indis-macho 0.2.0 → 0.3.0

data/README.md

@@ -2,5 +2,4 @@
 
 # Indis::MachO
 
-This gem provides support for processing mach-o binaries in th indis framework.
-
+This gem provides support for processing mach-o binaries in the indis framework.

data/indis-macho.gemspec

@@ -17,5 +17,5 @@ Gem::Specification.new do |gem|
   gem.version       = Indis::MachO::VERSION
   
   gem.add_development_dependency 'rspec'
-  gem.add_runtime_dependency 'indis-core'
+  gem.add_runtime_dependency 'indis-core', '~> 0.1.2'
 end

data/lib/indis-macho.rb

@@ -105,6 +105,7 @@ module Indis
         build_segments
         build_dylibs if self.flags.include? :MH_TWOLEVEL
         build_symbols
+        build_indirect_symbols
       end
       
       def flags
@@ -115,6 +116,26 @@ module Indis
         f
       end
       
+      def resolve_symbol_at_address(vmaddr)
+        segcommands = @commands.map{ |c| c if c.is_a?(Indis::MachO::SegmentCommand) }.compact
+        seg = segcommands.find { |seg| vmaddr >= seg.vmaddr && vmaddr < seg.vmaddr+seg.vmsize }
+        return nil unless seg
+        
+        ok_types = [:S_NON_LAZY_SYMBOL_POINTERS, :S_LAZY_SYMBOL_POINTERS, :S_LAZY_DYLIB_SYMBOL_POINTERS,
+                    :S_THREAD_LOCAL_VARIABLE_POINTERS, :S_SYMBOL_STUBS]
+        sect = seg.sections.find { |sec| vmaddr >= sec.addr && vmaddr < sec.addr+sec.size && ok_types.include?(sec.type) }
+        return nil unless sect
+        
+        stride = sect.type == :S_SYMBOL_STUBS ? sect.reserved2 : 4 # cctools/otool/ofile_print.c:8105
+        index = sect.reserved1 + (vmaddr - sect.addr) / stride
+        
+        return nil if index >= @indirect_symbols.length
+        
+        symb = @symbols[@indirect_symbols[index]].name
+        @target.publish_event(:macho_indirect_symbol_resolved, vmaddr, symb)
+        symb
+      end
+      
       private
       def validate_format
         raise "Not a Mach-O" if @io.length < 4
@@ -145,6 +166,7 @@ module Indis
           begin
             c = Indis::MachO::Command.class_of_command(cmd).new(cmd, size, @io)
             @commands << c
+            @target.publish_event(:macho_command_processed, c)
           rescue Indis::MachO::UnknownCommandError
             print "Unknown command #{cmd} size #{size}, skipping\n"
             @io.read(size-8)
@@ -173,11 +195,13 @@ module Indis
           @target.io.pos = cmd.fileoff
           seg = Indis::Segment.new(@target, name, cmd.vmaddr, cmd.vmsize, cmd.fileoff, @target.io.read(cmd.filesize))
           @target.segments << seg
+          @target.publish_event(:target_segment_processed, seg)
           
           cmd.sections.each do |sec|
             sec.index = @indexed_sections.length
-            s = Indis::Section.new(seg, sec.sectname, sec.addr, sec.size, sec.offset)
+            s = Indis::Section.new(seg, sec.sectname, sec.addr, sec.size, sec.offset, sec.type, sec.attributes)
             seg.sections << s
+            @target.publish_event(:target_section_processed, s)
             @indexed_sections << s
           end
         end
@@ -194,13 +218,16 @@ module Indis
       end
       
       def build_symbols
-        symtabcommand = @commands.map{ |c| c if c.is_a?(Indis::MachO::SymTabCommand) }.compact
+        symtabcommand = @commands.find{ |c| c.is_a?(Indis::MachO::SymTabCommand) }
         return if symtabcommand.length == 0
         
-        @target.symbols = {}
+        @symbols = symtabcommand.symbols
+        
+        @target.symbols = []
         
