Check if a symbol with the given name exists.

const Symbol *get_symbol(const std::string &name) const

Return Symbol from the given name. If the symbol does not exists, it returns a null pointer.

Symbol *get_symbol(const std::string &name)
inline it_exported_symbols exported_symbols()

Return binary’s exported symbols (iterator over LIEF::MachO::Symbol)

inline it_const_exported_symbols exported_symbols() const
inline it_imported_symbols imported_symbols()

Return binary’s imported symbols (iterator over LIEF::MachO::Symbol)

inline it_const_imported_symbols imported_symbols() const
inline it_libraries libraries()

Return binary imported libraries (MachO::DylibCommand)

inline it_const_libraries libraries() const
inline it_segments segments()

Return an iterator over the SegmentCommand.

inline it_const_segments segments() const
inline it_sections sections()

Return an iterator over the MachO::Section.

inline it_const_sections sections() const
it_relocations relocations()

Return an iterator over the MachO::Relocation.

it_const_relocations relocations() const
virtual void write(const std::string &filename) override

Reconstruct the binary object and write the result in the given filename

Parameters:

filename – Path to write the reconstructed binary

virtual void write(std::ostream &os) override

Reconstruct the binary object and write the result in the given os stream.

Parameters:

os – Output stream to write the reconstructed binary

std::vector<uint8_t> raw()

Reconstruct the binary object and return its content as bytes.

bool has(LoadCommand::TYPE type) const

Check if the current binary has the given MachO::LoadCommand::TYPE.

const LoadCommand *get(LoadCommand::TYPE type) const

Return the LoadCommand associated with the given LoadCommand::TYPE or a nullptr if the command can’t be found.

LoadCommand *get(LoadCommand::TYPE type)
LoadCommand *add(const LoadCommand &command)

Insert a new LoadCommand.

LoadCommand *add(const LoadCommand &command, size_t index)

Insert a new LoadCommand at the specified index

LoadCommand *add(const DylibCommand &library)

Insert the given DylibCommand.

LoadCommand *add(const SegmentCommand &segment)

Add a new LC_SEGMENT command from the given SegmentCommand.

LoadCommand *add_library(const std::string &name)

Insert a new shared library through a LC_LOAD_DYLIB command.

Section *add_section(const Section &section)

Add a new MachO::Section in the __TEXT segment.

Section *add_section(const SegmentCommand &segment, const Section &section)

Add a section in the given MachO::SegmentCommand.

Warning

This method may corrupt the file if the segment is not the first one nor the last one

virtual void remove_section(const std::string &name, bool clear = false) override

Remove the section with the name provided in the first parameter.

Parameters:

  • name – Name of the MachO::Section to remove

  • clear – If true clear the content of the section before removing

void remove_section(const std::string &segname, const std::string &secname, bool clear = false)

Remove the section from the segment with the name given in the first parameter and with the section’s name provided in the second parameter.

Parameters:

  • segname – Name of the MachO::Segment

  • secname – Name of the MachO::Section to remove

  • clear – If true clear the content of the section before removing

bool remove(const LoadCommand &command)

Remove the given LoadCommand.

bool remove(LoadCommand::TYPE type)

Remove all LoadCommand with the given type (MachO::LoadCommand::TYPE)

bool remove_command(size_t index)

Remove the Load Command at the provided index

bool remove_signature()

Remove the LC_SIGNATURE command.

bool extend(const LoadCommand &command, uint64_t size)

Extend the size of the given LoadCommand.

bool extend_segment(const SegmentCommand &segment, size_t size)

Extend the content of the given SegmentCommand.

bool disable_pie()

Remove the PIE flag.

virtual uint64_t imagebase() const override

Return the binary’s imagebase. 0 if not relevant.

uint64_t virtual_size() const

Size of the binary in memory when mapped by the loader (dyld)

std::string loader() const

Return the binary’s loader (e.g. /usr/lib/dyld) or an empty string if the binary does not use a loader/linker.

inline bool has_section(const std::string &name) const

Check if a section with the given name exists.

Section *get_section(const std::string &name)

Return the section from the given name of a nullptr if the section can’t be found.

const Section *get_section(const std::string &name) const

Return the section from the given name or a nullptr if the section can’t be found.

Section *get_section(const std::string &segname, const std::string &secname)

Return the section from the segment with the name given in the first parameter and with the section’s name provided in the second parameter. If the section cannot be found, it returns a nullptr.

const Section *get_section(const std::string &segname, const std::string &secname) const
inline bool has_segment(const std::string &name) const

Check if a segment with the given name exists.

const SegmentCommand *get_segment(const std::string &name) const

Return the segment from the given name.

SegmentCommand *get_segment(const std::string &name)

Return the segment from the given name.

bool remove_symbol(const std::string &name)

Remove the symbol with the given name.

bool remove(const Symbol &sym)

Remove the given symbol.

bool can_remove(const Symbol &sym) const

Check if the given symbol can be safely removed.

bool can_remove_symbol(const std::string &name) const

Check if the MachO::Symbol with the given name can be safely removed.

bool unexport(const std::string &name)

Remove the given MachO::Symbol with the given name from the export table.

bool unexport(const Symbol &sym)

Remove the given symbol from the export table.

Section *section_from_offset(uint64_t offset)

Return the MachO::Section that encompasses the provided offset. If a section can’t be found, it returns a null pointer (nullptr)

const Section *section_from_offset(uint64_t offset) const
Section *section_from_virtual_address(uint64_t virtual_address)

Return the MachO::Section that encompasses the provided virtual address. If a section can’t be found, it returns a null pointer (nullptr)

const Section *section_from_virtual_address(uint64_t virtual_address) const
result<uint64_t> virtual_address_to_offset(uint64_t virtual_address) const

Convert a virtual address to an offset in the file.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const override

Convert the given offset into a virtual address.

Parameters:

  • offset[in] The offset to convert.

  • slide[in] If not 0, it will replace the default base address (if any)

SegmentCommand *segment_from_offset(uint64_t offset)

Return the binary’s SegmentCommand that encompasses the provided offset.

If a SegmentCommand can’t be found it returns a null pointer (nullptr).

const SegmentCommand *segment_from_offset(uint64_t offset) const
size_t segment_index(const SegmentCommand &segment) const

Return the index of the given SegmentCommand.

inline uint64_t fat_offset() const

Return binary’s fat offset. 0 if not relevant.

SegmentCommand *segment_from_virtual_address(uint64_t virtual_address)

Return the binary’s SegmentCommand which encompasses the given virtual address or a nullptr if not found.

const SegmentCommand *segment_from_virtual_address(uint64_t virtual_address) const
range_t va_ranges() const

Return the range of virtual addresses.

range_t off_ranges() const

Return the range of offsets.

bool is_valid_addr(uint64_t address) const

Check if the given address is encompassed in the binary’s virtual addresses range.

virtual void accept(LIEF::Visitor &visitor) const override

Method so that the visitor can visit us.

virtual std::ostream &print(std::ostream &os) const override
virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the content at virtual address address with patch_value.

Parameters:

  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • addr_type[in] Specify if the address should be used as an absolute virtual address or an RVA

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the address with the given value.

Parameters:

  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • size[in] Size of the value in bytes (1, 2, … 8)

  • addr_type[in] Specify if the address should be used as an absolute virtual address or an RVA

virtual span<const uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, Binary::VA_TYPES addr_type = Binary::VA_TYPES::AUTO) const override

Return the content located at virtual address.

virtual uint64_t entrypoint() const override

The binary entrypoint.

inline virtual bool is_pie() const override

Check if the binary is position independent.

inline virtual bool has_nx() const override

Check if the binary uses NX protection.

inline bool has_nx_stack() const

Return True if the heap is flagged as non-executable. False otherwise.

inline bool has_nx_heap() const

Return True if the stack is flagged as non-executable. False otherwise.

inline bool has_entrypoint() const

true if the binary has an entrypoint.

Basically for libraries it will return false

bool has_uuid() const

true if the binary has a MachO::UUIDCommand command.

UUIDCommand *uuid()

Return the MachO::UUIDCommand if present, a nullptr otherwise.

const UUIDCommand *uuid() const
bool has_main_command() const

true if the binary has a MachO::MainCommand command.

MainCommand *main_command()

Return the MachO::MainCommand if present, a nullptr otherwise.

const MainCommand *main_command() const
bool has_dylinker() const

true if the binary has a MachO::DylinkerCommand.

DylinkerCommand *dylinker()

Return the MachO::DylinkerCommand if present, a nullptr otherwise.

const DylinkerCommand *dylinker() const
bool has_dyld_info() const

true if the binary has a MachO::DyldInfo command.

DyldInfo *dyld_info()

Return the MachO::Dyld command if present, a nullptr otherwise.

const DyldInfo *dyld_info() const
bool has_function_starts() const

true if the binary has a MachO::FunctionStarts command.

FunctionStarts *function_starts()

Return the MachO::FunctionStarts command if present, a nullptr otherwise.

const FunctionStarts *function_starts() const
bool has_source_version() const

true if the binary has a MachO::SourceVersion command.

SourceVersion *source_version()

Return the MachO::SourceVersion command if present, a nullptr otherwise.

const SourceVersion *source_version() const
bool has_version_min() const

true if the binary has a MachO::VersionMin command.

VersionMin *version_min()

Return the MachO::VersionMin command if present, a nullptr otherwise.

const VersionMin *version_min() const
bool has_thread_command() const

true if the binary has a MachO::ThreadCommand command.

ThreadCommand *thread_command()

Return the MachO::ThreadCommand command if present, a nullptr otherwise.

const ThreadCommand *thread_command() const
bool has_rpath() const

true if the binary has a MachO::RPathCommand command.

RPathCommand *rpath()

Return the MachO::RPathCommand command if present, a nullptr otherwise.

const RPathCommand *rpath() const
it_rpaths rpaths()

Iterator over all the MachO::RPathCommand commands.

it_const_rpaths rpaths() const
bool has_symbol_command() const

true if the binary has a MachO::SymbolCommand command.

SymbolCommand *symbol_command()

Return the MachO::SymbolCommand if present, a nullptr otherwise.

const SymbolCommand *symbol_command() const
bool has_dynamic_symbol_command() const

true if the binary has a MachO::DynamicSymbolCommand command.

DynamicSymbolCommand *dynamic_symbol_command()

Return the MachO::SymbolCommand if present, a nullptr otherwise.

const DynamicSymbolCommand *dynamic_symbol_command() const
bool has_code_signature() const

true if the binary is signed with LC_CODE_SIGNATURE command

CodeSignature *code_signature()

Return the MachO::CodeSignature if present, a nullptr otherwise.

const CodeSignature *code_signature() const
bool has_code_signature_dir() const

true if the binary is signed with the command DYLIB_CODE_SIGN_DRS

CodeSignatureDir *code_signature_dir()

Return the MachO::CodeSignatureDir if present, a nullptr otherwise.

const CodeSignatureDir *code_signature_dir() const
bool has_data_in_code() const

true if the binary has a MachO::DataInCode command.

DataInCode *data_in_code()

Return the MachO::DataInCode if present, a nullptr otherwise.

const DataInCode *data_in_code() const
bool has_segment_split_info() const

true if the binary has segment split info.

SegmentSplitInfo *segment_split_info()

Return the MachO::SegmentSplitInfo if present, a nullptr otherwise.

const SegmentSplitInfo *segment_split_info() const
bool has_sub_framework() const

true if the binary has a sub framework command.

bool has_encryption_info() const

true if the binary has Encryption Info.

EncryptionInfo *encryption_info()

Return the MachO::DyldEnvironment if present, a nullptr otherwise.

const EncryptionInfo *encryption_info() const
SubFramework *sub_framework()

Return the MachO::SubFramework if present, a nullptr otherwise.

const SubFramework *sub_framework() const
bool has_dyld_environment() const

true if the binary has Dyld envrionment variables.

DyldEnvironment *dyld_environment()

Return the MachO::DyldEnvironment if present, a nullptr otherwise.

const DyldEnvironment *dyld_environment() const
bool has_build_version() const

true if the binary has the BuildVersion command.

