indis-macho 0.2.0

data/README.md

@@ -0,0 +1,6 @@
+[![Build Status](https://secure.travis-ci.org/indis/indis-macho.png?branch=master)](http://travis-ci.org/indis/indis-macho)
+
+# Indis::MachO
+
+This gem provides support for processing mach-o binaries in th indis framework.
+

data/Rakefile

@@ -0,0 +1,9 @@
+#!/usr/bin/env rake
+
+require "bundler/gem_tasks"
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new('spec')
+
+task :default => :spec

data/indis-macho.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/indis-macho/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Vladimir Pouzanov"]
+  gem.email         = ["farcaller@gmail.com"]
+  gem.description   = "Mach-o format processor for indis provides support for loading mach-o binaries for analysis"
+  gem.summary       = "Mach-o format processor for indis"
+  gem.homepage      = "http://www.indis.org/"
+  gem.license       = "GPL-3"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "indis-macho"
+  gem.require_paths = ["lib"]
+  gem.version       = Indis::MachO::VERSION
+  
+  gem.add_development_dependency 'rspec'
+  gem.add_runtime_dependency 'indis-core'
+end

data/lib/indis-macho.rb

@@ -0,0 +1,224 @@
+##############################################################################
+#   Indis framework                                                          #
+#   Copyright (C) 2012 Vladimir "Farcaller" Pouzanov <farcaller@gmail.com>   #
+#                                                                            #
+#   This program is free software: you can redistribute it and/or modify     #
+#   it under the terms of the GNU General Public License as published by     #
+#   the Free Software Foundation, either version 3 of the License, or        #
+#   (at your option) any later version.                                      #
+#                                                                            #
+#   This program is distributed in the hope that it will be useful,          #
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+#   GNU General Public License for more details.                             #
+#                                                                            #
+#   You should have received a copy of the GNU General Public License        #
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.    #
+##############################################################################
+
+require 'indis-core/binary_format'
+require 'indis-core/segment'
+require 'indis-core/section'
+require 'indis-core/symbol'
+require 'indis-macho/version'
+require 'indis-macho/command'
+require 'indis-macho/symbol'
+
+module Indis
+  module BinaryFormat
+    
+    class MachO < Format
+      MH_MAGIC = 0xfeedface
+      
+      CPUTYPE = {
+        12 => :CPU_TYPE_ARM
+      }
+
+      CPUSUBTYPE = {
+        5 => :CPU_SUBTYPE_ARM_V4T,
+        6 => :CPU_SUBTYPE_ARM_V6,
+        7 => :CPU_SUBTYPE_ARM_V5TEJ,
+        8 => :CPU_SUBTYPE_ARM_XSCALE,
+        9 => :CPU_SUBTYPE_ARM_V7
+      }
+
+      FILETYPE = {
+        0x1 => :MH_OBJECT,
+        0x2 => :MH_EXECUTE,
+        0x3 => :MH_FVMLIB,
+        0x4 => :MH_CORE,
+        0x5 => :MH_PRELOAD,
+        0x6 => :MH_DYLIB,
+        0x7 => :MH_DYLINKER,
+        0x8 => :MH_BUNDLE,
+        0x9 => :MH_DYLIB_STUB,
+        0xa => :MH_DSYM,
+        0xb => :MH_KEXT_BUNDLE
+      }
+
+      FLAGS = {
+        0x1 => :MH_NOUNDEFS,
+        0x2 => :MH_INCRLINK,
+        0x4 => :MH_DYLDLINK,
+        0x8 => :MH_BINDATLOAD,
+        0x10 => :MH_PREBOUND,
+        0x20 => :MH_SPLIT_SEGS,
+        0x40 => :MH_LAZY_INIT,
+        0x80 => :MH_TWOLEVEL,
+        0x100 => :MH_FORCE_FLAT,
+        0x200 => :MH_NOMULTIDEFS,
+        0x400 => :MH_NOFIXPREBINDING,
+        0x800 => :MH_PREBINDABLE,
+        0x1000 => :MH_ALLMODSBOUND,
+        0x2000 => :MH_SUBSECTIONS_VIA_SYMBOLS,
+        0x4000 => :MH_CANONICAL,
+        0x8000 => :MH_WEAK_DEFINES,
+        0x10000 => :MH_BINDS_TO_WEAK,
+        0x20000 => :MH_ALLOW_STACK_EXECUTION,
+        0x40000 => :MH_ROOT_SAFE,
+        0x80000 => :MH_SETUID_SAFE,
+        0x100000 => :MH_NO_REEXPORTED_DYLIBS,