-        cmd = symtabcommand.first
-        cmd.symbols.each do |sym|
+        symtabcommand.symbols.each do |sym|
+          next if sym.stab?
+          
           sec = if sym.sect > 0
             @indexed_sections[sym.sect]
           else
@@ -215,9 +242,17 @@ module Indis
           end
           
           s = Indis::Symbol.new(sym.name, sec, dy, sym.value, sym)
-          @target.symbols[sym.name] = s
+          @target.symbols << s
+          @target.publish_event(:target_symbol_processed, s)
         end
       end
+      
+      def build_indirect_symbols
+        dysymtabcommand = @commands.find{ |c| c.is_a?(Indis::MachO::DySymTabCommand) }
+        return if !dysymtabcommand || dysymtabcommand.length == 0
+        
+        @indirect_symbols = dysymtabcommand.indirect_symbols
+      end
     end
     
   end

data/lib/indis-macho/command.rb

@@ -17,6 +17,7 @@
 ##############################################################################
 
 require 'indis-macho/symbol'
+require 'indis-macho/dyld_info_parser'
 
 module Indis
   module MachO
@@ -140,11 +141,53 @@ module Indis
     class SectionSubCommand < Command # LC_SEGMENT.sub
       f_string :sectname, 16
       f_string :segname, 16
-      f_uint32 :addr, :size, :offset, :align, :reloff, :nreloc, :flags, :reserved1, :reseved2
+      f_uint32 :addr, :size, :offset, :align, :reloff, :nreloc, :flags, :reserved1, :reserved2
       attr_accessor :index
+      attr_reader :type, :attributes
+      
+      SECTION_TYPE_MASK = 0x000000ff
+      SECTION_ATTRIBUTES_MASK = 0xffffff00
+      
+      SECTION_TYPE = {
+        0x00 => :S_REGULAR,                             # regular section
+        0x01 => :S_ZEROFILL,                            # zero-fill on demand section
+        0x02 => :S_CSTRING_LITERALS,                    # section with only literal C strings
+        0x03 => :S_4BYTE_LITERALS,                      # section with only 4 byte literals
+        0x04 => :S_8BYTE_LITERALS,                      # section with only 8 byte literals
+        0x05 => :S_LITERAL_POINTERS,                    # section with only pointers to literals
+        0x06 => :S_NON_LAZY_SYMBOL_POINTERS,            # section with only non-lazy symbol pointers
+        0x07 => :S_LAZY_SYMBOL_POINTERS,                # section with only lazy symbol pointers
+        0x08 => :S_SYMBOL_STUBS,                        # section with only symbol stubs (s.a. byte size of stub in the reserved2)
+        0x09 => :S_MOD_INIT_FUNC_POINTERS,              # section with only function pointers for initialization
+        0x0a => :S_MOD_TERM_FUNC_POINTERS,              # section with only function pointers for termination
+        0x0b => :S_COALESCED,                           # section contains symbols that are to be coalesced
+        0x0c => :S_GB_ZEROFILL,                         # zero fill on demand section (>4Gb)
+        0x0d => :S_INTERPOSING,                         # section with only pairs of function pointers for interposing
+        0x0e => :S_16BYTE_LITERALS,                     # section with only 16 byte literals
+        0x0f => :S_DTRACE_DOF,                          # section contains DTrace Object Format
+        0x10 => :S_LAZY_DYLIB_SYMBOL_POINTERS,          # section with only lazy symbol pointers to lazy loaded dylibs
+        0x11 => :S_THREAD_LOCAL_REGULAR,                # template of initial values for TLVs
+        0x12 => :S_THREAD_LOCAL_ZEROFILL,               # template of initial values for TLVs (zero-filled on demand?)
+        0x13 => :S_THREAD_LOCAL_VARIABLES,              # TLV descriptors
+        0x14 => :S_THREAD_LOCAL_VARIABLE_POINTERS,      # pointers to TLV descriptors
+        0x15 => :S_THREAD_LOCAL_INIT_FUNCTION_POINTERS, # functions to call to initialize TLV values
+      }
+      
+      SECTION_ATTRIBUTES = {
+        0x80000000 => :S_ATTR_PURE_INSTRUCTIONS,   # section contains only true machine instructions
+        0x40000000 => :S_ATTR_NO_TOC,              # section contains coalesced symbols that are not to be in a ranlib table of contents
+        0x20000000 => :S_ATTR_STRIP_STATIC_SYMS,   # ok to strip static symbols in this section in files with the MH_DYLDLINK flag
+        0x10000000 => :S_ATTR_NO_DEAD_STRIP,       # no dead stripping
+        0x08000000 => :S_ATTR_LIVE_SUPPORT,        # blocks are live if they reference live blocks
+        0x04000000 => :S_ATTR_SELF_MODIFYING_CODE, # Used with i386 code stubs written on by dyld
+        # s.a. S_ATTR_DEBUG & friends in loader.h
+      }
       
       def initialize(payload)
         process(payload)
+        @type = SECTION_TYPE[@flags & SECTION_TYPE_MASK]
+        atr = @falgs & SECTION_ATTRIBUTES_MASK
+        @attributes = SECTION_ATTRIBUTES.map { |k,v| (atr & k == k) ? v : nil }.compact
       end
     end
     