BuildVersion *build_version()

Return the MachO::BuildVersion if present, a nullptr otherwise.

const BuildVersion *build_version() const
bool has_dyld_chained_fixups() const

true if the binary has the command LC_DYLD_CHAINED_FIXUPS.

DyldChainedFixups *dyld_chained_fixups()

Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const DyldChainedFixups *dyld_chained_fixups() const
bool has_dyld_exports_trie() const

true if the binary has the command LC_DYLD_CHAINED_FIXUPS.

DyldExportsTrie *dyld_exports_trie()

Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const DyldExportsTrie *dyld_exports_trie() const
bool has_two_level_hints() const

true if the binary has the command LC_TWO_LEVEL_HINTS.

TwoLevelHints *two_level_hints()

Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const TwoLevelHints *two_level_hints() const
bool has_linker_opt_hint() const

true if the binary has the command LC_LINKER_OPTIMIZATION_HINT.

LinkerOptHint *linker_opt_hint()

Return the MachO::LinkerOptHint if present, a nullptr otherwise.

const LinkerOptHint *linker_opt_hint() const
ExportInfo *add_exported_function(uint64_t address, const std::string &name)

Add a symbol in the export trie of the current binary.

Symbol *add_local_symbol(uint64_t address, const std::string &name)

Add a symbol in LC_SYMTAB command of the current binary.

template<class T>
bool has_command() const
template<class T>
T *command()
template<class T>
const T *command() const
template<class T>
size_t count_commands() const
template<class CMD, class Func>
Binary &for_commands(Func f)
inline LoadCommand *operator[](LoadCommand::TYPE type)
inline const LoadCommand *operator[](LoadCommand::TYPE type) const
virtual LIEF::Binary::functions_t ctor_functions() const override

Return the list of the MachO’s constructors.

LIEF::Binary::functions_t functions() const

Return all the functions found in this MachO.

LIEF::Binary::functions_t unwind_functions() const

Return the functions found in the __unwind_info section.

bool has_filesets() const

true if the binary has a LoadCommand::TYPE::FILESET_ENTRY command

inline const std::string &fileset_name() const

Name associated with the LC_FILESET_ENTRY binary.

~Binary() override
ok_error_t shift(size_t value)

Shift the content located right after the Load commands table. This operation can be used to add a new command.

ok_error_t shift_linkedit(size_t width)

Shift the position on the __LINKEDIT data by width

inline uint64_t memory_base_address() const

If this Mach-O binary has been parsed from memory, it returns the in-memory base address of this binary.

Otherwise, it returns 0

uint32_t page_size() const
inline span<const uint8_t> overlay() const

Public Static Functions

static bool is_exported(const Symbol &symbol)

Check if the given symbol is exported.

static bool is_imported(const Symbol &symbol)

Check if the given symbol is an imported one.

static inline bool classof(const LIEF::Binary *bin)
struct KeyCmp

Public Functions

bool operator()(const Relocation *lhs, const Relocation *rhs) const
struct range_t

Public Members

uint64_t start = 0
uint64_t end = 0

Builder

class Builder

Class used to rebuild a Mach-O file.

Public Functions

Builder() = delete
~Builder()

Public Static Functions

static ok_error_t write(Binary &binary, const std::string &filename)
static ok_error_t write(Binary &binary, const std::string &filename, config_t config)
static ok_error_t write(Binary &binary, std::vector<uint8_t> &out)
static ok_error_t write(Binary &binary, std::vector<uint8_t> &out, config_t config)
static ok_error_t write(Binary &binary, std::ostream &out)
static ok_error_t write(Binary &binary, std::ostream &out, config_t config)
static ok_error_t write(FatBinary &fat, const std::string &filename)
static ok_error_t write(FatBinary &fat, const std::string &filename, config_t config)
static ok_error_t write(FatBinary &fat, std::vector<uint8_t> &out)
static ok_error_t write(FatBinary &fat, std::vector<uint8_t> &out, config_t config)
static ok_error_t write(FatBinary &fat, std::ostream &out)
static ok_error_t write(FatBinary &fat, std::ostream &out, config_t config)
struct config_t

Options to tweak the building process.

Public Members

bool linkedit = true

DylibCommand

class DylibCommand : public LIEF::MachO::LoadCommand

Class which represents a library dependency.

Public Types

using version_t = std::array<uint16_t, 3>

Public Functions

DylibCommand() = default
DylibCommand(const details::dylib_command &cmd)
DylibCommand &operator=(const DylibCommand &copy) = default
DylibCommand(const DylibCommand &copy) = default
~DylibCommand() override = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline const std::string &name() const

Library name.

inline uint32_t timestamp() const

Date and Time when the shared library was built.

inline version_t current_version() const

Current version of the shared library.

inline version_t compatibility_version() const

Compatibility version of the shared library.

inline void name(std::string name)
inline void timestamp(uint32_t timestamp)
inline void current_version(version_t version)
inline void compatibility_version(version_t version)
virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline version_t int2version(uint32_t version)

Helper to convert an integer into a version array.

static inline uint32_t version2int(version_t version)

Helper to convert a version array into an integer.

static DylibCommand weak_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LOAD_WEAK_DYLIB library.

static DylibCommand id_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_ID_DYLIB library.

static DylibCommand load_dylib(const std::string &name, uint32_t timestamp = 2, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LOAD_DYLIB library.

static DylibCommand reexport_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_REEXPORT_DYLIB library.

static DylibCommand load_upward_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LOAD_UPWARD_DYLIB library.

static DylibCommand lazy_load_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)

Factory function to generate a LC_LAZY_LOAD_DYLIB library.

static inline bool classof(const LoadCommand *cmd)

DylinkerCommand

class DylinkerCommand : public LIEF::MachO::LoadCommand

Class that represents the Mach-O linker, also named loader. Most of the time, DylinkerCommand::name() should return /usr/lib/dyld

Public Functions

DylinkerCommand() = default
DylinkerCommand(const details::dylinker_command &cmd)
DylinkerCommand(std::string name)
DylinkerCommand &operator=(const DylinkerCommand &copy) = default
DylinkerCommand(const DylinkerCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~DylinkerCommand() override = default
virtual std::ostream &print(std::ostream &os) const override
inline const std::string &name() const

Path to the linker (or loader)

inline void name(std::string name)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

DynamicSymbolCommand

class DynamicSymbolCommand : public LIEF::MachO::LoadCommand

Class that represents the LC_DYSYMTAB command.

This command completes the LC_SYMTAB (SymbolCommand) to provide a better granularity over the symbols layout.

Public Functions

DynamicSymbolCommand()
DynamicSymbolCommand(const details::dysymtab_command &cmd)
DynamicSymbolCommand &operator=(const DynamicSymbolCommand &copy) = default
DynamicSymbolCommand(const DynamicSymbolCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~DynamicSymbolCommand() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override
inline uint32_t idx_local_symbol() const

Index of the first symbol in the group of local symbols.

inline uint32_t nb_local_symbols() const

Number of symbols in the group of local symbols.

inline uint32_t idx_external_define_symbol() const

Index of the first symbol in the group of defined external symbols.

inline uint32_t nb_external_define_symbols() const

Number of symbols in the group of defined external symbols.

inline uint32_t idx_undefined_symbol() const

Index of the first symbol in the group of undefined external symbols.

inline uint32_t nb_undefined_symbols() const

Number of symbols in the group of undefined external symbols.

inline uint32_t toc_offset() const

Byte offset from the start of the file to the table of contents data.

Table of content is used by legacy Mach-O loader and this field should be set to 0

inline uint32_t nb_toc() const

Number of entries in the table of contents.

Should be set to 0 on recent Mach-O

inline uint32_t module_table_offset() const

Byte offset from the start of the file to the module table data.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t nb_module_table() const

Number of entries in the module table.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t external_reference_symbol_offset() const

Byte offset from the start of the file to the external reference table data.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t nb_external_reference_symbols() const

Number of entries in the external reference table.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t indirect_symbol_offset() const

Byte offset from the start of the file to the indirect symbol table data.

Indirect symbol table is used by the loader to speed-up symbol resolution during the lazy binding process

References:

  • dyld-519.2.1/src/ImageLoaderMachOCompressed.cpp

  • dyld-519.2.1/src/ImageLoaderMachOClassic.cpp

inline uint32_t nb_indirect_symbols() const

Number of entries in the indirect symbol table.

See also

indirect_symbol_offset

inline uint32_t external_relocation_offset() const

Byte offset from the start of the file to the external relocation table data.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t nb_external_relocations() const

Number of entries in the external relocation table.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t local_relocation_offset() const

Byte offset from the start of the file to the local relocation table data.

This field seems unused by recent Mach-O loader and should be set to 0

inline uint32_t nb_local_relocations() const

Number of entries in the local relocation table.

This field seems unused by recent Mach-O loader and should be set to 0

inline void idx_local_symbol(uint32_t value)
inline void nb_local_symbols(uint32_t value)
inline void idx_external_define_symbol(uint32_t value)
inline void nb_external_define_symbols(uint32_t value)
inline void idx_undefined_symbol(uint32_t value)
inline void nb_undefined_symbols(uint32_t value)
inline void toc_offset(uint32_t value)
inline void nb_toc(uint32_t value)
inline void module_table_offset(uint32_t value)
inline void nb_module_table(uint32_t value)
inline void external_reference_symbol_offset(uint32_t value)
inline void nb_external_reference_symbols(uint32_t value)
inline void indirect_symbol_offset(uint32_t value)
inline void nb_indirect_symbols(uint32_t value)
inline void external_relocation_offset(uint32_t value)
inline void nb_external_relocations(uint32_t value)
inline void local_relocation_offset(uint32_t value)
inline void nb_local_relocations(uint32_t value)

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

LoadCommand

class LoadCommand : public LIEF::Object

Based class for the Mach-O load commands.

Subclassed by LIEF::MachO::BuildVersion, LIEF::MachO::CodeSignature, LIEF::MachO::CodeSignatureDir, LIEF::MachO::DataInCode, LIEF::MachO::DyldChainedFixups, LIEF::MachO::DyldEnvironment, LIEF::MachO::DyldExportsTrie, LIEF::MachO::DyldInfo, LIEF::MachO::DylibCommand, LIEF::MachO::DylinkerCommand, LIEF::MachO::DynamicSymbolCommand, LIEF::MachO::EncryptionInfo, LIEF::MachO::FilesetCommand, LIEF::MachO::FunctionStarts, LIEF::MachO::LinkerOptHint, LIEF::MachO::MainCommand, LIEF::MachO::RPathCommand, LIEF::MachO::SegmentCommand, LIEF::MachO::SegmentSplitInfo, LIEF::MachO::SourceVersion, LIEF::MachO::SubFramework, LIEF::MachO::SymbolCommand, LIEF::MachO::ThreadCommand, LIEF::MachO::TwoLevelHints, LIEF::MachO::UUIDCommand, LIEF::MachO::UnknownCommand, LIEF::MachO::VersionMin