+        0x200000 => :MH_PIE,
+        0x400000 => :MH_DEAD_STRIPPABLE_DYLIB,
+        0x800000 => :MH_HAS_TLV_DESCRIPTORS,
+        0x1000000 => :MH_NO_HEAP_EXECUTION,
+      }
+      
+      attr_reader :cputype, :cpusubtype, :filetype, :commands
+      
+      def self.magic
+        MH_MAGIC
+      end
+      
+      def self.name
+        'Mach-O'
+      end
+      
+      def initialize(target, io)
+        super(target, io)
+        
+        @commands = []
+
+        parse_header
+        parse_commands
+
+        build_segments
+        build_dylibs if self.flags.include? :MH_TWOLEVEL
+        build_symbols
+      end
+      
+      def flags
+        f = []
+        FLAGS.each_pair do |k, v|
+          f << v if @flags_val & k == k
+        end
+        f
+      end
+      
+      private
+      def validate_format
+        raise "Not a Mach-O" if @io.length < 4
+        magic = @io.read(4).unpack('V')[0]
+        raise "Bad magic" unless magic == MH_MAGIC
+        @io.seek(-4, IO::SEEK_CUR)          
+      end
+      
+      def parse_header
+        validate_format
+        
+        @magic, @cputype, @cpusubtype, @filetype, @ncmds, @sizeofcmds, @flags_val = @io.read(7*4).unpack('VVVVVVV')
+
+        @cputype = CPUTYPE[@cputype]
+        raise "Unknown CPU type" unless @cputype
+
+        @cpusubtype = CPUSUBTYPE[@cpusubtype]
+        raise "Unknown CPU subtype" unless @cpusubtype
+
+        @filetype = FILETYPE[@filetype]
+        raise "Unknown file type" unless @filetype
+      end
+      
+      def parse_commands
+        @ncmds.times do
+          cmd, size = @io.read(2*4).unpack('VV')
+
+          begin
+            c = Indis::MachO::Command.class_of_command(cmd).new(cmd, size, @io)
+            @commands << c
+          rescue Indis::MachO::UnknownCommandError
+            print "Unknown command #{cmd} size #{size}, skipping\n"
+            @io.read(size-8)
+          end
+        end
+      end
+      
+      def build_segments
+        @indexed_sections = [nil]
+        segcommands = @commands.map{ |c| c if c.is_a?(Indis::MachO::SegmentCommand) }.compact
+        
+        @target.segments = []
+        
+        pos = @target.io.pos
+        segcommands.each do |cmd|
+          name = if cmd.segname.length > 0
+            cmd.segname
+          else
+            if cmd.sections.length > 0 && cmd.sections.first.segname.length > 0
+              cmd.sections.first.segname
+            else
+              name = '*NONAME*'
+            end
+          end
+          
+          @target.io.pos = cmd.fileoff
+          seg = Indis::Segment.new(@target, name, cmd.vmaddr, cmd.vmsize, cmd.fileoff, @target.io.read(cmd.filesize))
+          @target.segments << seg
+          
+          cmd.sections.each do |sec|
+            sec.index = @indexed_sections.length
+            s = Indis::Section.new(seg, sec.sectname, sec.addr, sec.size, sec.offset)
+            seg.sections << s
+            @indexed_sections << s
+          end
+        end
+        @target.io.pos = pos
+      end
+      
+      def build_dylibs
+        @indexed_dylibs = [nil]
+        dylibcommands = @commands.map{ |c| c if c.is_a?(Indis::MachO::LoadDyLibCommand) }.compact
+        
+        dylibcommands.each do |dy|
+          @indexed_dylibs << dy.name
+        end
+      end
+      
+      def build_symbols
+        symtabcommand = @commands.map{ |c| c if c.is_a?(Indis::MachO::SymTabCommand) }.compact
+        return if symtabcommand.length == 0
+        
+        @target.symbols = {}
+        
+        cmd = symtabcommand.first
+        cmd.symbols.each do |sym|
+          sec = if sym.sect > 0
+            @indexed_sections[sym.sect]
+          else
+            nil
+          end
+          
+          dy = if self.flags.include? :MH_TWOLEVEL
+            l2 = sym.twolevel_library_ordinal
+            @indexed_dylibs[l2] if l2.is_a? Fixnum
+          else
+            nil
+          end
+          
+          s = Indis::Symbol.new(sym.name, sec, dy, sym.value, sym)
+          @target.symbols[sym.name] = s
+        end
+      end
+    end
+    
+  end
+end