@@ -191,6 +234,16 @@ module Indis
       f_uint32 :ilocalsym, :nlocalsym, :iextdefsym, :nextdefsym, :iundefsym, :nundefsym, :tocoff,
                :ntoc, :modtaboff, :nmodtab, :extrefsymoff, :nextrefsyms, :indirectsymoff, :nindirectsyms,
                :extreloff, :nextrel, :locreloff, :nlocrel
+      attr_reader :indirect_symbols
+      
+      def process(payload)
+        super(payload)
+        
+        ofs = payload.pos
+        payload.pos = @indirectsymoff
+        @indirect_symbols = payload.read(@nindirectsyms * 4).unpack('V*')
+        payload.pos = ofs
+      end
     end
     
     class LoadDyLinkerCommand < Command # LC_LOAD_DYLINKER
@@ -265,6 +318,30 @@ module Indis
     class DyldInfoOnlyCommand < Command # LC_DYLD_INFO_ONLY
       f_uint32 :rebase_off, :rebase_size, :bind_off, :bind_size, :weak_bind_off, :weak_bind_size,
                :lazy_bind_off, :lazy_bind_size, :export_off, :export_size
+      attr_reader :bind_symbols, :weak_bind_symbols, :lazy_bind_symbols
+     
+      def process(payload)
+        super(payload)
+        
+        # TODO: rebase
+        
+        off = payload.pos
+        payload.pos = @bind_off
+        bind = payload.read(@bind_size)
+        @bind_symbols = DyldInfoParser.new(bind).parse if @bind_size > 0
+        
+        payload.pos = @weak_bind_off
+        weak_bind = payload.read(@weak_bind_size)
+        @weak_bind_symbols = DyldInfoParser.new(weak_bind).parse if @weak_bind_size > 0
+        
+        payload.pos = @lazy_bind_off
+        lazy_bind = payload.read(@lazy_bind_size)
+        @lazy_bind_symbols = DyldInfoParser.new(lazy_bind).parse if @lazy_bind_size > 0
+        
+        # TODO: export
+        
+        payload.pos = off
+      end
     end
   
   end

data/lib/indis-macho/dyld_info_parser.rb

@@ -0,0 +1,127 @@
+##############################################################################
+#   Indis framework                                                          #
+#   Copyright (C) 2012 Vladimir "Farcaller" Pouzanov <farcaller@gmail.com>   #
+#                                                                            #
+#   This program is free software: you can redistribute it and/or modify     #
+#   it under the terms of the GNU General Public License as published by     #
+#   the Free Software Foundation, either version 3 of the License, or        #
+#   (at your option) any later version.                                      #
+#                                                                            #
+#   This program is distributed in the hope that it will be useful,          #
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+#   GNU General Public License for more details.                             #
+#                                                                            #
+#   You should have received a copy of the GNU General Public License        #
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.    #
+##############################################################################
+
+module Indis
+  module MachO
+    
+    class DyldInfoParser
+      BIND_OPCODE_MASK    = 0xF0
+      BIND_IMMEDIATE_MASK = 0x0F
+      
+      BIND_OPCODES = {
+        0x00 => :BIND_OPCODE_DONE,
+        0x10 => :BIND_OPCODE_SET_DYLIB_ORDINAL_IMM,
+        0x20 => :BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB,
+        0x30 => :BIND_OPCODE_SET_DYLIB_SPECIAL_IMM,
+        0x40 => :BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM,
+        0x50 => :BIND_OPCODE_SET_TYPE_IMM,
+        0x60 => :BIND_OPCODE_SET_ADDEND_SLEB,
+        0x70 => :BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB,
+        0x80 => :BIND_OPCODE_ADD_ADDR_ULEB,
+        0x90 => :BIND_OPCODE_DO_BIND,
+        0xA0 => :BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB,
+        0xB0 => :BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED,
+        0xC0 => :BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB,
+      }
+      
+      TYPE_IMM = {
+        1 => :POINTER,
+        2 => :TEXT_ABSOLUTE32,
+        3 => :TEXT_PCREL32,
+      }
+      
+      def initialize(bytes)
+        @bytes = StringIO.new(bytes)
+      end
+      
+      def parse
+        syms = []
+        sym = {offset: 0}
+        begin
+          
+          b = pop
+          opcode = BIND_OPCODES[b & BIND_OPCODE_MASK]
+          imm = b & BIND_IMMEDIATE_MASK
+          #puts "** OPCODE #{opcode} IMM #{imm}"
+          case opcode
+          when :BIND_OPCODE_SET_DYLIB_ORDINAL_IMM
+            sym[:library] = imm
+          when :BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM
+            sym[:flags] = []
+            sym[:flags] << :WEAK_IMPORT if imm & 1 == 1
+            sym[:flags] << :NON_WEAK_DEFINITION if imm & 8 == 8
+            
+            nm = ''
+            c = pop
+            while c != 0 do
+              nm += c.chr
+              c = pop
+            end
+            sym[:name] = nm
+          when :BIND_OPCODE_SET_TYPE_IMM
+            #puts "Unknown type #{imm}" unless TYPE_IMM[imm]
+            sym[:type] = TYPE_IMM[imm] || imm
+          when :BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB
+            sym[:segment] = imm
+            sym[:offset] = pop_uleb
+          when :BIND_OPCODE_DONE
+            #break
+          when :BIND_OPCODE_DO_BIND
+            syms << sym.dup
+            sym[:offset] += 4
+          when :BIND_OPCODE_ADD_ADDR_ULEB
+            u = pop_uleb
+            sym[:offset] += u
+          when :BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED
+            syms << sym.dup
+            sym[:offset] += 4 + imm*4
+          when :BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB
+            count = pop_uleb
+            skip  = pop_uleb
+            count.times do
+              syms << sym.dup
+              sym[:offset] += skip + 4
+            end
+          else
+            raise "unknown opcode #{opcode} #{(b & BIND_OPCODE_MASK).to_s 16}"
+          end
+          sym[:offset] &= 0xffffffff
+        end while @bytes.pos < @bytes.length
+        syms
+      end
+      
+      private
+      def pop
+        @bytes.read(1).ord
+      end
+      
+      def pop_uleb
+        result = 0
+        bit = 0
+        begin
+          p = pop
+          slice = p & 0x7f
+          result |= (slice << bit)
+          bit += 7
+        end while p & 0x80 != 0
+        result
+      end
+    end
+    
+  end
+end