Public Types

enum class TYPE : uint64_t

Values:

enumerator UNKNOWN = 0
enumerator SEGMENT = 0x00000001u
enumerator SYMTAB = 0x00000002u
enumerator SYMSEG = 0x00000003u
enumerator THREAD = 0x00000004u
enumerator UNIXTHREAD = 0x00000005u
enumerator LOADFVMLIB = 0x00000006u
enumerator IDFVMLIB = 0x00000007u
enumerator IDENT = 0x00000008u
enumerator FVMFILE = 0x00000009u
enumerator PREPAGE = 0x0000000Au
enumerator DYSYMTAB = 0x0000000Bu
enumerator LOAD_DYLIB = 0x0000000Cu
enumerator ID_DYLIB = 0x0000000Du
enumerator LOAD_DYLINKER = 0x0000000Eu
enumerator ID_DYLINKER = 0x0000000Fu
enumerator PREBOUND_DYLIB = 0x00000010u
enumerator ROUTINES = 0x00000011u
enumerator SUB_FRAMEWORK = 0x00000012u
enumerator SUB_UMBRELLA = 0x00000013u
enumerator SUB_CLIENT = 0x00000014u
enumerator SUB_LIBRARY = 0x00000015u
enumerator TWOLEVEL_HINTS = 0x00000016u
enumerator PREBIND_CKSUM = 0x00000017u
enumerator LOAD_WEAK_DYLIB = 0x80000018u
enumerator SEGMENT_64 = 0x00000019u
enumerator ROUTINES_64 = 0x0000001Au
enumerator UUID = 0x0000001Bu
enumerator RPATH = 0x8000001Cu
enumerator CODE_SIGNATURE = 0x0000001Du
enumerator SEGMENT_SPLIT_INFO = 0x0000001Eu
enumerator REEXPORT_DYLIB = 0x8000001Fu
enumerator LAZY_LOAD_DYLIB = 0x00000020u
enumerator ENCRYPTION_INFO = 0x00000021u
enumerator DYLD_INFO = 0x00000022u
enumerator DYLD_INFO_ONLY = 0x80000022u
enumerator LOAD_UPWARD_DYLIB = 0x80000023u
enumerator VERSION_MIN_MACOSX = 0x00000024u
enumerator VERSION_MIN_IPHONEOS = 0x00000025u
enumerator FUNCTION_STARTS = 0x00000026u
enumerator DYLD_ENVIRONMENT = 0x00000027u
enumerator MAIN = 0x80000028u
enumerator DATA_IN_CODE = 0x00000029u
enumerator SOURCE_VERSION = 0x0000002Au
enumerator DYLIB_CODE_SIGN_DRS = 0x0000002Bu
enumerator ENCRYPTION_INFO_64 = 0x0000002Cu
enumerator LINKER_OPTION = 0x0000002Du
enumerator LINKER_OPTIMIZATION_HINT = 0x0000002Eu
enumerator VERSION_MIN_TVOS = 0x0000002Fu
enumerator VERSION_MIN_WATCHOS = 0x00000030u
enumerator NOTE = 0x00000031u
enumerator BUILD_VERSION = 0x00000032u
enumerator DYLD_EXPORTS_TRIE = 0x80000033u
enumerator DYLD_CHAINED_FIXUPS = 0x80000034u
enumerator FILESET_ENTRY = 0x80000035u
enumerator LIEF_UNKNOWN = 0xffee0001u
using raw_t = std::vector<uint8_t>

Public Functions

LoadCommand() = default
LoadCommand(const details::load_command &command)
inline LoadCommand(LoadCommand::TYPE type, uint32_t size)
LoadCommand &operator=(const LoadCommand &copy) = default
LoadCommand(const LoadCommand &copy) = default
void swap(LoadCommand &other) noexcept
inline virtual std::unique_ptr<LoadCommand> clone() const
~LoadCommand() override = default
inline LoadCommand::TYPE command() const

Command type.

inline uint32_t size() const

Size of the command (should be greather than sizeof(load_command))

inline span<const uint8_t> data() const

Raw command.

inline uint64_t command_offset() const

Offset of the command within the Load Command Table

inline void data(raw_t data)
inline void command(LoadCommand::TYPE command)
inline void size(uint32_t size)
inline void command_offset(uint64_t offset)
virtual std::ostream &print(std::ostream &os) const
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool is_linkedit_data(const LoadCommand &cmd)

Friends

inline friend std::ostream &operator<<(std::ostream &os, const LoadCommand &cmd)

MainCommand

class MainCommand : public LIEF::MachO::LoadCommand

Class that represent the LC_MAIN command. This kind of command can be used to determine the entrypoint of an executable.

Public Functions

MainCommand() = default
MainCommand(const details::entry_point_command &cmd)
MainCommand(uint64_t entrypoint, uint64_t stacksize)
MainCommand &operator=(const MainCommand &copy) = default
MainCommand(const MainCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~MainCommand() override = default
inline uint64_t entrypoint() const

Offset of the main function relative to the __TEXT segment.

inline uint64_t stack_size() const

The initial stack size.

inline void entrypoint(uint64_t entrypoint)
inline void stack_size(uint64_t stacksize)
virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Section

class Section : public LIEF::Section

Class that represents a Mach-O section.

Public Types

enum class TYPE : uint64_t

Values:

enumerator REGULAR = 0x00u

Regular section.

enumerator ZEROFILL = 0x01u

Zero fill on demand section.

enumerator CSTRING_LITERALS = 0x02u

Section with literal C strings.

enumerator S_4BYTE_LITERALS = 0x03u

Section with 4 byte literals.

enumerator S_8BYTE_LITERALS = 0x04u

Section with 8 byte literals.

enumerator LITERAL_POINTERS = 0x05u

Section with pointers to literals.

enumerator NON_LAZY_SYMBOL_POINTERS = 0x06u

Section with non-lazy symbol pointers.

enumerator LAZY_SYMBOL_POINTERS = 0x07u

Section with lazy symbol pointers.

enumerator SYMBOL_STUBS = 0x08u

Section with symbol stubs, byte size of stub in the Reserved2 field.

enumerator MOD_INIT_FUNC_POINTERS = 0x09u

Section with only function pointers for initialization.

enumerator MOD_TERM_FUNC_POINTERS = 0x0au

Section with only function pointers for termination.

enumerator COALESCED = 0x0bu

Section contains symbols that are to be coalesced.

enumerator GB_ZEROFILL = 0x0cu

Zero fill on demand section (that can be larger than 4 gigabytes).

enumerator INTERPOSING = 0x0du

Section with only pairs of function pointers for interposing.

enumerator S_16BYTE_LITERALS = 0x0eu

Section with only 16 byte literals.

enumerator DTRACE_DOF = 0x0fu

Section contains DTrace Object Format.

enumerator LAZY_DYLIB_SYMBOL_POINTERS = 0x10u

Section with lazy symbol pointers to lazy loaded dylibs.

enumerator THREAD_LOCAL_REGULAR = 0x11u

Thread local data section.

enumerator THREAD_LOCAL_ZEROFILL = 0x12u

Thread local zerofill section.

enumerator THREAD_LOCAL_VARIABLES = 0x13u

Section with thread local variable structure data.

enumerator THREAD_LOCAL_VARIABLE_POINTERS = 0x14u

Section with pointers to thread local structures.

enumerator THREAD_LOCAL_INIT_FUNCTION_POINTERS = 0x15u

Section with thread local variable initialization pointers to functions.

enumerator INIT_FUNC_OFFSETS = 0x16u

Section with 32-bit offsets to initializer functions.

enum class FLAGS : uint64_t

Values:

enumerator PURE_INSTRUCTIONS = 0x80000000u

Section contains only true machine instructions.

enumerator NO_TOC = 0x40000000u

Section contains coalesced symbols that are not to be in a ranlib table of contents.

enumerator STRIP_STATIC_SYMS = 0x20000000u

Ok to strip static symbols in this section in files with the MY_DYLDLINK flag.

enumerator NO_DEAD_STRIP = 0x10000000u

No dead stripping.

enumerator LIVE_SUPPORT = 0x08000000u

Blocks are live if they reference live blocks.

enumerator SELF_MODIFYING_CODE = 0x04000000u

Used with i386 code stubs written on by dyld.

enumerator DEBUG_INFO = 0x02000000u

A debug section.

enumerator SOME_INSTRUCTIONS = 0x00000400u

Section contains some machine instructions.

enumerator EXT_RELOC = 0x00000200u

Section has external relocation entries.

enumerator LOC_RELOC = 0x00000100u

Section has local relocation entries.

using content_t = std::vector<uint8_t>
using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing Mach-O Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator which outputs const Relocation&.

Public Functions

Section()
Section(const details::section_32 &section_cmd)
Section(const details::section_64 &section_cmd)
Section(std::string name)
Section(std::string name, content_t content)
Section &operator=(Section copy)
Section(const Section &copy)
void swap(Section &other) noexcept
~Section() override
virtual span<const uint8_t> content() const override

section’s content

virtual void content(const content_t &data) override

Update the content of the section.

const std::string &segment_name() const

Return the name of the segment linked to this section.

inline uint64_t address() const

Virtual base address of the section.

inline uint32_t alignment() const

Section alignment as a power of 2.

inline uint32_t relocation_offset() const

Offset of the relocation table. This value should be 0 for executable and libraries as the relocations are managed by the DyldInfo::rebase.

On the other hand, for object files (.o) this value should not be 0

See also

numberof_relocations

See also

relocations

inline uint32_t numberof_relocations() const

Number of relocations associated with this section.

inline FLAGS flags() const

Section’s flags masked with SECTION_FLAGS_MASK (see: Section::FLAGS)

See also

flags

inline TYPE type() const

Type of the section. This value can help to determine the purpose of the section (e.g. MACHO_SECTION_TYPES::MACHO_SECTION_TYPES)

inline uint32_t reserved1() const

According to the official loader.h file, this value is reserved for offset or index

inline uint32_t reserved2() const

According to the official loader.h file, this value is reserved for count or sizeof

inline uint32_t reserved3() const

This value is only present for 64 bits Mach-O files. In that case, the value is reserved.

std::vector<FLAGS> flags_list() const

Return the Section::flags as a list of Section::FLAGS.

See also

flags

inline uint32_t raw_flags() const

Section flags without applying the SECTION_FLAGS_MASK mask.

inline bool has_segment() const

Check if this section is correctly linked with a MachO::SegmentCommand.

inline SegmentCommand *segment()

The segment associated with this section or a nullptr if not present.

inline const SegmentCommand *segment() const
void clear(uint8_t v)

Clear the content of this section by filling its values with the byte provided in parameter.

inline it_relocations relocations()

Return an iterator over the MachO::Relocation associated with this section.

This iterator is likely to be empty of executable and libraries while it should not for object files (.o)

inline it_const_relocations relocations() const
void segment_name(const std::string &name)
inline void address(uint64_t address)
inline void alignment(uint32_t align)
inline void relocation_offset(uint32_t offset)
inline void numberof_relocations(uint32_t nb_reloc)
inline void flags(uint32_t flags)
void flags(std::vector<FLAGS> flags)
inline void type(TYPE type)
inline void reserved1(uint32_t reserved1)
inline void reserved2(uint32_t reserved2)
inline void reserved3(uint32_t reserved3)
bool has(FLAGS flag) const

Check if the section has the given Section::FLAGS flag.

void add(FLAGS flag)

Append a Section::FLAGS to the current section.

void remove(FLAGS flag)

Remove a Section::FLAGS to the current section.

inline Section &operator+=(FLAGS flag)
inline Section &operator-=(FLAGS flag)
virtual void accept(Visitor &visitor) const override

Public Static Attributes

static auto FLAGS_MASK = uint32_t(0xffffff00u)
static auto TYPE_MASK = uint32_t(0xff)

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)

SegmentCommand

class SegmentCommand : public LIEF::MachO::LoadCommand

Class which represents a LoadCommand::TYPE::SEGMENT / LoadCommand::TYPE::SEGMENT_64 command.

Subclassed by LIEF::MachO::LinkEdit

Public Types

enum class FLAGS : uint64_t

Values:

enumerator HIGHVM = 0x1u

The file contents for this segment are for the high part of the virtual memory space; the low part is zero filled (for stacks in core files).

enumerator FVMLIB = 0x2u

this segment is the VM that is allocated by a fixed VM library, for overlap checking in the link editor.

enumerator NORELOC = 0x4u

This segment has nothing that was relocated in it and nothing relocated to it. It may be safely replaced without relocation.

enumerator PROTECTED_VERSION_1 = 0x8u
enumerator READ_ONLY = 0x10u
enum class VM_PROTECTIONS

Values for segment_command.initprot. From <mach/vm_prot.h>

Values:

enumerator READ = 0x1

Reading data within the segment is allowed.

enumerator WRITE = 0x2

Writing data within the segment is allowed.

enumerator EXECUTE = 0x4

Executing data within the segment is allowed.

using content_t = std::vector<uint8_t>
using sections_t = std::vector<std::unique_ptr<Section>>

Internal container for storing Mach-O Section.

using it_sections = ref_iterator<sections_t&, Section*>

Iterator which outputs Section&.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>

Iterator which outputs const Section&.

using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing Mach-O Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator which outputs const Relocation&.