data/lib/indis-macho/command.rb

@@ -0,0 +1,271 @@
+##############################################################################
+#   Indis framework                                                          #
+#   Copyright (C) 2012 Vladimir "Farcaller" Pouzanov <farcaller@gmail.com>   #
+#                                                                            #
+#   This program is free software: you can redistribute it and/or modify     #
+#   it under the terms of the GNU General Public License as published by     #
+#   the Free Software Foundation, either version 3 of the License, or        #
+#   (at your option) any later version.                                      #
+#                                                                            #
+#   This program is distributed in the hope that it will be useful,          #
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+#   GNU General Public License for more details.                             #
+#                                                                            #
+#   You should have received a copy of the GNU General Public License        #
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.    #
+##############################################################################
+
+require 'indis-macho/symbol'
+
+module Indis
+  module MachO
+    
+    class UnknownCommandError < RuntimeError; end
+    
+    class Command
+      LC_REQ_DYLD = 0x80000000
+      
+      CMD = {
+        0x1 => :LC_SEGMENT,
+        0x2 => :LC_SYMTAB,
+        0x3 => :LC_SYMSEG,
+        0x4 => :LC_THREAD,
+        0x5 => :LC_UNIXTHREAD,
+        0x6 => :LC_LOADFVMLIB,
+        0x7 => :LC_IDFVMLIB,
+        0x8 => :LC_IDENT,
+        0x9 => :LC_FVMFILE,
+        0xa => :LC_PREPAGE,
+        0xb => :LC_DYSYMTAB,
+        0xc => :LC_LOAD_DYLIB,
+        0xd => :LC_ID_DYLIB,
+        0xe => :LC_LOAD_DYLINKER,
+        0xf => :LC_ID_DYLINKER,
+        0x10 => :LC_PREBOUND_DYLIB,
+        0x11 => :LC_ROUTINES,
+        0x12 => :LC_SUB_FRAMEWORK,
+        0x13 => :LC_SUB_UMBRELLA,
+        0x14 => :LC_SUB_CLIENT,
+        0x15 => :LC_SUB_LIBRARY,
+        0x16 => :LC_TWOLEVEL_HINTS,
+        0x17 => :LC_PREBIND_CKSUM,
+        
+        0x18 | LC_REQ_DYLD => :LC_LOAD_WEAK_DYLIB,
+        0x19 => :LC_SEGMENT_64,
+        0x1a => :LC_ROUTINES_64,
+        0x1b => :LC_UUID,
+        0x1c | LC_REQ_DYLD => :LC_RPATH,
+        0x1d => :LC_CODE_SIGNATURE,
+        0x1e => :LC_SEGMENT_SPLIT_INFO,
+        0x1f | LC_REQ_DYLD => :LC_REEXPORT_DYLIB,
+        0x20 => :LC_LAZY_LOAD_DYLIB,
+        0x21 => :LC_ENCRYPTION_INFO,
+        0x22 => :LC_DYLD_INFO,
+        0x22|LC_REQ_DYLD => :LC_DYLD_INFO_ONLY,
+        
+        0x23 | LC_REQ_DYLD => :LC_LOAD_UPWARD_DYLIB,
+        0x24 => :LC_VERSION_MIN_MACOSX,
+        0x25 => :LC_VERSION_MIN_IPHONEOS,
+        0x26 => :LC_FUNCTION_STARTS,
+        0x27 => :LC_DYLD_ENVIRONMENT,
+      }
+      
+      CMD_CLASS = {