data/lib/indis-macho/symbol.rb

@@ -32,35 +32,35 @@ module Indis
         0xa => :INDR,
       }
       STAB = {
-        0x20 => :N_GSYM,
-        0x22 => :N_FNAME,
-        0x24 => :N_FUN,
-        0x26 => :N_STSYM,
-        0x28 => :N_LCSYM,
-        0x2e => :N_BNSYM,
-        0x3c => :N_OPT,
-        0x40 => :N_RSYM,
-        0x44 => :N_SLINE,
-        0x4e => :N_ENSYM,
-        0x60 => :N_SSYM,
-        0x64 => :N_SO,
-        0x66 => :N_OSO,
-        0x80 => :N_LSYM,
-        0x82 => :N_BINCL,
-        0x84 => :N_SOL,
-        0x86 => :N_PARAMS,
-        0x88 => :N_VERSION,
-        0x8A => :N_OLEVEL,
-        0xa0 => :N_PSYM,
-        0xa2 => :N_EINCL,
-        0xa4 => :N_ENTRY,
-        0xc0 => :N_LBRAC,
-        0xc2 => :N_EXCL,
-        0xe0 => :N_RBRAC,
-        0xe2 => :N_BCOMM,
-        0xe4 => :N_ECOMM,
-        0xe8 => :N_ECOML,
-        0xfe => :N_LENG,
+        0x20 => :N_GSYM,    # global symbol
+        0x22 => :N_FNAME,   # procedure name (f77 kludge)
+        0x24 => :N_FUN,     # procedure name
+        0x26 => :N_STSYM,   # static symbol
+        0x28 => :N_LCSYM,   # .lcomm symbol
+        0x2e => :N_BNSYM,   # begin nsect symbol
+        0x3c => :N_OPT,     # emitted with gcc2_compiled and in gcc source
+        0x40 => :N_RSYM,    # register symbol
+        0x44 => :N_SLINE,   # src line
+        0x4e => :N_ENSYM,   # end nsect symbol
+        0x60 => :N_SSYM,    # structure elt
+        0x64 => :N_SO,      # source file name
+        0x66 => :N_OSO,     # object file name
+        0x80 => :N_LSYM,    # local symbol
+        0x82 => :N_BINCL,   # include file beginning
+        0x84 => :N_SOL,     # #included file name
+        0x86 => :N_PARAMS,  # compiler parameters
+        0x88 => :N_VERSION, # compiler version
+        0x8A => :N_OLEVEL,  # compiler -O level
+        0xa0 => :N_PSYM,    # parameter
+        0xa2 => :N_EINCL,   # include file end
+        0xa4 => :N_ENTRY,   # alternate entry
+        0xc0 => :N_LBRAC,   # left bracket
+        0xc2 => :N_EXCL,    # deleted include file
+        0xe0 => :N_RBRAC,   # right bracket
+        0xe2 => :N_BCOMM,   # begin common
+        0xe4 => :N_ECOMM,   # end common
+        0xe8 => :N_ECOML,   # end common (local name)
+        0xfe => :N_LENG,    # second stab entry with length information
       }
       REFERENCE_TYPE_MASK = 0xf
       DESC_REFERENCE = {
@@ -94,7 +94,11 @@ module Indis
           @name = strtab[name_idx..-1].split("\0", 2)[0]
         end
         