Public Functions

SegmentCommand()
SegmentCommand(const details::segment_command_32 &cmd)
SegmentCommand(const details::segment_command_64 &cmd)
SegmentCommand &operator=(SegmentCommand other)
SegmentCommand(const SegmentCommand &copy)
SegmentCommand(std::string name, content_t content)
SegmentCommand(std::string name)
void swap(SegmentCommand &other) noexcept
inline virtual std::unique_ptr<LoadCommand> clone() const override
~SegmentCommand() override
inline const std::string &name() const

Name of the segment (e.g. __TEXT)

inline uint64_t virtual_address() const

Absolute virtual base address of the segment.

inline uint64_t virtual_size() const

Virtual size of the segment.

inline uint64_t file_size() const

Size of this segment in the binary file.

inline uint64_t file_offset() const

Offset of the data of this segment in the file.

inline uint32_t max_protection() const

The maximum of protections for this segment (cf. VM_PROTECTIONS)

inline uint32_t init_protection() const

The initial protections of this segment (cf. VM_PROTECTIONS)

inline uint32_t numberof_sections() const

The number of sections associated with this segment.

inline uint32_t flags() const

Flags associated with this segment (cf. SegmentCommand::FLAGS)

inline it_sections sections()

Return an iterator over the MachO::Section linked to this segment.

inline it_const_sections sections() const
inline it_relocations relocations()

Return an iterator over the MachO::Relocation linked to this segment.

For Mach-O executable or library this iterator should be empty as the relocations are managed by the Dyld::rebase_opcodes. On the other hand, for object files (.o) this iterator should not be empty

inline it_const_relocations relocations() const
const Section *get_section(const std::string &name) const

Get the section with the given name.

Section *get_section(const std::string &name)
inline span<const uint8_t> content() const

The raw content of this segment.

inline int8_t index() const

The original index of this segment or -1 if not defined.

inline void name(std::string name)
inline void virtual_address(uint64_t virtual_address)
inline void virtual_size(uint64_t virtual_size)
inline void file_offset(uint64_t file_offset)
inline void file_size(uint64_t file_size)
inline void max_protection(uint32_t max_protection)
inline void init_protection(uint32_t init_protection)
inline void numberof_sections(uint32_t nb_section)
inline void flags(uint32_t flags)
void content(content_t data)
Section &add_section(const Section &section)

Add a new section in this segment.

void remove_all_sections()

Remove all the sections linked to this segment.

bool has(const Section &section) const

Check if the current segment embeds the given section.

bool has_section(const std::string &section_name) const

Check if the current segment embeds the given section name.

virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Symbol

class Symbol : public LIEF::Symbol

Class that represents a Symbol in a Mach-O file.

A Mach-O symbol can come from:

  1. The symbols command (LC_SYMTAB / SymbolCommand)

  2. The Dyld Export trie

  3. The Dyld Symbol bindings

Public Types

enum class CATEGORY : uint32_t

Category of the symbol when the symbol comes from the LC_SYMTAB command. The category is defined according to the LC_DYSYMTAB (DynamicSymbolCommand) command.

Values:

enumerator NONE = 0
enumerator LOCAL
enumerator EXTERNAL
enumerator UNDEFINED
enumerator INDIRECT_ABS
enumerator INDIRECT_LOCAL
enum class ORIGIN : uint32_t

Values:

enumerator UNKNOWN = 0
enumerator DYLD_EXPORT = 1
enumerator DYLD_BIND = 2
enumerator LC_SYMTAB = 3

The symbol comes from the binding opcodes.

enum class TYPE : uint32_t

Values:

enumerator UNDEFINED = 0x0u

The symbol is undefined. It is referenced in a different module.

enumerator ABSOLUTE_SYM = 0x2u

The symbol is absolute. The linker doesn’t update his value.

enumerator SECTION = 0xeu

The symbol is defined in the section number given in nlist_base.n_sect .

enumerator PREBOUND = 0xcu

The symbol is undefined and the image is using a prebound value for the symbol. Set the n_sect field to NO_SECT .

enumerator INDIRECT = 0xau

The symbol is defined to be the same as another symbol. The n_value field is an index into the string table specifying the name of the other symbol. When that symbol is linked, both this and the other symbol point to the same defined type and value.

Public Functions

Symbol() = default
Symbol(const details::nlist_32 &cmd)
Symbol(const details::nlist_64 &cmd)
Symbol &operator=(Symbol other)
Symbol(const Symbol &other)
void swap(Symbol &other) noexcept
~Symbol() override = default
inline uint8_t raw_type() const

Raw value of nlist_xx.n_type

inline TYPE type() const

Type as defined by nlist_xx.n_type & N_TYPE

inline uint8_t numberof_sections() const

It returns the number of sections in which this symbol can be found. If the symbol can’t be found in any section, it returns 0 (NO_SECT)

inline uint16_t description() const

Return information about the symbol (SYMBOL_DESCRIPTIONS)

inline bool has_export_info() const

True if the symbol is associated with an ExportInfo This value is set when the symbol comes from the Dyld Export trie.

inline const ExportInfo *export_info() const

Return the ExportInfo associated with this symbol (or nullptr if not present)

See also

has_export_info

inline ExportInfo *export_info()
inline bool has_binding_info() const

True if the symbol is associated with a BindingInfo This value is set when the symbol comes from the Dyld symbol bindings.

inline const BindingInfo *binding_info() const

Return the BindingInfo associated with this symbol (or nullptr if not present)

See also

has_binding_info

inline BindingInfo *binding_info()
std::string demangled_name() const

Try to demangle the symbol or return an empty string if it is not possible.

inline bool is_external() const

True if the symbol is defined as an external symbol.

inline const DylibCommand *library() const

Return the library in which the symbol is defined. It returns a null pointer if the library can’t be resolved.

inline DylibCommand *library()
inline ORIGIN origin() const

Return the origin of the symbol: from LC_SYMTAB command or from the Dyld information.

inline CATEGORY category() const

Category of the symbol according to the LC_DYSYMTAB command.

inline void raw_type(uint8_t type)
inline void numberof_sections(uint8_t nbsections)
inline void description(uint16_t desc)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static const Symbol &indirect_abs()
static const Symbol &indirect_local()

Public Static Attributes

static uint32_t TYPE_MASK = 0x0e

Same as N_TYPE.

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &symbol)

SymbolCommand

class SymbolCommand : public LIEF::MachO::LoadCommand

Class that represents the LC_SYMTAB command.

Public Functions

SymbolCommand() = default
SymbolCommand(const details::symtab_command &command)
SymbolCommand &operator=(const SymbolCommand &copy) = default
SymbolCommand(const SymbolCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~SymbolCommand() override = default
inline uint32_t symbol_offset() const

Offset from the start of the file to the n_list associated with the command.

inline uint32_t numberof_symbols() const

Number of symbols registered.

inline uint32_t strings_offset() const

Offset from the start of the file to the string table.

inline uint32_t strings_size() const

Size of the size string table.

inline void symbol_offset(uint32_t offset)
inline void numberof_symbols(uint32_t nb)
inline void strings_offset(uint32_t offset)
inline void strings_size(uint32_t size)
inline span<const uint8_t> symbol_table() const
inline span<uint8_t> symbol_table()
inline span<const uint8_t> string_table() const
inline span<uint8_t> string_table()
inline uint32_t original_str_size() const
inline uint32_t original_nb_symbols() const
virtual std::ostream &print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

UUIDCommand

class UUIDCommand : public LIEF::MachO::LoadCommand

Class that represents the UUID command.

Public Functions

UUIDCommand() = default
UUIDCommand(const details::uuid_command &cmd)
UUIDCommand &operator=(const UUIDCommand &copy) = default
UUIDCommand(const UUIDCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~UUIDCommand() override = default
inline const uuid_t &uuid() const

The UUID as a 16-bytes array.

inline void uuid(const uuid_t &uuid)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Dyld Info

class DyldInfo : public LIEF::MachO::LoadCommand

Class that represents the LC_DYLD_INFO and LC_DYLD_INFO_ONLY commands.

Public Types

enum class BINDING_ENCODING_VERSION

Values:

enumerator UNKNOWN = 0
enumerator V1
enumerator V2
enum class REBASE_TYPE : uint64_t

Values:

enumerator POINTER = 1u
enumerator TEXT_ABSOLUTE32 = 2u
enumerator TEXT_PCREL32 = 3u
enumerator THREADED = 102u
enum class REBASE_OPCODES : uint8_t

Values:

enumerator DONE = 0x00u

It’s finished.

enumerator SET_TYPE_IMM = 0x10u

Set type to immediate (lower 4-bits). Used for ordinal numbers from 0-15.

enumerator SET_SEGMENT_AND_OFFSET_ULEB = 0x20u

Set segment’s index to immediate (lower 4-bits) and segment’s offset to following ULEB128 encoding.

enumerator ADD_ADDR_ULEB = 0x30u

Add segment’s offset with the following ULEB128 encoding.

enumerator ADD_ADDR_IMM_SCALED = 0x40u

Add segment’s offset with immediate scaling.

enumerator DO_REBASE_IMM_TIMES = 0x50u

Rebase in the range of [segment's offset; segment's offset + immediate * sizeof(ptr)]

enumerator DO_REBASE_ULEB_TIMES = 0x60u

Same as REBASE_OPCODE_DO_REBASE_IMM_TIMES but immediate is replaced with ULEB128 value.

enumerator DO_REBASE_ADD_ADDR_ULEB = 0x70u

Rebase and increment segment’s offset with following ULEB128 encoding + pointer’s size.

enumerator DO_REBASE_ULEB_TIMES_SKIPPING_ULEB = 0x80u

Rebase and skip several bytes.

enum class BIND_OPCODES : uint8_t

Opcodes used by Dyld info to bind symbols.

Values:

enumerator DONE = 0x00u

It’s finished.

enumerator SET_DYLIB_ORDINAL_IMM = 0x10u

Set ordinal to immediate (lower 4-bits). Used for ordinal numbers from 0-15.

enumerator SET_DYLIB_ORDINAL_ULEB = 0x20u

Set ordinal to following ULEB128 encoding. Used for ordinal numbers from 16+.

enumerator SET_DYLIB_SPECIAL_IMM = 0x30u

Set ordinal, with 0 or negative number as immediate. the value is sign extended.

enumerator SET_SYMBOL_TRAILING_FLAGS_IMM = 0x40u

Set the following symbol (NULL-terminated char*).

enumerator SET_TYPE_IMM = 0x50u

Set the type to immediate (lower 4-bits). See BIND_TYPES.

enumerator SET_ADDEND_SLEB = 0x60u

Set the addend field to the following SLEB128 encoding.

enumerator SET_SEGMENT_AND_OFFSET_ULEB = 0x70u

Set Segment to immediate value, and address to the following SLEB128 encoding.

enumerator ADD_ADDR_ULEB = 0x80u

Set the address field to the following SLEB128 encoding.

enumerator DO_BIND = 0x90u

Perform binding of current table row.

enumerator DO_BIND_ADD_ADDR_ULEB = 0xA0u

Perform binding, also add following ULEB128 as address.

enumerator DO_BIND_ADD_ADDR_IMM_SCALED = 0xB0u

Perform binding, also add immediate (lower 4-bits) using scaling.

enumerator DO_BIND_ULEB_TIMES_SKIPPING_ULEB = 0xC0u

Perform binding for several symbols (as following ULEB128), and skip several bytes.

enumerator THREADED = 0xD0u
enumerator THREADED_APPLY = 0xD0u | 0x01u
enumerator THREADED_SET_BIND_ORDINAL_TABLE_SIZE_ULEB = 0xD0u | 0x00u
enum class BIND_SUBOPCODE_THREADED : uint8_t

Values:

enumerator SET_BIND_ORDINAL_TABLE_SIZE_ULEB = 0x00u
enumerator APPLY = 0x01u
enum BIND_SYMBOL_FLAGS

Values:

enumerator WEAK_IMPORT = 0x1u
enumerator NON_WEAK_DEFINITION = 0x8u
using info_t = std::pair<uint32_t, uint32_t>

Tuple of offset and size

using binding_info_t = std::vector<std::unique_ptr<DyldBindingInfo>>

Internal container for storing DyldBindingInfo.

using it_binding_info = ref_iterator<binding_info_t&, DyldBindingInfo*>

Iterator which outputs DyldBindingInfo&.

using it_const_binding_info = const_ref_iterator<const binding_info_t&, DyldBindingInfo*>

Iterator which outputs const DyldBindingInfo&.

using export_info_t = std::vector<std::unique_ptr<ExportInfo>>

Internal container for storing ExportInfo.

using it_export_info = ref_iterator<export_info_t&, ExportInfo*>

Iterator which outputs const ExportInfo&.

using it_const_export_info = const_ref_iterator<const export_info_t&, ExportInfo*>

Iterator which outputs const ExportInfo&.

