ionicons-v5-d 0.17.0 (baa063c8)
Updated on 29/06/2025, 18:48:01.

Mach-O

 API

Introduction

Mach-O binaries can be parsed with LIEF using the
lief::macho::FatBinary::parse lief.MachO.parse() LIEF::MachO::Parser::parse()
function.

Note

The Mach-O format defines the notion of FAT binaries which can embed different architectures into a single file.
lief::macho::FatBinary::parse lief.MachO.parse() LIEF::MachO::Parser::parse()
always returns a
lief::macho::FatBinary lief.MachO.FatBinary LIEF::MachO::FatBinary
with the assumption that a non-fat Mach-O can be represented as a
lief::macho::FatBinary lief.MachO.FatBinary LIEF::MachO::FatBinary
with one architecture.
import lief

# Using filepath
macho: lief.MachO.FatBinary = lief.MachO.parse("/bin/ls")

# Using a Path from pathlib
macho: lief.MachO.FatBinary = lief.MachO.parse(pathlib.Path(r"C:\Users\test.macho"))

# Using a io object
with open("/bin/ssh", 'rb') as f:
  macho: lief.MachO.FatBinary = lief.MachO.parse(f)
This
lief::macho::FatBinary lief.MachO.FatBinary LIEF::MachO::FatBinary
object exposes facilities to either iterate over the different
lief::macho::Binary lief.MachO.Binary LIEF::MachO::Binary
or pick/take a specific one:
fat: lief.MachO.FatBinary

# Iterate
for macho in fat:
    print(macho.entrypoint)
    print(len(macho.commands))

# Pick one at the specified index
macho: lief.MachO.Binary = fat.at(0)

# Pick one based on the architecture
macho: lief.MachO.Binary = fat.take(lief.MachO.Header.CPU_TYPE.ARM64)
Upon a
lief::macho::Binary lief.MachO.Binary LIEF::MachO::Binary
or
lief::macho::FatBinary lief.MachO.FatBinary LIEF::MachO::FatBinary
modification, one can use either
lief::macho::Binary::write lief::macho::Binary::write_with_config lief.MachO.Binary.write() LIEF::MachO::Binary::write()
or
lief.FatBinary.Binary.write() LIEF::FatBinary::Binary::write()
to write back the (FAT) MachO binary object into a raw MachO file.
macho: lief.MachO.FatBinary = ...

macho.at(0).write("fit.macho")
macho.write("fat.macho") # write-back the whole FAT binary
You can also use
lief.MachO.Binary.write_to_bytes() std::unique_ptr LIEF::MachO::Binary::write(std::ostream &) std::unique_ptr LIEF::MachO::Binary::write(std::ostream &, const Builder::config_t &)()
to get the new MachO binary as a buffer of bytes:

Note

This API can also take an extra
lief::pe::builder::Config lief.MachO.Builder.config_t LIEF::MachO::Builder::config_t
parameter
macho: lief.MachO.Binary = ...
new_macho: bytes = macho.write_to_bytes()

Advance Parsing/Writing

lief::macho::FatBinary::parse lief.MachO.parse() LIEF::MachO::Parser::parse()
can take an extra
lief.MachO.ParserConfig LIEF::MachO::ParserConfig
parameter to specify some parts of the MachO format to skip during parsing.

Warning

Generally speaking,
lief::macho::Binary::write lief::macho::Binary::write_with_config lief.MachO.Binary.write() LIEF::MachO::Binary::write()
and
lief.FatBinary.Binary.write() LIEF::FatBinary::Binary::write()
require a complete initial parsing of the MachO file.
Similarly,
lief::macho::Binary::write lief::macho::Binary::write_with_config lief.MachO.Binary.write() LIEF::MachO::Binary::write()
can also take an extra
lief::pe::builder::Config lief.MachO.Builder.config_t LIEF::MachO::Builder::config_t
to specify which parts of the MachO should be re-built or not.
parser_config = lief.MachO.ParserConfig()
parser_config.parse_dyld_bindings = False

macho: lief.MachO.FatBinary = lief.MachO.parse("my.macho", parser_config)

builder_config = lief.MachO.Builder.config_t()
builder_config.linkedit = False

macho.write("new.macho", builder_config)

See also

Binary Abstraction

RPath and Library Path Modification

Sometimes, we need to modify the Mach-O rpath commands or the (absolute) path of a linked library in an executable. When recompiling or linking the executable is not possible, LIEF can be used for these modifications.

For instance, let’s consider a binary with the following dependencies:

$ otool -L hello.bin
hello:
      /Users/romain/dev/libmylib.dylib (compatibility version 0.0.0, current version 0.0.0)
      /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 1700.255.0)
      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)

One can change the directory of libmylib.dylib with the following code:

macho = lief.MachO.parse("hello.bin")
lib: lief.MachO.DylibCommand = macho.find_library("libmylib.dylib")
lib.name = "/opt/hombrew/my_package/libmylib.dylib"

macho.write("hello_fixed.bin")

Note

It is worth mentioning that LIEF does not have restrictions on the length of the modified library path. LIEF manages all the internal modifications to support both longer and shorter library paths.

This kind of modification can be used in pair with the @rpath feature of Mach-O binaries:

  1. We can add an extra LC_RPATH (
    lief::macho::commands::RPath lief.MachO.RPathCommand LIEF::MachO::RPathCommand
    ) command to hello.bin:
macho = lief.MachO.parse("hello.bin")
rpath = lief.MachO.RPathCommand.create("/opt/hombrew/my_package")
macho.add(rpath)

  1. Then, we can change the library path of libmylib.dylib to include the rpath prefix:

lib: lief.MachO.DylibCommand = macho.find_library("libmylib.dylib")
lib.name = "@rpath/libmylib.dylib"

macho.write("hello_fixed.bin")

Objective-C Support

If a Mach-O binary is compiled from Objetive-C sources, it could contain metadata which are represented by the
lief::objc::Metadata lief.objc.Metadata LIEF::objc::Metadata
object.
This metadata can help understand the underlying structures of the binary and LIEF extended provides the support for accessing this information through:
lief::macho::Binary::objc_metadata lief.MachO.Binary.objc_metadata LIEF::MachO::Binary::objc_metadata()
.

For more details, you can check the Obj-C section.