+        LC_SEGMENT: :SegmentCommand,
+        LC_DYLD_INFO_ONLY: :DyldInfoOnlyCommand,
+        LC_SYMTAB: :SymTabCommand,
+        LC_DYSYMTAB: :DySymTabCommand,
+        LC_LOAD_DYLINKER: :LoadDyLinkerCommand,
+        LC_UUID: :UUIDCommand,
+        LC_UNIXTHREAD: :ARMUnixThreadCommand,
+        LC_ENCRYPTION_INFO: :EncryptionInfoCommand,
+        LC_LOAD_DYLIB: :LoadDyLibCommand,
+        LC_CODE_SIGNATURE: :CodeSignatureCommand,
+        LC_VERSION_MIN_IPHONEOS: :VersionMinIPhoneOSCommand,
+        LC_FUNCTION_STARTS: :FunctionStartsCommand,
+      }
+  
+      attr_reader :cmd, :length
+  
+      def initialize(cmd, length, payload)
+        @cmd = CMD[cmd]
+        @length = length
+        raise "Unknown mach-o command" unless @cmd
+    
+        process(payload)
+      end
+  
+      def self.class_of_command(c)
+        cmd = CMD[c]
+        raise UnknownCommandError, "Unknown mach-o command #{c.to_s(16)}" unless cmd
+        clsnm = CMD_CLASS[cmd]
+        raise "Unsupported mach-o command #{c.to_s(16)} (#{cmd})" unless clsnm
+        cls = Indis::MachO.const_get(clsnm)
+      end
+      
+      private
+      def process(payload)
+        return unless self.class.fields
+        self.class.fields.each do |f|
+          case f[0]
+          when :string
+            s = payload.read(f[2]).strip.gsub("\0", "")
+            instance_variable_set("@#{f[1]}".to_sym, s)
+          when :uint32
+            instance_variable_set("@#{f[1]}".to_sym, payload.read(4).unpack('V')[0])
+          end
+        end
+      end
+      
+      def self.f_string(name, sz)
+        @fields ||= []
+        @fields << [:string, name, sz]
+        attr_reader name.to_sym
+      end
+      
+      def self.f_uint32(*names)
+        @fields ||= []
+        names.each do |nm|
+          @fields << [:uint32, nm]
+          attr_reader nm.to_sym
+        end
+      end
+      
+      def self.fields
+        @fields
+      end
+    end
+    
+    class SectionSubCommand < Command # LC_SEGMENT.sub
+      f_string :sectname, 16
+      f_string :segname, 16
+      f_uint32 :addr, :size, :offset, :align, :reloff, :nreloc, :flags, :reserved1, :reseved2
+      attr_accessor :index
+      
+      def initialize(payload)
+        process(payload)
+      end
+    end
+    
+    class SegmentCommand < Command # LC_SEGMENT
+      f_string :segname, 16
+      f_uint32 :vmaddr, :vmsize, :fileoff, :filesize, :maxprot, :initprot, :nsects, :flags
+      attr_reader :sections
+      
+      def process(payload)
+        super(payload)
+        
+        @sections = []
+        @nsects.times do
+          s = SectionSubCommand.new(payload)
+          @sections << s
+        end
+      end
+    end
+    
+    class SymTabCommand < Command # LC_SYMTAB
+      f_uint32 :symoff, :nsyms, :stroff, :strsize
+      attr_reader :symbols
+      
+      def process(payload)
+        super(payload)
+        
+        pos = payload.pos
+        
+        payload.pos = @stroff