Public Functions

DyldInfo()
DyldInfo(const details::dyld_info_command &dyld_info_cmd)
DyldInfo &operator=(DyldInfo other)
DyldInfo(const DyldInfo &copy)
void swap(DyldInfo &other) noexcept
inline virtual std::unique_ptr<LoadCommand> clone() const override
~DyldInfo() override
inline const info_t &rebase() const

Rebase information

Dyld rebases an image whenever dyld loads it at an address different from its preferred address. The rebase information is a stream of byte sized opcodes for which symbolic names start with REBASE_OPCODE_. Conceptually the rebase information is a table of tuples: <seg-index, seg-offset, type> The opcodes are a compressed way to encode the table by only encoding when a column changes. In addition simple patterns like “every n’th offset for m times” can be encoded in a few bytes.

See also

/usr/include/mach-o/loader.h

inline span<const uint8_t> rebase_opcodes() const

Return Rebase’s opcodes as raw data.

inline span<uint8_t> rebase_opcodes()
void rebase_opcodes(buffer_t raw)

Set new opcodes.

std::string show_rebases_opcodes() const

Return the rebase opcodes in a humman-readable way.

inline const info_t &bind() const

Bind information

Dyld binds an image during the loading process, if the image requires any pointers to be initialized to symbols in other images. The rebase information is a stream of byte sized opcodes for which symbolic names start with BIND_OPCODE_. Conceptually the bind information is a table of tuples: <seg-index, seg-offset, type, symbol-library-ordinal, symbol-name, addend> The opcodes are a compressed way to encode the table by only encoding when a column changes. In addition simple patterns like for runs of pointers initialzed to the same value can be encoded in a few bytes.

See also

/usr/include/mach-o/loader.h

inline span<const uint8_t> bind_opcodes() const

Return Binding’s opcodes as raw data.

inline span<uint8_t> bind_opcodes()
void bind_opcodes(buffer_t raw)

Set new opcodes.

std::string show_bind_opcodes() const

Return the bind opcodes in a humman-readable way.

inline const info_t &weak_bind() const

Weak Bind information

Some C++ programs require dyld to unique symbols so that all images in the process use the same copy of some code/data. This step is done after binding. The content of the weak_bind info is an opcode stream like the bind_info. But it is sorted alphabetically by symbol name. This enables dyld to walk all images with weak binding information in order and look for collisions. If there are no collisions, dyld does no updating. That means that some fixups are also encoded in the bind_info. For instance, all calls to “operator new” are first bound to libstdc++.dylib using the information in bind_info. Then if some image overrides operator new that is detected when the weak_bind information is processed and the call to operator new is then rebound.

See also

/usr/include/mach-o/loader.h

inline span<const uint8_t> weak_bind_opcodes() const

Return Weak Binding’s opcodes as raw data.

inline span<uint8_t> weak_bind_opcodes()
void weak_bind_opcodes(buffer_t raw)

Set new opcodes.

std::string show_weak_bind_opcodes() const

Return the bind opcodes in a humman-readable way.

inline const info_t &lazy_bind() const

Lazy Bind information

Some uses of external symbols do not need to be bound immediately. Instead they can be lazily bound on first use. The lazy_bind are contains a stream of BIND opcodes to bind all lazy symbols. Normal use is that dyld ignores the lazy_bind section when loading an image. Instead the static linker arranged for the lazy pointer to initially point to a helper function which pushes the offset into the lazy_bind area for the symbol needing to be bound, then jumps to dyld which simply adds the offset to lazy_bind_off to get the information on what to bind.

See also

/usr/include/mach-o/loader.h

inline span<const uint8_t> lazy_bind_opcodes() const

Return Lazy Binding’s opcodes as raw data.

inline span<uint8_t> lazy_bind_opcodes()
void lazy_bind_opcodes(buffer_t raw)

Set new opcodes.

std::string show_lazy_bind_opcodes() const

Return the lazy opcodes in a humman-readable way.

inline it_binding_info bindings()

Iterator over BindingInfo entries.

inline it_const_binding_info bindings() const
inline const info_t &export_info() const

Export information

The symbols exported by a dylib are encoded in a trie. This is a compact representation that factors out common prefixes. It also reduces LINKEDIT pages in RAM because it encodes all information (name, address, flags) in one small, contiguous range. The export area is a stream of nodes. The first node sequentially is the start node for the trie.

Nodes for a symbol start with a byte that is the length of the exported symbol information for the string so far. If there is no exported symbol, the byte is zero. If there is exported info, it follows the length byte. The exported info normally consists of a flags and offset both encoded in uleb128. The offset is location of the content named by the symbol. It is the offset from the mach_header for the image.

After the initial byte and optional exported symbol information is a byte of how many edges (0-255) that this node has leaving it, followed by each edge. Each edge is a zero terminated cstring of the addition chars in the symbol, followed by a uleb128 offset for the node that edge points to.

See also

/usr/include/mach-o/loader.h

inline it_export_info exports()

Iterator over ExportInfo entries.

inline it_const_export_info exports() const
inline span<const uint8_t> export_trie() const

Return Export’s trie as raw data.

inline span<uint8_t> export_trie()
void export_trie(buffer_t raw)

Set new trie.

std::string show_export_trie() const

Return the export trie in a humman-readable way.

inline void rebase(const info_t &info)
inline void bind(const info_t &info)
inline void weak_bind(const info_t &info)
inline void lazy_bind(const info_t &info)
inline void export_info(const info_t &info)
inline void set_rebase_offset(uint32_t offset)
inline void set_rebase_size(uint32_t size)
inline void set_bind_offset(uint32_t offset)
inline void set_bind_size(uint32_t size)
inline void set_weak_bind_offset(uint32_t offset)
inline void set_weak_bind_size(uint32_t size)
inline void set_lazy_bind_offset(uint32_t offset)
inline void set_lazy_bind_size(uint32_t size)
inline void set_export_offset(uint32_t offset)
inline void set_export_size(uint32_t size)
void add(std::unique_ptr<ExportInfo> info)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Public Static Attributes

static auto OPCODE_MASK = uint32_t(0xF0)
static auto IMMEDIATE_MASK = uint32_t(0x0F)

Function starts

class FunctionStarts : public LIEF::MachO::LoadCommand

Class which represents the LC_FUNCTION_STARTS command.

This command is an array of ULEB128 encoded values

Public Functions

FunctionStarts() = default
FunctionStarts(const details::linkedit_data_command &cmd)
FunctionStarts &operator=(const FunctionStarts &copy) = default
FunctionStarts(const FunctionStarts &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t data_offset() const

Offset in the __LINKEDIT SegmentCommand where start functions are located.

inline uint32_t data_size() const

Size of the functions list in the binary.

inline const std::vector<uint64_t> &functions() const

Addresses of every function entry point in the executable.

This allows functions to exist for which there are no entries in the symbol table.

Warning

The address is relative to the __TEXT segment

inline std::vector<uint64_t> &functions()
inline void add_function(uint64_t address)

Add a new function.

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline void functions(std::vector<uint64_t> funcs)
inline span<const uint8_t> content() const
inline span<uint8_t> content()
~FunctionStarts() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Source Version

class SourceVersion : public LIEF::MachO::LoadCommand

Class that represents the MachO LoadCommand::TYPE::SOURCE_VERSION This command is used to provide the version of the sources used to build the binary.

Public Types

using version_t = std::array<uint32_t, 5>

Version is an array of 5 integers.

Public Functions

SourceVersion() = default
SourceVersion(const details::source_version_command &version_cmd)
SourceVersion &operator=(const SourceVersion &copy) = default
SourceVersion(const SourceVersion &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~SourceVersion() override = default
inline const version_t &version() const

Return the version as an array.

inline void version(const version_t &version)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Version Min

class VersionMin : public LIEF::MachO::LoadCommand

Class that wraps the LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, … commands.

Public Types

using version_t = std::array<uint32_t, 3>

Version is an array of 3 integers.

Public Functions

VersionMin() = default
VersionMin(const details::version_min_command &version_cmd)
VersionMin &operator=(const VersionMin &copy) = default
VersionMin(const VersionMin &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~VersionMin() override = default
inline const version_t &version() const

Return the version as an array.

inline void version(const version_t &version)
inline const version_t &sdk() const

Return the sdk version as an array.

inline void sdk(const version_t &sdk)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Relocation

class Relocation : public LIEF::Relocation

Class that represents a Mach-O relocation.

See also

:

Subclassed by LIEF::MachO::RelocationDyld, LIEF::MachO::RelocationFixup, LIEF::MachO::RelocationObject

Public Types

enum class ORIGIN

Values:

enumerator UNKNOWN = 0
enumerator DYLDINFO = 1
enumerator RELOC_TABLE = 2
enumerator CHAINED_FIXUPS = 3

Public Functions

Relocation() = default
Relocation(uint64_t address, uint8_t type)
Relocation &operator=(const Relocation &other)
Relocation(const Relocation &other)
void swap(Relocation &other) noexcept
~Relocation() override = default
virtual std::unique_ptr<Relocation> clone() const = 0
virtual bool is_pc_relative() const = 0

Indicates whether the item containing the address to be relocated is part of a CPU instruction that uses PC-relative addressing.

For addresses contained in PC-relative instructions, the CPU adds the address of the instruction to the address contained in the instruction.

inline virtual uint8_t type() const

Type of the relocation according to the Relocation::architecture and/or the Relocation::origin.

See:

inline Header::CPU_TYPE architecture() const

Achitecture targeted by this relocation.

virtual ORIGIN origin() const = 0

Origin of the relocation.

inline bool has_symbol() const

true if the relocation has a symbol associated with

inline Symbol *symbol()

Symbol associated with the relocation, if any, otherwise a nullptr.

inline const Symbol *symbol() const
inline bool has_section() const

true if the relocation has a section associated with

inline Section *section()

Section associated with the relocation, if any, otherwise a nullptr.

inline const Section *section() const
inline bool has_segment() const

true if the relocation has a SegmentCommand associated with

inline SegmentCommand *segment()

SegmentCommand associated with the relocation, if any, otherwise a nullptr.

inline const SegmentCommand *segment() const
virtual void pc_relative(bool val) = 0
virtual void type(uint8_t type)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const

Public Static Attributes

static auto R_SCATTERED = uint32_t(0x80000000)
static auto R_ABS = uint32_t(0)

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)

Relocation Object

class RelocationObject : public LIEF::MachO::Relocation

Class that represents a relocation presents in the MachO object file (.o). Usually, this kind of relocation is found in the MachO::Section.

See also

RelocationDyld

Public Functions

RelocationObject() = default
RelocationObject(const details::relocation_info &relocinfo)
RelocationObject(const details::scattered_relocation_info &scattered_relocinfo)
RelocationObject &operator=(const RelocationObject &other) = default
RelocationObject(const RelocationObject &other) = default
void swap(RelocationObject &other) noexcept
~RelocationObject() override = default
inline virtual std::unique_ptr<Relocation> clone() const override
inline virtual bool is_pc_relative() const override

Whether the relocation is PC relative.

virtual size_t size() const override

Size of the relocation.

virtual uint64_t address() const override

Address where the relocation is applied This address is relative to the start of the section where the relocation takes place.

inline bool is_scattered() const

true if the relocation is a scattered one

int32_t value() const

For scattered relocations: The address of the relocatable expression for the item in the file that needs to be updated if the address is changed.

For relocatable expressions with the difference of two section addresses, the address from which to subtract (in mathematical terms, the minuend) is contained in the first relocation entry and the address to subtract (the subtrahend) is contained in the second relocation entry.

inline virtual ORIGIN origin() const override

Origin of the relocation. For this object it should be Relocation::ORIGIN::RELOC_TABLE)

inline virtual void pc_relative(bool val) override
virtual void size(size_t size) override
void value(int32_t value)
virtual void accept(Visitor &visitor) const override
inline virtual std::ostream &print(std::ostream &os) const override
Relocation() = default
Relocation(uint64_t address, uint8_t type)
Relocation(const Relocation &other)

Public Static Functions

static inline bool classof(const Relocation &r)

Relocation Dyld

class RelocationDyld : public LIEF::MachO::Relocation

Class that represents a relocation found in the DyldInfo structure.

