ChainedPointerAnalysis.hpp

Go to the documentation of this file.

/* Copyright 2017 - 2026 R. Thomas
 * Copyright 2017 - 2026 Quarkslab
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#ifndef LIEF_MACHO_CHAINED_PTR_ANALYSIS_H
#define LIEF_MACHO_CHAINED_PTR_ANALYSIS_H
#include <memory>
#include <ostream>
#include <functional>
#include <cstring>
 
#include "LIEF/MachO/DyldChainedFormat.hpp"
#include "LIEF/errors.hpp"
#include "LIEF/visibility.h"
 
namespace LIEF {
class BinaryStream;
namespace MachO {
class LIEF_API ChainedPointerAnalysis {
  public:
  // DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E
  struct dyld_chained_ptr_arm64e_rebase_t {
    uint64_t target : 43, high8 : 8, next : 11, bind : 1, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_rebase_t& chain);
 
    uint64_t unpack_target() const {
      return uint64_t(high8) | target;
    }
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E
  struct dyld_chained_ptr_arm64e_bind_t {
    uint64_t ordinal : 16, zero : 16, addend : 19, next : 11, bind : 1, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os, const dyld_chained_ptr_arm64e_bind_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E
  struct dyld_chained_ptr_arm64e_auth_rebase_t {
    uint64_t target : 32, diversity : 16, addr_div : 1, key : 2, next : 11,
        bind : 1, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_auth_rebase_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E
  struct dyld_chained_ptr_arm64e_auth_bind_t {
    uint64_t ordinal : 16, zero : 16, diversity : 16, addr_div : 1, key : 2,
        next : 11, bind : 1, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_auth_bind_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_64 & DYLD_CHAINED_PTR_FORMAT::PTR_64_OFFSET
  struct dyld_chained_ptr_64_rebase_t {
    uint64_t target : 36, high8 : 8, reserved : 7, next : 12, bind : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os, const dyld_chained_ptr_64_rebase_t& chain);
 
    uint64_t unpack_target() const {
      return uint64_t(high8) | target;
    }
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_USERLAND24
  struct dyld_chained_ptr_arm64e_bind24_t {
    uint64_t ordinal : 24, zero : 8, addend : 19, next : 11, bind : 1, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_bind24_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_USERLAND24
  struct dyld_chained_ptr_arm64e_auth_bind24_t {
    uint64_t ordinal : 24, zero : 8, diversity : 16, addr_div : 1, key : 2,
        next : 11, bind : 1, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_auth_bind24_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_64
  struct dyld_chained_ptr_64_bind_t {
    uint64_t ordinal : 24, addend : 8, reserved : 19, next : 12, bind : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os, const dyld_chained_ptr_64_bind_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_64_KERNEL_CACHE
  struct dyld_chained_ptr_64_kernel_cache_rebase_t {
    uint64_t target : 30, cache_level : 2, diversity : 16, addr_div : 1, key : 2,
        next : 12, is_auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_64_kernel_cache_rebase_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_32
  struct dyld_chained_ptr_32_rebase_t {
    uint32_t target : 26, next : 5, bind : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os, const dyld_chained_ptr_32_rebase_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_32
  struct dyld_chained_ptr_32_bind_t {
    uint32_t ordinal : 20, addend : 6, next : 5, bind : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os, const dyld_chained_ptr_32_bind_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_32_CACHE
  struct dyld_chained_ptr_32_cache_rebase_t {
    uint32_t target : 30, next : 2;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_32_cache_rebase_t& chain);
  };
 
  // DYLD_CHAINED_PTR_FORMAT::PTR_32_FIRMWARE
  struct dyld_chained_ptr_32_firmware_rebase_t {
    uint32_t target : 26, next : 6;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_32_firmware_rebase_t& chain);
  };
 
  // DYLD_CHAINED_PTR_ARM64E_SEGMENTED
  struct dyld_chained_ptr_arm64e_segmented_rebase_t {
    uint32_t target_seg_offset : 28, target_seg_index : 4;
    uint32_t padding : 19, next : 12, auth : 1;
 
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_segmented_rebase_t& chain);
  };
 
