The new version of Profiler is out and it includes support for Mac OS X!
Here’s the change-list for the current version:
– ported Cerbero Profiler to MacOSX
– added command-line scripting support
– updated Header Manager to Clang 3.5
– improved parsing of PE Delay Import Descriptors
– fixed some small issues
Enjoy!
The reason behind this addition is that before undertaking the next big step in the road map of the Profiler there was some spare time to dedicate to some extra features for the upcoming 0.9.6 version. There have also been some customer requests for Mach-O support, so we hope that this will satisfy their request. While there are still some things left which would be useful and nice to add to the Mach-O support, they are not many.
The first screenshot as you can see features the Mach-O layout.
The logic of Mach-Os starts with their load commands which describe everything else:
Segments and sections:
Entry points (LC_MAIN, LC_UNIXTHREAD):
Symbols:
Then the LC_DYLD_INFO can describle some VM operations for rebasing and binding:
Binding:
Also the DyldInfo export section is represented as in the file as a tree:
Function starts:
Of course, Mach-O support makes little sense without Fat/Universal Binary support:
While the upcoming version won’t yet support validation of Apple Code Signatures embedded in Mach-Os, it’s already possible to inspect their format and the embedded certificates.
As usual all the formats added have been exposed to Python as well. I paste some of the SDK class documentation here excluding constants, which are just too many.
class MachObject
: CFFObject
AddressToOffset(MaxUInt address) -> MaxUInt
AddressToSection(MaxUInt address) -> CFFStruct
AddressToSegment(MaxUInt address) -> CFFStruct
BuildSymbolsValueHash(CFFStruct symtablc) -> NTHash< MaxUInt,UInt32 >
CertificateLCs() -> NTUIntVector
DyLibModules(CFFStruct dysymtablc) -> CFFStruct
DySymTableLC() -> CFFStruct
DyTableOfContents(CFFStruct dysymtablc) -> CFFStruct
DyldDisassembleBind(NTTextStream out, MaxUInt offset, UInt32 size)
DyldDisassembleBind(NTTextStream out, CFFStruct dyldinfo)
DyldDisassembleLazyBind(NTTextStream out, CFFStruct dyldinfo)
DyldDisassembleRebase(NTTextStream out, MaxUInt offset, UInt32 size)
DyldDisassembleRebase(NTTextStream out, CFFStruct dyldinfo)
DyldDisassembleWeakBind(NTTextStream out, CFFStruct dyldinfo)
DyldFindExportedSymbol(CFFStruct dyldinfo, char const * symbol) -> MaxUInt
DyldInfoLC() -> CFFStruct
EntryPointAddress(CFFStruct lc) -> MaxUInt
EntryPointLCs() -> NTUIntVector
ExternalSymbolReferences(CFFStruct dysymtablc) -> CFFStruct
FunctionStartsLC() -> CFFStruct
FunctionStartsOffsetsAndValues(CFFStruct funcstartslc, NTVector< MaxUInt > & values) -> NTUIntVector
GetLC(LoadCmdInfo info) -> CFFStruct
GetLC(UInt32 index) -> CFFStruct
GetLCCount() -> UInt32
GetLCDescription(CFFStruct s) -> NTString
GetLCDescription(UInt32 index) -> NTString
GetLCInfo(UInt32 index) -> LoadCmdInfo
GetLCInfoFromOffset(MaxUInt offset) -> LoadCmdInfo
static GetLCName(UInt32 cmd) -> NTString
IndirectSymbolTable(CFFStruct dysymtablc) -> CFFStruct
IsMachO64() -> bool
MachHeader() -> CFFStruct
OffsetToAddress(MaxUInt offset) -> MaxUInt
OffsetToSection(MaxUInt offset) -> CFFStruct
OffsetToSegment(MaxUInt offset) -> CFFStruct
ProcessLoadCommands() -> bool
ReadSLEB128(NTBuffer b) -> Int64
ReadSLEB128(MaxUInt offset, UInt32 & size) -> Int64
ReadULEB128(NTBuffer b) -> UInt64
ReadULEB128(MaxUInt offset, UInt32 & size) -> UInt64
SectionFromOffset(UInt32 cmd, MaxUInt offset) -> CFFStruct
SegmentSections(CFFStruct seg) -> CFFStruct
SymTableLC() -> CFFStruct
SymbolNList(CFFStruct symtablc) -> CFFStruct
class FatObject
: CFFObject
Architectures() -> CFFStruct
class AppleCodeSignatureObject
: CFFObject
BlobFromOffset(UInt32 offset) -> CFFStruct
BlobIndexes(CFFStruct supblob) -> CFFStruct
BlobName(UInt32 magic) -> NTString
BlobName(CFFStruct blob) -> NTString
IsSuperBlob(UInt32 magic) -> bool
IsSuperBlob(CFFStruct blob) -> bool
TopBlob() -> CFFStruct Given the SDK capabilities, it’s easy to perform custom scans on Mach-Os or to create plugins.
That’s all. Hope you enjoyed and don’t be shy if you have feature requests or suggestions. 😉