While this class does not have an associated structure in the Mach-O format specification, it provides a convenient interface for the Dyld::rebase

Public Functions

RelocationDyld() = default
RelocationDyld &operator=(const RelocationDyld&) = default
RelocationDyld(const RelocationDyld&) = default
~RelocationDyld() override = default
inline virtual std::unique_ptr<Relocation> clone() const override
virtual bool is_pc_relative() const override

Indicates whether the item containing the address to be relocated is part of a CPU instruction that uses PC-relative addressing.

For addresses contained in PC-relative instructions, the CPU adds the address of the instruction to the address contained in the instruction.

inline virtual ORIGIN origin() const override

Origin of the relocation. For this concrete object, it should be Relocation::ORIGIN::DYLDINFO.

virtual void pc_relative(bool val) override
bool operator<(const RelocationDyld &rhs) const
inline bool operator>=(const RelocationDyld &rhs) const
bool operator>(const RelocationDyld &rhs) const
inline bool operator<=(const RelocationDyld &rhs) const
virtual void accept(Visitor &visitor) const override
inline virtual std::ostream &print(std::ostream &os) const override
Relocation() = default
Relocation(uint64_t address, uint8_t type)
Relocation(const Relocation &other)

Public Static Functions

static inline bool classof(const Relocation &r)

Relocation Fixup

class RelocationFixup : public LIEF::MachO::Relocation

Class that represents a rebase relocation found in the LC_DYLD_CHAINED_FIXUPS command.

This class extends LIEF::Relocation in which LIEF::Relocation::address is set to the absolute virtual address where the relocation must take place (e.g. 0x10000d270).

On the other hand, RelocationFixup::target contains the value that should be set at LIEF::Relocation::address if the imagebase is LIEF::Binary::imagebase (e.g. 0x1000073a8).

If the Mach-O loader chooses another base address (like 0x7ff100000), it must set 0x10000d270 to 0x7ff1073a8.

Public Functions

RelocationFixup() = delete
RelocationFixup(DYLD_CHAINED_PTR_FORMAT fmt, uint64_t imagebase)
RelocationFixup &operator=(const RelocationFixup&)
RelocationFixup(const RelocationFixup&)
RelocationFixup &operator=(RelocationFixup&&) noexcept = default
RelocationFixup(RelocationFixup&&) noexcept = default
~RelocationFixup() override
inline virtual std::unique_ptr<Relocation> clone() const override
inline virtual bool is_pc_relative() const override

Not relevant for this kind of relocation.

inline virtual ORIGIN origin() const override

Origin of the relocation. For this concrete object, it should be Relocation::ORIGIN::CHAINED_FIXUPS.

inline DYLD_CHAINED_PTR_FORMAT ptr_format() const
uint64_t target() const

The value that should be set at the address pointed by LIEF::Relocation::address if the imagebase chosen by the loader is LIEF::Binary::imagebase. Otherwise: target() - LIEF::Binary::imagebase() + new_imagebase.

void target(uint64_t target)
inline virtual void pc_relative(bool) override

Not relevant for this kind of relocation.

inline uint32_t offset() const
inline void offset(uint32_t offset)
inline virtual uint64_t address() const override

The address of this relocation is bound to its offset.

inline virtual void address(uint64_t address) override

Changing the address means changing the offset.

virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Members

details::dyld_chained_ptr_arm64e_rebase *arm64_rebase_ = nullptr
details::dyld_chained_ptr_arm64e_auth_rebase *arm64_auth_rebase_
details::dyld_chained_ptr_64_rebase *p64_rebase_
details::dyld_chained_ptr_32_rebase *p32_rebase_

Public Static Functions

static inline bool classof(const Relocation &r)

Dyld Binding Info

class DyldBindingInfo : public LIEF::MachO::BindingInfo

This class represents a symbol binding operation associated with the LC_DYLD_INFO bytecode.

It does not represent a structure that exists in the Mach-O format specifications but it provides a view on an entry of the Dyld binding opcodes.

See also

: BindingInfo

Public Types

enum class CLASS : uint64_t

Values:

enumerator WEAK = 1u
enumerator LAZY = 2u
enumerator STANDARD = 3u
enumerator THREADED = 100u
enum class TYPE : uint64_t

Values:

enumerator POINTER = 1u
enumerator TEXT_ABSOLUTE32 = 2u
enumerator TEXT_PCREL32 = 3u

Public Functions

DyldBindingInfo() = default
DyldBindingInfo(CLASS cls, TYPE type, uint64_t address, int64_t addend = 0, int32_t oridnal = 0, bool is_weak = false, bool is_non_weak_definition = false, uint64_t offset = 0)
DyldBindingInfo &operator=(const DyldBindingInfo &other) = default
DyldBindingInfo(const DyldBindingInfo &other) = default
DyldBindingInfo(DyldBindingInfo&&) noexcept = default
void swap(DyldBindingInfo &other) noexcept
inline CLASS binding_class() const

Class of the binding (weak, lazy, …)

inline void binding_class(CLASS bind_class)
inline TYPE binding_type() const

Type of the binding. Most of the times it’s TYPE::POINTER.

inline void binding_type(TYPE type)
inline bool is_non_weak_definition() const
inline void set_non_weak_definition(bool val)
inline uint64_t original_offset() const

Original relative offset of the binding opcodes.

inline virtual BindingInfo::TYPES type() const override

The type of the binding. This type provides the origin of the binding (LC_DYLD_INFO or LC_DYLD_CHAINED_FIXUPS)

~DyldBindingInfo() override = default
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const BindingInfo *info)

Friends

inline friend std::ostream &operator<<(std::ostream &os, const DyldBindingInfo &info)

Chained Binding Info

class ChainedBindingInfo : public LIEF::MachO::BindingInfo

This class represents a symbol binding operation associated with the LC_DYLD_CHAINED_FIXUPS command.

This class does not represent a structure that exists in the Mach-O format specifications but it provides a view on an entry.

See also

: BindingInfo

Public Functions

ChainedBindingInfo() = delete
explicit ChainedBindingInfo(DYLD_CHAINED_FORMAT fmt, bool is_weak)
ChainedBindingInfo &operator=(ChainedBindingInfo other)
ChainedBindingInfo(const ChainedBindingInfo &other)
ChainedBindingInfo(ChainedBindingInfo&&) noexcept
void swap(ChainedBindingInfo &other) noexcept
inline DYLD_CHAINED_FORMAT format() const

Format of the imports.

inline DYLD_CHAINED_PTR_FORMAT ptr_format() const

Format of the pointer.

inline uint32_t offset() const

Original offset in the chain of this binding.

inline void offset(uint32_t offset)
inline virtual uint64_t address() const override

Address of the binding.

inline virtual void address(uint64_t address) override
uint64_t sign_extended_addend() const
inline virtual BindingInfo::TYPES type() const override

The type of the binding. This type provides the origin of the binding (LC_DYLD_INFO or LC_DYLD_CHAINED_FIXUPS)

inline ~ChainedBindingInfo() override
virtual void accept(Visitor &visitor) const override

Public Members

details::dyld_chained_ptr_arm64e_bind *arm64_bind_ = nullptr
details::dyld_chained_ptr_arm64e_auth_bind *arm64_auth_bind_
details::dyld_chained_ptr_arm64e_bind24 *arm64_bind24_
details::dyld_chained_ptr_arm64e_auth_bind24 *arm64_auth_bind24_
details::dyld_chained_ptr_64_bind *p64_bind_
details::dyld_chained_ptr_32_bind *p32_bind_

Public Static Functions

static inline bool classof(const BindingInfo *info)

Friends

inline friend std::ostream &operator<<(std::ostream &os, const ChainedBindingInfo &info)

Export Info

class ExportInfo : public LIEF::Object

Class that provides an interface over the Dyld export info.

This class does not represent a structure that exists in the Mach-O format specification but provides a view on an entry of the Dyld export trie.

Public Types

enum class KIND : uint64_t

Values:

enumerator REGULAR = 0x00u
enumerator THREAD_LOCAL_KIND = 0x01u
enumerator ABSOLUTE_KIND = 0x02u
enum class FLAGS : uint64_t

Values:

enumerator WEAK_DEFINITION = 0x04u
enumerator REEXPORT = 0x08u
enumerator STUB_AND_RESOLVER = 0x10u
using flag_list_t = std::vector<FLAGS>

Public Functions

ExportInfo() = default
inline ExportInfo(uint64_t address, uint64_t flags, uint64_t offset = 0)
ExportInfo &operator=(ExportInfo copy)
ExportInfo(const ExportInfo &copy)
void swap(ExportInfo &other) noexcept
inline uint64_t node_offset() const

Original offset in the export Trie.

inline uint64_t flags() const

Some information (ExportInfo::FLAGS) about the export. (like weak export, reexport, …)

inline void flags(uint64_t flags)
flag_list_t flags_list() const

The export flags() as a list.

bool has(FLAGS flag) const

Check if the current entry contains the provided ExportInfo::FLAGS.

inline KIND kind() const

The export’s kind (regular, thread local, absolute, …)

inline uint64_t other() const
inline uint64_t address() const

The address of the export.

inline void address(uint64_t addr)
inline bool has_symbol() const

Check if a symbol is associated with this export.

inline const Symbol *symbol() const

MachO::Symbol associated with this export or a nullptr if no symbol.

inline Symbol *symbol()
inline Symbol *alias()

If the export is a ExportInfo::FLAGS::REEXPORT, this returns the (optional) MachO::Symbol.

inline const Symbol *alias() const
inline DylibCommand *alias_library()

If the export is a ExportInfo::FLAGS::REEXPORT, this returns the (optional) library (MachO::DylibCommand)

inline const DylibCommand *alias_library() const
~ExportInfo() override = default
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ExportInfo &export_info)

Thread Command

class ThreadCommand : public LIEF::MachO::LoadCommand

Class that represents the LC_THREAD / LC_UNIXTHREAD commands and that can be used to get the binary entrypoint when the LC_MAIN (MainCommand) is not present.

Generally speaking, this command aims at defining the original state of the main thread which includes the registers’ values

Public Functions

ThreadCommand() = default
ThreadCommand(const details::thread_command &cmd, Header::CPU_TYPE arch = Header::CPU_TYPE::ANY)
ThreadCommand(uint32_t flavor, uint32_t count, Header::CPU_TYPE arch = Header::CPU_TYPE::ANY)
ThreadCommand &operator=(const ThreadCommand &copy) = default
ThreadCommand(const ThreadCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~ThreadCommand() override = default
inline uint32_t flavor() const

Integer that defines a special flavor for the thread.

The meaning of this value depends on the architecture(). The list of the values can be found in the XNU kernel files:

  • xnu/osfmk/mach/arm/thread_status.h for the ARM/AArch64 architectures

  • xnu/osfmk/mach/i386/thread_status.h for the x86/x86-64 architectures

inline uint32_t count() const

Size of the thread state data with 32-bits alignment.

This value should match state().size()

inline Header::CPU_TYPE architecture() const

The CPU architecture that is targeted by this ThreadCommand.

inline span<const uint8_t> state() const

The actual thread state as a vector of bytes. Depending on the architecture(), these data can be casted into x86_thread_state_t, x86_thread_state64_t, …

inline span<uint8_t> state()
uint64_t pc() const

Return the initial Program Counter regardless of the underlying architecture. This value, when non null, can be used to determine the binary’s entrypoint.

Underneath, it works by looking for the PC register value in the state() data

inline void state(std::vector<uint8_t> state)
inline void flavor(uint32_t flavor)
inline void count(uint32_t count)
inline void architecture(Header::CPU_TYPE arch)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

RPath Command

class RPathCommand : public LIEF::MachO::LoadCommand

Class that represents the LC_RPATH command.

This command is used to add path for searching libraries associated with the @rpath prefix.

