MachO¶

Parser¶

class Parser : public LIEF::Parser ¶

The main interface to parse a Mach-O binary.

This class is used to parse both Fat & non-Fat binary. Non-fat binaries are considerated as a fat with only one architecture. This is why MachO::Parser::parse outputs a FatBinary object.

Public Functions

Parser &operator=(const Parser &copy) = delete¶

Parser(const Parser &copy) = delete¶

virtual ~Parser() override¶

Public Static Functions

static std::unique_ptr<FatBinary> parse(const std::string &filename, const ParserConfig &conf = ParserConfig::deep())¶

Parse a Mach-O file from the path provided by the filename parameter.

The conf parameter can be used to tweak the configuration of the parser

Parameters:

filename – [in] Path to the Mach-O file
conf – [in] Parser configuration (Defaut: ParserConfig::deep)

static std::unique_ptr<FatBinary> parse(const std::vector<uint8_t> &data, const ParserConfig &conf = ParserConfig::deep())¶

Parse a Mach-O file from the raw content provided by the data parameter.

The conf parameter can be used to tweak the configuration of the parser

Parameters:

data – [in] Mach-O file as a vector of bytes
conf – [in] Parser configuration (Defaut: ParserConfig::deep)

static std::unique_ptr<FatBinary> parse(std::unique_ptr<BinaryStream> stream, const ParserConfig &conf = ParserConfig::deep())¶: Parser a Mach-O binary from the provided BinaryStream.

static std::unique_ptr<FatBinary> parse_from_memory(uintptr_t address, const ParserConfig &conf = ParserConfig::deep())¶: Parse the Mach-O binary from the address given in the first parameter.

static std::unique_ptr<FatBinary> parse_from_memory(uintptr_t address, size_t size, const ParserConfig &conf = ParserConfig::deep())¶: Parse the Mach-O binary from the address given in the first parameter and the size given in the second parameter.

class BinaryParser : public LIEF::Parser ¶

Class used to parse a single binary (i.e. non-FAT)

See also

MachO::Parser

Warning

This class should not be directly used.

Public Functions

BinaryParser &operator=(const BinaryParser &copy) = delete¶

BinaryParser(const BinaryParser &copy) = delete¶

~BinaryParser() override¶

Public Static Functions

static std::unique_ptr<Binary> parse(const std::string &file)¶

static std::unique_ptr<Binary> parse(const std::string &file, const ParserConfig &conf)¶

static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &data, const ParserConfig &conf = ParserConfig::deep())¶

static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &data, uint64_t fat_offset, const ParserConfig &conf = ParserConfig::deep())¶

static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream, uint64_t fat_offset, const ParserConfig &conf)¶

Friends

friend class MachO::Parser

struct ParserConfig¶

This structure is used to tweak the MachO Parser (MachO::Parser)

Public Functions

ParserConfig &full_dyldinfo(bool flag)¶: If flag is set to true, Exports, Bindings and Rebases opcodes are parsed.

Warning
Enabling this flag can slow down the parsing

Public Members

bool parse_dyld_exports = true¶: Parse the Dyld export trie.

bool parse_dyld_bindings = true¶: Parse the Dyld binding opcodes.

bool parse_dyld_rebases = true¶: Parse the Dyld rebase opcodes.

bool fix_from_memory = false¶

When parsing Mach-O from memory, this option can be used to undo relocations and symbols bindings.

When activated, this option requires parse_dyld_bindings and parse_dyld_rebases to be enabled.

Public Static Functions

static ParserConfig deep()¶: Return a parser configuration such as all the objects supported by LIEF are parsed.

static ParserConfig quick()¶: Return a configuration to parse the most important MachO structures.

FatBinary¶

class FatBinary¶

Class which represent a Mach-O (fat) binary This object is also used for representing Mach-O binaries that are NOT FAT

Public Types

using binaries_t = std::vector<std::unique_ptr<Binary>>¶: Internal containter used to store Binary objects within a Fat Mach-O.

using it_binaries = ref_iterator<binaries_t&, Binary*>¶: Iterator that outputs Binary&.

using it_const_binaries = const_ref_iterator<const binaries_t&, Binary*>¶: Iterator that outputs const Binary&.

Public Functions

FatBinary(const FatBinary&) = delete¶

FatBinary &operator=(const FatBinary&) = delete¶

virtual ~FatBinary()¶

size_t size() const¶: Number of MachO::Binary wrapped by this object.

bool empty() const¶: Checks whether this object contains MachO::Binary.

it_binaries begin()¶

it_const_binaries begin() const¶

it_binaries end()¶

it_const_binaries end() const¶

void release_all_binaries()¶

std::unique_ptr<Binary> pop_back()¶: Get a pointer to the last MachO::Binary object presents in this Fat Binary. It returns a nullptr if no binary are present.

Binary *at(size_t index)¶: Get a pointer to the MachO::Binary specified by the index. It returns a nullptr if the binary does not exist at the given index.

const Binary *at(size_t index) const¶

Binary *back()¶

const Binary *back() const¶

Binary *front()¶

const Binary *front() const¶

Binary *operator[](size_t index)¶

const Binary *operator[](size_t index) const¶

std::unique_ptr<Binary> take(size_t index)¶: Extract a MachO::Binary object. Gives ownership to the caller, and remove it from this FatBinary object.