+        strings = payload.read(@strsize)
+        
+        payload.pos = @symoff
+        @symbols = []
+        
+        @nsyms.times do |n|
+          s = Indis::MachO::Symbol.new(payload, strings)
+          @symbols << s
+        end
+        payload.pos = pos
+      end
+    end
+    
+    class DySymTabCommand < Command # LC_DYSYMTAB
+      f_uint32 :ilocalsym, :nlocalsym, :iextdefsym, :nextdefsym, :iundefsym, :nundefsym, :tocoff,
+               :ntoc, :modtaboff, :nmodtab, :extrefsymoff, :nextrefsyms, :indirectsymoff, :nindirectsyms,
+               :extreloff, :nextrel, :locreloff, :nlocrel
+    end
+    
+    class LoadDyLinkerCommand < Command # LC_LOAD_DYLINKER
+      attr_reader :name
+      
+      def process(payload)
+        super(payload)
+        @name = payload.read(@length-8).strip
+      end
+    end
+    
+    class UUIDCommand < Command # LC_UUID
+      attr_reader :UUID
+      
+      def process(payload)
+        super(payload)
+        @UUID = payload.read(16)
+      end
+    end
+    
+    class ARMUnixThreadCommand < Command # LC_UNIXTHREAD
+      REGISTERS = [:r0, :r1, :r2, :r3, :r4, :r5, :r6, :r7, :r8, :r9, :r10, :r11, :r12, :sp, :lr, :pc, :cpsr]
+      f_uint32 :flavor, :count
+      attr_reader :registers
+      
+      def process(payload)
+        super(payload)
+        # XXX: this one parses only ARM thread state, need to get back to mach-o header to know the flavor
+        
+        @registers = payload.read(4*17).unpack('V'*17)
+      end
+    end
+    
+    class EncryptionInfoCommand < Command # LC_ENCRYPTION_INFO
+      f_uint32 :cryptoff, :cryptsize, :cryptid
+    end
+    
+    class LoadDyLibCommand < Command # LC_LOAD_DYLIB
+      attr_reader :name, :timestamp, :current_version, :compatibility_version
+      
+      def process(payload)
+        super(payload)
+        
+        ofs_to_name = payload.read(4).unpack('V')[0]
+        
+        @timestamp, @current_version, @compatibility_version = payload.read(4*3).unpack('VVV')
+        
+        name_sz = @length - ofs_to_name - 4*3 + 8 + 4
+        @name = payload.read(name_sz).strip
+      end
+    end
+    
+    class CodeSignatureCommand < Command # LC_CODE_SIGNATURE
+      f_uint32 :dataoff, :datasize
+    end
+    
+    class VersionMinIPhoneOSCommand < Command # LC_VERSION_MIN_IPHONEOS
+      attr_reader :version, :sdk
+      
+      def process(payload)
+        v, s = payload.read(8).unpack('VV')
+        
+        @version = "#{(v & 0xffff0000) >> 16}.#{(v & 0xff00) >> 8}.#{v & 0xff}"
+        @sdk = s
+      end
+    end
+    
+    class FunctionStartsCommand < Command # LC_FUNCTION_STARTS
+      f_uint32 :dataoff, :datasize
+    end
+    
+    class DyldInfoOnlyCommand < Command # LC_DYLD_INFO_ONLY
+      f_uint32 :rebase_off, :rebase_size, :bind_off, :bind_size, :weak_bind_off, :weak_bind_size,
+               :lazy_bind_off, :lazy_bind_size, :export_off, :export_size
+    end
+  
+  end
+end