Public Functions

RPathCommand() = default
RPathCommand(const details::rpath_command &rpathCmd)
RPathCommand &operator=(const RPathCommand &copy) = default
RPathCommand(const RPathCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~RPathCommand() override = default
inline const std::string &path() const

The rpath value as a string.

inline void path(std::string path)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Code Signature

class CodeSignature : public LIEF::MachO::LoadCommand

Public Functions

CodeSignature() = default
CodeSignature(const details::linkedit_data_command &cmd)
CodeSignature &operator=(const CodeSignature &copy) = default
CodeSignature(const CodeSignature &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t data_offset() const

Offset in the binary where the signature starts.

inline uint32_t data_size() const

Size of the raw signature.

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline span<uint8_t> content()
inline span<const uint8_t> content() const
~CodeSignature() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Data In Code

class DataInCode : public LIEF::MachO::LoadCommand

Interface of the LC_DATA_IN_CODE command This command is used to list slices of code sections that contain data. The slices information are stored as an array of DataCodeEntry.

See also

DataCodeEntry

Public Types

using entries_t = std::vector<DataCodeEntry>
using it_const_entries = const_ref_iterator<const entries_t&>
using it_entries = ref_iterator<entries_t&>

Public Functions

DataInCode() = default
DataInCode(const details::linkedit_data_command &cmd)
DataInCode &operator=(const DataInCode&) = default
DataInCode(const DataInCode&) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t data_offset() const

Start of the array of the DataCodeEntry entries.

inline uint32_t data_size() const

Size of the raw array (size = sizeof(DataCodeEntry) * nb_elements)

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline DataInCode &add(DataCodeEntry entry)

Add a new entry.

inline it_const_entries entries() const

Iterator over the DataCodeEntry.

inline it_entries entries()
inline span<uint8_t> content()
inline span<const uint8_t> content() const
~DataInCode() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Data Code Entry

class DataCodeEntry : public LIEF::Object

Interface over an entry in the DataInCode command.

Public Types

enum class TYPES

Values:

enumerator UNKNOWN = 0
enumerator DATA = 1
enumerator JUMP_TABLE_8 = 2
enumerator JUMP_TABLE_16 = 3
enumerator JUMP_TABLE_32 = 4
enumerator ABS_JUMP_TABLE_32 = 5

Public Functions

DataCodeEntry() = default
inline DataCodeEntry(uint32_t off, uint16_t length, TYPES type)
DataCodeEntry(const details::data_in_code_entry &entry)
DataCodeEntry &operator=(const DataCodeEntry&) = default
DataCodeEntry(const DataCodeEntry&) = default
inline uint32_t offset() const

Offset of the data.

inline uint16_t length() const

Length of the data.

inline TYPES type() const
inline void offset(uint32_t off)
inline void length(uint16_t length)
inline void type(TYPES type)
~DataCodeEntry() override = default
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const DataCodeEntry &entry)

Segment Split Info

class SegmentSplitInfo : public LIEF::MachO::LoadCommand

Class that represents the LoadCommand::TYPE::SEGMENT_SPLIT_INFO command.

Public Functions

SegmentSplitInfo() = default
SegmentSplitInfo(const details::linkedit_data_command &cmd)
SegmentSplitInfo &operator=(const SegmentSplitInfo &copy) = default
SegmentSplitInfo(const SegmentSplitInfo &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t data_offset() const
inline uint32_t data_size() const
inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline span<uint8_t> content()
inline span<const uint8_t> content() const
~SegmentSplitInfo() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Sub-Framework

class SubFramework : public LIEF::MachO::LoadCommand

Class that represents the SubFramework command. Accodring to the Mach-O loader.h documentation:

A dynamically linked shared library may be a subframework of an umbrella framework. If so it will be linked with “-umbrella umbrella_name” where Where “umbrella_name” is the name of the umbrella framework. A subframework can only be linked against by its umbrella framework or other subframeworks that are part of the same umbrella framework. Otherwise the static link editor produces an error and states to link against the umbrella framework. The name of the umbrella framework for subframeworks is recorded in the following structure.

Public Functions

SubFramework() = default
SubFramework(const details::sub_framework_command &cmd)
SubFramework &operator=(const SubFramework &copy) = default
SubFramework(const SubFramework &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline const std::string &umbrella() const

Name of the umbrella framework.

inline void umbrella(std::string u)
~SubFramework() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Dyld Environment

class DyldEnvironment : public LIEF::MachO::LoadCommand

Class that represents a LC_DYLD_ENVIRONMENT command which is used by the Mach-O linker/loader to initialize an environment variable.

Public Functions

DyldEnvironment() = default
DyldEnvironment(const details::dylinker_command &cmd)
DyldEnvironment &operator=(const DyldEnvironment &copy) = default
DyldEnvironment(const DyldEnvironment &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~DyldEnvironment() override = default
virtual std::ostream &print(std::ostream &os) const override
inline const std::string &value() const

The actual environment variable.

inline void value(std::string value)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Encryption Info

class EncryptionInfo : public LIEF::MachO::LoadCommand

Class that represents the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 commands.

The encryption info is usually present in Mach-O executables that target iOS to encrypt some sections of the binary

Public Functions

EncryptionInfo() = default
EncryptionInfo(const details::encryption_info_command &cmd)
EncryptionInfo &operator=(const EncryptionInfo &copy) = default
EncryptionInfo(const EncryptionInfo &copy) = default
~EncryptionInfo() override = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t crypt_offset() const

The beginning of the encrypted area.

inline uint32_t crypt_size() const

The size of the encrypted area.

inline uint32_t crypt_id() const

The encryption system. 0 means no encrypted.

inline void crypt_offset(uint32_t offset)
inline void crypt_size(uint32_t size)
inline void crypt_id(uint32_t id)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Build Version

class BuildVersion : public LIEF::MachO::LoadCommand

Public Types

enum class PLATFORMS

Values:

enumerator UNKNOWN = 0
enumerator MACOS = 1
enumerator IOS = 2
enumerator TVOS = 3
enumerator WATCHOS = 4
using version_t = std::array<uint32_t, 3>

Version is an array of 3 integers.

using tools_list_t = std::vector<BuildToolVersion>

Public Functions

BuildVersion() = default
BuildVersion(const details::build_version_command &version_cmd)
BuildVersion(const PLATFORMS platform, const version_t &minos, const version_t &sdk, const tools_list_t &tools)
BuildVersion &operator=(const BuildVersion &copy) = default
BuildVersion(const BuildVersion &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline version_t minos() const
inline void minos(version_t version)
inline version_t sdk() const
inline void sdk(version_t version)
inline PLATFORMS platform() const
inline void platform(PLATFORMS plat)
inline const tools_list_t &tools() const
~BuildVersion() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Build Tool Version

class BuildToolVersion : public LIEF::Object

Class that represents a tool’s version that was involved in the build of the binary.

Public Types

enum class TOOLS

Values:

enumerator UNKNOWN = 0
enumerator CLANG = 1
enumerator SWIFT = 2
enumerator LD = 3
using version_t = std::array<uint32_t, 3>

A version is an array of 3 integers.

Public Functions

BuildToolVersion() = default
BuildToolVersion(const details::build_tool_version &tool)
inline TOOLS tool() const

The tools used.

inline version_t version() const

Version associated with the tool.

~BuildToolVersion() override = default
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const BuildToolVersion &tool)

Fileset Command

class FilesetCommand : public LIEF::MachO::LoadCommand

Class associated with the LC_FILESET_ENTRY commands.

Public Types

using content_t = std::vector<uint8_t>

Public Functions

FilesetCommand() = default
FilesetCommand(const details::fileset_entry_command &command)
inline FilesetCommand(std::string name)
FilesetCommand &operator=(FilesetCommand copy)
FilesetCommand(const FilesetCommand &copy)
void swap(FilesetCommand &other) noexcept
inline virtual std::unique_ptr<LoadCommand> clone() const override
~FilesetCommand() override = default
inline const std::string &name() const

Name of the underlying MachO binary (e.g. com.apple.security.quarantine)

inline uint64_t virtual_address() const

Memory address where the MachO file should be mapped.

inline uint64_t file_offset() const

Original offset in the kernel cache.

inline const Binary *binary() const

Return a pointer on the LIEF::MachO::Binary associated with this entry.

inline Binary *binary()
inline void name(std::string name)
inline void virtual_address(uint64_t virtual_address)
inline void file_offset(uint64_t file_offset)
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Friends

friend class BinaryParser

DyldChainedFixups Command

class DyldChainedFixups : public LIEF::MachO::LoadCommand

Class that represents the LC_DYLD_CHAINED_FIXUPS command.

This command aims at providing rebase and binding information like the DyldInfo’s bytecode. Compared to the DyldInfo bytecode, these chained fixups are taking less space.

Public Types

using chained_starts_in_segments_t = std::vector<chained_starts_in_segment>

Internal container for storing chained_starts_in_segment.

using it_chained_starts_in_segments_t = ref_iterator<chained_starts_in_segments_t&>

Iterator that outputs chained_starts_in_segment&.

using it_const_chained_starts_in_segments_t = const_ref_iterator<const chained_starts_in_segments_t&>

Iterator that outputs const chained_starts_in_segment&.

using binding_info_t = std::vector<std::unique_ptr<ChainedBindingInfo>>

Internal container for storing DyldBindingInfo.

using it_binding_info = ref_iterator<binding_info_t&, ChainedBindingInfo*>

Iterator which outputs DyldBindingInfo&.

using it_const_binding_info = const_ref_iterator<const binding_info_t&, ChainedBindingInfo*>

Iterator which outputs const DyldBindingInfo&.

Public Functions

DyldChainedFixups()
DyldChainedFixups(const details::linkedit_data_command &cmd)
inline virtual std::unique_ptr<LoadCommand> clone() const override
~DyldChainedFixups() override
inline uint32_t data_offset() const

Offset of the LC_DYLD_CHAINED_FIXUPS chained payload. This offset should point in the __LINKEDIT segment.

inline uint32_t data_size() const

Size of the LC_DYLD_CHAINED_FIXUPS payload.

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline it_binding_info bindings()

Iterator over the bindings (ChainedBindingInfo) associated with this command.

inline it_const_binding_info bindings() const

Iterator over the bindings (ChainedBindingInfo) associated with this command.

inline it_chained_starts_in_segments_t chained_starts_in_segments()

Iterator over the chained fixup metadata.

inline it_const_chained_starts_in_segments_t chained_starts_in_segments() const
inline uint32_t fixups_version() const

Chained fixups version. The loader (dyld v852.2) checks that this value is set to 0.

inline void fixups_version(uint32_t version)
inline uint32_t starts_offset() const

offset of dyld_chained_starts_in_image in chain_data

inline void starts_offset(uint32_t offset)
inline uint32_t imports_offset() const

Offset of imports table in chain data.

inline void imports_offset(uint32_t offset)
inline uint32_t symbols_offset() const

Offset of symbol strings in chain data.

inline void symbols_offset(uint32_t offset)
inline uint32_t imports_count() const

Number of imported symbol names.

inline void imports_count(uint32_t cnt)
inline uint32_t symbols_format() const

The compression algorithm (if any) used to store the symbols 0 means uncompressed while 1 means zlib compressed.

As far of the version v852.2 of dyld loader, it only supports uncompressed format

inline void symbols_format(uint32_t fmt)
inline DYLD_CHAINED_FORMAT imports_format() const

The format of the imports (ChainedBindingInfo)

inline void imports_format(DYLD_CHAINED_FORMAT fmt)
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)
struct chained_starts_in_segment

Structure that mirrors the raw dyld_chained_starts_in_segment which aims at providing information about the chained rebase/bind fixups.

The relocations provided by this structure can be accessed through SegmentCommand::relocations

Public Functions

inline size_t page_count() const

How many pages are in the page_start array.

Public Members

uint32_t offset = 0

Original offset of the structure, relative to DyldChainedFixups::starts_offset.

uint32_t size = 0

sizeof(size) + sizeof(page_size) + … + sizeof(pointer_format)

uint16_t page_size = 0

Likely 0x1000 for x86/x86_64 architectures and 0x4000 for ARM64 architecture.

uint64_t segment_offset = 0

Offset of the segment’s data from the beginning of the file (it should match SegmentCommand::file_offset)

uint32_t max_valid_pointer = 0

for 32-bit OS, any value beyond this is not a pointer

DYLD_CHAINED_PTR_FORMAT pointer_format

How pointers are encoded.

std::vector<uint16_t> page_start

Offset in the SegmentCommand of the first element of the chain.

std::vector<uint16_t> chain_starts

Currently not supported.