  // DYLD_CHAINED_PTR_ARM64E_SEGMENTED
  struct dyld_chained_ptr_arm64e_auth_segmented_rebase_t {
    uint32_t target_seg_offset : 28, target_seg_index : 4;
    uint32_t diversity : 16, addr_div : 1, key : 2, next : 12, auth : 1;
    friend LIEF_API std::ostream&
        operator<<(std::ostream& os,
                   const dyld_chained_ptr_arm64e_auth_segmented_rebase_t& chain);
  };
 
 
  enum class PTR_TYPE : uint64_t {
    UNKNOWN = 0,
    DYLD_CHAINED_PTR_ARM64E_REBASE,
    DYLD_CHAINED_PTR_ARM64E_BIND,
    DYLD_CHAINED_PTR_ARM64E_AUTH_REBASE,
    DYLD_CHAINED_PTR_ARM64E_AUTH_BIND,
    DYLD_CHAINED_PTR_64_REBASE,
    DYLD_CHAINED_PTR_ARM64E_BIND24,
    DYLD_CHAINED_PTR_ARM64E_AUTH_BIND24,
    DYLD_CHAINED_PTR_64_BIND,
    DYLD_CHAINED_PTR_64_KERNEL_CACHE_REBASE,
    DYLD_CHAINED_PTR_32_REBASE,
    DYLD_CHAINED_PTR_32_BIND,
    DYLD_CHAINED_PTR_32_CACHE_REBASE,
    DYLD_CHAINED_PTR_32_FIRMWARE_REBASE,
    DYLD_CHAINED_PTR_ARM64E_SEGMENTED_REBASE,
    DYLD_CHAINED_PTR_ARM64E_AUTH_SEGMENTED_REBASE,
  };
 
  static std::unique_ptr<ChainedPointerAnalysis> from_value(uint64_t value,
                                                            size_t size) {
    return std::unique_ptr<ChainedPointerAnalysis>(
        new ChainedPointerAnalysis(value, size)
    );
  }
 
  static size_t stride(DYLD_CHAINED_PTR_FORMAT fmt) {
    switch (fmt) {
      case DYLD_CHAINED_PTR_FORMAT::NONE: return 0;
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_USERLAND:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_USERLAND24:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_SHARED_CACHE: return 8;
 
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_KERNEL:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_FIRMWARE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_32_FIRMWARE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_64:
      case DYLD_CHAINED_PTR_FORMAT::PTR_64_OFFSET:
      case DYLD_CHAINED_PTR_FORMAT::PTR_32:
      case DYLD_CHAINED_PTR_FORMAT::PTR_32_CACHE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_64_KERNEL_CACHE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_SEGMENTED: return 4;
 
      case DYLD_CHAINED_PTR_FORMAT::PTR_X86_64_KERNEL_CACHE: return 1;
    }
    return 0;
  }
 
  static size_t ptr_size(DYLD_CHAINED_PTR_FORMAT fmt) {
    switch (fmt) {
      case DYLD_CHAINED_PTR_FORMAT::NONE: return 0;
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_USERLAND:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_USERLAND24:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_KERNEL:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_FIRMWARE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_64:
      case DYLD_CHAINED_PTR_FORMAT::PTR_64_OFFSET:
      case DYLD_CHAINED_PTR_FORMAT::PTR_64_KERNEL_CACHE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_X86_64_KERNEL_CACHE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_SHARED_CACHE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_ARM64E_SEGMENTED: return sizeof(uint64_t);
 
      case DYLD_CHAINED_PTR_FORMAT::PTR_32_FIRMWARE:
      case DYLD_CHAINED_PTR_FORMAT::PTR_32:
      case DYLD_CHAINED_PTR_FORMAT::PTR_32_CACHE: return sizeof(uint32_t);
    }
    return 0;
  }
 
  ChainedPointerAnalysis(uint64_t value, size_t size) :
    value_(value),
    size_(size) {}
 
  ChainedPointerAnalysis(const ChainedPointerAnalysis&) = default;
  ChainedPointerAnalysis& operator=(const ChainedPointerAnalysis&) = default;
 
  ChainedPointerAnalysis(ChainedPointerAnalysis&&) noexcept = default;
  ChainedPointerAnalysis& operator=(ChainedPointerAnalysis&&) noexcept = default;
 