-        #puts "#{printf('%08x', value)} #{@name} sect #{@sect} #{self.type ? self.type : 'UNK 0b'+@type_val.to_s(2)} #{self.stab? ? 'stab ' : ''} #{self.private_extern? ? 'pvt ' : ''} #{self.extern? ? 'extern' : ''}"
+        # if stab?
+        #   puts ".stabs \"#{@name}\", #{STAB[@type_val]}, #{@sect}, #{self.desc}, #{@value}"
+        # else
+        #   puts "SYM \"#{@name}\", #{TYPE[@type_val & TYPE_MASK]}, #{@sect}, #{self.desc}, #{@value}"
+        # end
       end
       
       def type

data/lib/indis-macho/version.rb

@@ -18,6 +18,6 @@
 
 module Indis
   module MachO
-    VERSION = '0.2.0'
+    VERSION = '0.3.0'
   end
 end

data/spec/indis-macho/macho_spec.rb

@@ -14,10 +14,11 @@ def macho_target_double(*args)
   if o[:symbols]
     target.should_receive(:symbols){ o[:symbols] }.any_number_of_times
   else
-    target.should_receive(:symbols).any_number_of_times.and_return({})
+    target.should_receive(:symbols).any_number_of_times.and_return([])
   end
   target.stub(:vamap=)
   target.stub(:io).and_return(o[:io])
+  target.stub(:publish_event)
   target
 end
 
@@ -87,14 +88,37 @@ describe Indis::BinaryFormat::MachO do
   end
   
   it "should parse symbols" do
-    sym = {}
+    sym = []
     io = StringIO.new(File.open('spec/fixtures/single-object.o', 'rb').read().force_encoding('BINARY'))
     target = macho_target_double(io: io, symbols: sym)
     
     m = Indis::BinaryFormat::MachO.new(target, io)
     
-    sym.keys.should include("_add")
-    sym.keys.should include("_sub")
-    sym.keys.should include("_printf")
+    sym.find {|s| s.name == '_add' }.should be_a(Indis::Symbol)
+    sym.find {|s| s.name == '_sub' }.should be_a(Indis::Symbol)
+    sym.find {|s| s.name == '_printf' }.should be_a(Indis::Symbol)
+  end
+  
+  it "should parse dyld operands" do
+    io = StringIO.new(File.open('spec/fixtures/app-arm-release.o', 'rb').read().force_encoding('BINARY'))
+    target = macho_target_double(io: io)
+    
+    m = Indis::BinaryFormat::MachO.new(target, io)
+    dysymtab = m.commands.map{ |c| c if c.is_a?(Indis::MachO::DyldInfoOnlyCommand) }.compact.first
+    dysymtab.bind_symbols.length.should == 20
+    dysymtab.weak_bind_symbols.should be_nil
+    dysymtab.lazy_bind_symbols.length.should == 10
+  end
+  
+  it "should post events while parsing" do
+    io = StringIO.new(File.open('spec/fixtures/app-arm-release.o', 'rb').read().force_encoding('BINARY'))
+    target = macho_target_double(io: io)
+    
+    target.should_receive(:publish_event).with(:macho_command_processed, anything).exactly(20).times
+    target.should_receive(:publish_event).with(:target_segment_processed, anything).exactly(4).times
+    target.should_receive(:publish_event).with(:target_section_processed, anything).exactly(22).times
+    target.should_receive(:publish_event).with(:target_symbol_processed, anything).exactly(51).times
+    
+    m = Indis::BinaryFormat::MachO.new(target, io)
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: indis-macho
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-15 00:00:00.000000000 Z
+date: 2012-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -32,17 +32,17 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.2
 description: Mach-o format processor for indis provides support for loading mach-o
   binaries for analysis
 email:
@@ -62,6 +62,7 @@ files:
 - indis-macho.gemspec
 - lib/indis-macho.rb
 - lib/indis-macho/command.rb
+- lib/indis-macho/dyld_info_parser.rb
 - lib/indis-macho/symbol.rb
 - lib/indis-macho/version.rb
 - spec/fixtures/app-arm-release.o