SegmentCommand &segment

Segment in which the rebase/bind fixups take place.

Friends

friend std::ostream &operator<<(std::ostream &os, const chained_starts_in_segment &info)

DyldExportsTrie Command

class DyldExportsTrie : public LIEF::MachO::LoadCommand

Class that represents the LC_DYLD_EXPORTS_TRIE command.

In recent Mach-O binaries, this command replace the DyldInfo export trie buffer

Public Types

using export_info_t = std::vector<std::unique_ptr<ExportInfo>>

Internal container for storing ExportInfo.

using it_export_info = ref_iterator<export_info_t&, ExportInfo*>

Iterator which outputs const ExportInfo&.

using it_const_export_info = const_ref_iterator<const export_info_t&, ExportInfo*>

Iterator which outputs const ExportInfo&.

Public Functions

DyldExportsTrie()
DyldExportsTrie(const details::linkedit_data_command &cmd)
inline virtual std::unique_ptr<LoadCommand> clone() const override
void swap(DyldExportsTrie &other) noexcept
~DyldExportsTrie() override
inline uint32_t data_offset() const

Offset of the LC_DYLD_EXPORTS_TRIE. This offset should point in the __LINKEDIT segment.

inline uint32_t data_size() const

Size of the LC_DYLD_EXPORTS_TRIE payload.

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline span<const uint8_t> content() const
inline it_export_info exports()

Iterator over the ExportInfo entries.

inline it_const_export_info exports() const
std::string show_export_trie() const

Print the exports trie in a humman-readable way.

void add(std::unique_ptr<ExportInfo> info)

Add an entrie in the current trie. See also: LIEF::MachO::Binary::add_exported_function.

virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Code Signature Dir Command

class CodeSignatureDir : public LIEF::MachO::LoadCommand

Public Functions

CodeSignatureDir() = default
CodeSignatureDir(const details::linkedit_data_command &cmd)
CodeSignatureDir &operator=(const CodeSignatureDir &copy) = default
CodeSignatureDir(const CodeSignatureDir &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t data_offset() const

Offset in the binary where the signature starts.

inline uint32_t data_size() const

Size of the raw signature.

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline span<const uint8_t> content() const
inline span<uint8_t> content()
~CodeSignatureDir() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Linker Optimization Hint Command

class LinkerOptHint : public LIEF::MachO::LoadCommand

Class which represents the LC_LINKER_OPTIMIZATION_HINT command.

Public Functions

LinkerOptHint() = default
LinkerOptHint(const details::linkedit_data_command &cmd)
LinkerOptHint &operator=(const LinkerOptHint &copy) = default
LinkerOptHint(const LinkerOptHint &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline uint32_t data_offset() const

Offset in the binary where the hint starts.

inline uint32_t data_size() const

Size of the payload.

inline void data_offset(uint32_t offset)
inline void data_size(uint32_t size)
inline span<const uint8_t> content() const
inline span<uint8_t> content()
~LinkerOptHint() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Two Level Hints Command

class TwoLevelHints : public LIEF::MachO::LoadCommand

Class which represents the LC_TWOLEVEL_HINTS command.

Public Types

using hints_list_t = std::vector<uint32_t>
using it_hints_t = ref_iterator<hints_list_t&>
using it_const_hints_t = const_ref_iterator<const hints_list_t&>

Public Functions

TwoLevelHints() = default
TwoLevelHints(const details::twolevel_hints_command &cmd)
TwoLevelHints &operator=(const TwoLevelHints &copy) = default
TwoLevelHints(const TwoLevelHints &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
inline span<const uint8_t> content() const

Original payload of the command.

inline span<uint8_t> content()
inline it_hints_t hints()

Iterator over the hints (uint32_t integers)

inline it_const_hints_t hints() const
inline uint32_t offset() const

Original offset of the command. It should point in the __LINKEDIT segment.

inline void offset(uint32_t offset)
inline uint32_t original_nb_hints() const
~TwoLevelHints() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Unknown Command

class UnknownCommand : public LIEF::MachO::LoadCommand

Generic class when the command is not recognized by LIEF.

Public Functions

UnknownCommand() = delete
inline UnknownCommand(const details::load_command &command)
UnknownCommand &operator=(const UnknownCommand &copy) = default
UnknownCommand(const UnknownCommand &copy) = default
inline virtual std::unique_ptr<LoadCommand> clone() const override
~UnknownCommand() override = default
inline uint64_t original_command() const

The original LC_ int that is not supported by LIEF.

virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadCommand *cmd)

Utilities

bool LIEF::MachO::is_macho(const std::string &file)

Check if the given file is a Mach-O binary.

bool LIEF::MachO::is_macho(const std::vector<uint8_t> &raw)

Check if the given raw data is a Mach-O binary.

bool LIEF::MachO::is_fat(const std::string &file)

Check if the given file is a FAT Mach-O.

bool LIEF::MachO::is_64(const std::string &file)

Check if the given Mach-O is 64-bits.

Enums

enum class LIEF::MachO::MACHO_TYPES : uint32_t

Values:

enumerator UNKNOWN = 0
enumerator MH_MAGIC = 0xFEEDFACEu

32-bit big-endian magic

enumerator MH_CIGAM = 0xCEFAEDFEu

32-bit little-endian magic

enumerator MH_MAGIC_64 = 0xFEEDFACFu

64-bit big-endian magic

enumerator MH_CIGAM_64 = 0xCFFAEDFEu

64-bit little-endian magic

enumerator FAT_MAGIC = 0xCAFEBABEu

big-endian fat magic

enumerator FAT_CIGAM = 0xBEBAFECAu

little-endian fat magic

enum class LIEF::MachO::X86_RELOCATION

Values:

enumerator GENERIC_RELOC_VANILLA = 0

A generic relocation entry for both addresses contained in data and addresses contained in CPU instructions.

enumerator GENERIC_RELOC_PAIR = 1

The second relocation entry of a pair.

enumerator GENERIC_RELOC_SECTDIFF = 2

A relocation entry for an item that contains the difference of two section addresses. This is generally used for position-independent code generation.

enumerator GENERIC_RELOC_PB_LA_PTR = 3

contains the address from which to subtract; it must be followed by a X86_RELOCATION::GENERIC_RELOC_PAIR containing the address to subtract.

enumerator GENERIC_RELOC_LOCAL_SECTDIFF = 4

Similar to X86_RELOCATION::GENERIC_RELOC_SECTDIFF except that this entry refers specifically to the address in this item. If the address is that of a globally visible coalesced symbol, this relocation entry does not change if the symbol is overridden. This is used to associate stack unwinding information with the object code this relocation entry describes.

enumerator GENERIC_RELOC_TLV = 5

A relocation entry for a prebound lazy pointer. This is always a scattered relocation entry. The MachO::Relocation::value field contains the non-prebound value of the lazy pointer.

enum class LIEF::MachO::X86_64_RELOCATION

Values:

enumerator X86_64_RELOC_UNSIGNED = 0

A CALL/JMP instruction with 32-bit displacement.

enumerator X86_64_RELOC_SIGNED = 1

A MOVQ load of a GOT entry.

enumerator X86_64_RELOC_BRANCH = 2

Other GOT references.

enumerator X86_64_RELOC_GOT_LOAD = 3

Signed 32-bit displacement.

enumerator X86_64_RELOC_GOT = 4

Absolute address.

enumerator X86_64_RELOC_SUBTRACTOR = 5

Must be followed by a X86_64_RELOCATION::X86_64_RELOC_UNSIGNED relocation.

enumerator X86_64_RELOC_SIGNED_1 = 6
enumerator X86_64_RELOC_SIGNED_2 = 7
enumerator X86_64_RELOC_SIGNED_4 = 8
enumerator X86_64_RELOC_TLV = 9
enum class LIEF::MachO::PPC_RELOCATION

Values:

enumerator PPC_RELOC_VANILLA = 0
enumerator PPC_RELOC_PAIR = 1
enumerator PPC_RELOC_BR14 = 2
enumerator PPC_RELOC_BR24 = 3
enumerator PPC_RELOC_HI16 = 4
enumerator PPC_RELOC_LO16 = 5
enumerator PPC_RELOC_HA16 = 6
enumerator PPC_RELOC_LO14 = 7
enumerator PPC_RELOC_SECTDIFF = 8
enumerator PPC_RELOC_PB_LA_PTR = 9
enumerator PPC_RELOC_HI16_SECTDIFF = 10
enumerator PPC_RELOC_LO16_SECTDIFF = 11
enumerator PPC_RELOC_HA16_SECTDIFF = 12
enumerator PPC_RELOC_JBSR = 13
enumerator PPC_RELOC_LO14_SECTDIFF = 14
enumerator PPC_RELOC_LOCAL_SECTDIFF = 15
enum class LIEF::MachO::ARM_RELOCATION

Values:

enumerator ARM_RELOC_VANILLA = 0
enumerator ARM_RELOC_PAIR = 1
enumerator ARM_RELOC_SECTDIFF = 2
enumerator ARM_RELOC_LOCAL_SECTDIFF = 3
enumerator ARM_RELOC_PB_LA_PTR = 4
enumerator ARM_RELOC_BR24 = 5
enumerator ARM_THUMB_RELOC_BR22 = 6
enumerator ARM_THUMB_32BIT_BRANCH = 7
enumerator ARM_RELOC_HALF = 8
enumerator ARM_RELOC_HALF_SECTDIFF = 9
enum class LIEF::MachO::ARM64_RELOCATION

Values:

enumerator ARM64_RELOC_UNSIGNED = 0

For pointers.

enumerator ARM64_RELOC_SUBTRACTOR = 1

Must be followed by an ARM64_RELOCATION::ARM64_RELOC_UNSIGNED

enumerator ARM64_RELOC_BRANCH26 = 2

A B/BL instruction with 26-bit displacement.

enumerator ARM64_RELOC_PAGE21 = 3

PC-rel distance to page of target.

enumerator ARM64_RELOC_PAGEOFF12 = 4

Offset within page, scaled by MachO::Relocation::size.

enumerator ARM64_RELOC_GOT_LOAD_PAGE21 = 5

PC-rel distance to page of GOT slot

enumerator ARM64_RELOC_GOT_LOAD_PAGEOFF12 = 6

Offset within page of GOT slot, scaled by MachO::Relocation::size.

enumerator ARM64_RELOC_POINTER_TO_GOT = 7

For pointers to GOT slots.

enumerator ARM64_RELOC_TLVP_LOAD_PAGE21 = 8

PC-rel distance to page of TLVP slot.

enumerator ARM64_RELOC_TLVP_LOAD_PAGEOFF12 = 9

Offset within page of TLVP slot, scaled by MachO::Relocation::size.

enumerator ARM64_RELOC_ADDEND = 10

Must be followed by ARM64_RELOCATION::ARM64_RELOC_PAGE21 or ARM64_RELOCATION::ARM64_RELOC_PAGEOFF12.

enum class LIEF::MachO::DYLD_CHAINED_FORMAT

Values:

enumerator IMPORT = 1
enumerator IMPORT_ADDEND = 2
enumerator IMPORT_ADDEND64 = 3
enum LIEF::MachO::DYLD_CHAINED_PTR_FORMAT

Values:

enumerator PTR_ARM64E = 1
enumerator PTR_64 = 2
enumerator PTR_32 = 3
enumerator PTR_32_CACHE = 4
enumerator PTR_32_FIRMWARE = 5
enumerator PTR_64_OFFSET = 6
enumerator PTR_ARM64E_OFFSET = 7
enumerator PTR_ARM64E_KERNEL = 7
enumerator PTR_64_KERNEL_CACHE = 8
enumerator PTR_ARM64E_USERLAND = 9
enumerator PTR_ARM64E_FIRMWARE = 10
enumerator PTR_X86_64_KERNEL_CACHE = 11
enumerator PTR_ARM64E_USERLAND24 = 12