  ~ChainedPointerAnalysis() = default;
 
  uint64_t value() const {
    return value_;
  }
 
  size_t size() const {
    return size_;
  }
 
  const dyld_chained_ptr_arm64e_rebase_t dyld_chained_ptr_arm64e_rebase() const {
    dyld_chained_ptr_arm64e_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_bind_t dyld_chained_ptr_arm64e_bind() const {
    dyld_chained_ptr_arm64e_bind_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_auth_rebase_t
      dyld_chained_ptr_arm64e_auth_rebase() const {
    dyld_chained_ptr_arm64e_auth_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_auth_bind_t
      dyld_chained_ptr_arm64e_auth_bind() const {
    dyld_chained_ptr_arm64e_auth_bind_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_64_rebase_t dyld_chained_ptr_64_rebase() const {
    dyld_chained_ptr_64_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_bind24_t dyld_chained_ptr_arm64e_bind24() const {
    dyld_chained_ptr_arm64e_bind24_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_auth_bind24_t
      dyld_chained_ptr_arm64e_auth_bind24() const {
    dyld_chained_ptr_arm64e_auth_bind24_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_64_bind_t dyld_chained_ptr_64_bind() const {
    dyld_chained_ptr_64_bind_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_64_kernel_cache_rebase_t
      dyld_chained_ptr_64_kernel_cache_rebase() const {
    dyld_chained_ptr_64_kernel_cache_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_32_rebase_t dyld_chained_ptr_32_rebase() const {
    dyld_chained_ptr_32_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_32_bind_t dyld_chained_ptr_32_bind() const {
    dyld_chained_ptr_32_bind_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_32_cache_rebase_t
      dyld_chained_ptr_32_cache_rebase() const {
    dyld_chained_ptr_32_cache_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_32_firmware_rebase_t
      dyld_chained_ptr_32_firmware_rebase() const {
    dyld_chained_ptr_32_firmware_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_segmented_rebase_t
      dyld_chained_ptr_arm64e_segmented_rebase() const {
    dyld_chained_ptr_arm64e_segmented_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  const dyld_chained_ptr_arm64e_auth_segmented_rebase_t
      dyld_chained_ptr_arm64e_auth_segmented_rebase() const {
    dyld_chained_ptr_arm64e_auth_segmented_rebase_t result;
    std::memcpy(&result, &value_, sizeof(result));
    return result;
  }
 
  struct union_pointer_t {
    PTR_TYPE type = PTR_TYPE::UNKNOWN;
    union {
      dyld_chained_ptr_arm64e_rebase_t arm64e_rebase;
      dyld_chained_ptr_arm64e_bind_t arm64e_bind;
      dyld_chained_ptr_arm64e_auth_rebase_t arm64e_auth_rebase;
      dyld_chained_ptr_arm64e_auth_bind_t arm64e_auth_bind;
      dyld_chained_ptr_64_rebase_t ptr_64_rebase;
      dyld_chained_ptr_arm64e_bind24_t arm64e_bind24;
      dyld_chained_ptr_arm64e_auth_bind24_t arm64e_auth_bind24;
      dyld_chained_ptr_64_bind_t ptr_64_bind;
      dyld_chained_ptr_64_kernel_cache_rebase_t ptr_64_kernel_cache_rebase;
      dyld_chained_ptr_32_rebase_t ptr_32_rebase;
      dyld_chained_ptr_32_bind_t ptr_32_bind;
      dyld_chained_ptr_32_cache_rebase_t ptr_32_cache_rebase;
      dyld_chained_ptr_32_firmware_rebase_t ptr_32_firmware_rebase;
 
      dyld_chained_ptr_arm64e_segmented_rebase_t ptr_arm64e_segmented_rebase;
      dyld_chained_ptr_arm64e_auth_segmented_rebase_t
          ptr_arm64e_auth_segmented_rebase;
      uint64_t raw;
    };
    uint32_t next() const;
 
    result<uint32_t> ordinal() const;
    result<uint64_t> target() const;
 
    bool is_bind() const {
      return (bool)ordinal();
    }
    bool is_auth() const;
 
    friend LIEF_API std::ostream& operator<<(std::ostream& os,
                                             const union_pointer_t& ptr);
  };
 
  static_assert(sizeof(union_pointer_t) == 16);
 
  union_pointer_t get_as(DYLD_CHAINED_PTR_FORMAT fmt) const;
 
  static uint64_t walk_chain(
      BinaryStream& stream, DYLD_CHAINED_PTR_FORMAT format,
      const std::function<int(uint64_t, const union_pointer_t& ptr)>& callback
  );
 
  private:
  uint64_t value_ = 0;
  size_t size_ = 0;
};
}
}
#endif