Warning
: this invalidates any previously hold iterator!

std::unique_ptr<Binary> take(CPU_TYPES cpu)¶: Take the underlying MachO::Binary that matches the given architecture If no binary with the architecture can be found, return a nullptr.

void write(const std::string &filename)¶

Reconstruct the Fat binary object and write it in filename

Parameters:: filename – Path to write the reconstructed binary

std::vector<uint8_t> raw()¶: Reconstruct the Fat binary object and return his content as bytes.

Friends

friend class LIEF::Parser

friend std::ostream &operator<<(std::ostream &os, const FatBinary &fatbinary)¶

Binary¶

class Binary : public LIEF::Binary ¶

Class which represents a MachO binary.

Public Types

using commands_t = std::vector<std::unique_ptr<LoadCommand>>¶: Internal container for storing Mach-O LoadCommand.

using it_commands = ref_iterator<commands_t&, LoadCommand*>¶: Iterator that outputs LoadCommand&.

using it_const_commands = const_ref_iterator<const commands_t&, LoadCommand*>¶: Iterator that outputs const LoadCommand&.

using symbols_t = std::vector<std::unique_ptr<Symbol>>¶: Internal container for storing Mach-O Symbol.

using it_symbols = ref_iterator<symbols_t&, Symbol*>¶: Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&, const Symbol*>¶: Iterator that outputs const Symbol&.

using it_exported_symbols = filter_iterator<symbols_t&, Symbol*>¶: Iterator that outputs exported Symbol&.

using it_const_exported_symbols = const_filter_iterator<const symbols_t&, const Symbol*>¶: Iterator that outputs exported const Symbol&.

using it_imported_symbols = filter_iterator<symbols_t&, Symbol*>¶: Iterator that outputs imported Symbol&.

using it_const_imported_symbols = const_filter_iterator<const symbols_t&, const Symbol*>¶: Iterator that outputs imported const Symbol&.

using sections_cache_t = std::vector<Section*>¶: Internal container for caching Mach-O Section.

using it_sections = ref_iterator<sections_cache_t&>¶: Iterator that outputs Section&.

using it_const_sections = const_ref_iterator<const sections_cache_t&>¶: Iterator that outputs const Section&.

using segments_cache_t = std::vector<SegmentCommand*>¶: Internal container for storing Mach-O SegmentCommand.

using it_segments = ref_iterator<segments_cache_t&>¶: Iterator that outputs SegmentCommand&.

using it_const_segments = const_ref_iterator<const segments_cache_t&>¶: Iterator that outputs const SegmentCommand&.

using libraries_cache_t = std::vector<DylibCommand*>¶: Internal container for storing Mach-O DylibCommand.

using it_libraries = ref_iterator<libraries_cache_t&>¶: Iterator that outputs DylibCommand&.

using it_const_libraries = const_ref_iterator<const libraries_cache_t&>¶: Iterator that outputs const DylibCommand&.

using fileset_binaries_t = std::vector<std::unique_ptr<Binary>>¶: Internal container for storing Mach-O Fileset Binary.

using it_fileset_binaries = ref_iterator<fileset_binaries_t&, Binary*>¶: Iterator that outputs Binary&.

using it_const_fileset_binaries = const_ref_iterator<const fileset_binaries_t&, Binary*>¶: Iterator that outputs const Binary&.

using relocations_t = std::set<Relocation*, KeyCmp>¶: Internal container that store all the relocations found in a Mach-O. The relocations are actually owned by Section & SegmentCommand and these references are used for convenience.

using it_relocations = ref_iterator<relocations_t&, Relocation*>¶: Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>¶: Iterator which outputs const Relocation&.

using it_rpaths = filter_iterator<commands_t&, RPathCommand*>¶: Iterator which outputs RPathCommand&.

using it_const_rpaths = const_filter_iterator<const commands_t&, const RPathCommand*>¶: Iterator which outputs const RPathCommand&.

Public Functions

Binary(const Binary&) = delete¶

Binary &operator=(const Binary&) = delete¶

Header &header()¶: Return a reference to the MachO::Header.

const Header &header() const¶

it_commands commands()¶: Return an iterator over the MachO LoadCommand present in the binary.

it_const_commands commands() const¶

it_fileset_binaries filesets()¶: Return an iterator over the MachO::Binary associated with the LOAD_COMMAND_TYPES::LC_FILESET_ENTRY commands.

it_const_fileset_binaries filesets() const¶

it_symbols symbols()¶: Return binary’s symbols .

it_const_symbols symbols() const¶

bool has_symbol(const std::string &name) const¶: Check if a symbol with the given name exists.

const Symbol *get_symbol(const std::string &name) const¶: Return Symbol from the given name. If the symbol does not exists, it returns a null pointer.

Symbol *get_symbol(const std::string &name)¶

it_exported_symbols exported_symbols()¶: Return binary’s exported symbols (iterator over LIEF::MachO::Symbol)

it_const_exported_symbols exported_symbols() const¶

it_imported_symbols imported_symbols()¶: Return binary’s imported symbols (iterator over LIEF::MachO::Symbol)

it_const_imported_symbols imported_symbols() const¶

it_libraries libraries()¶: Return binary imported libraries (MachO::DylibCommand)

it_const_libraries libraries() const¶

it_segments segments()¶: Return an iterator over the SegmentCommand.

it_const_segments segments() const¶

it_sections sections()¶: Return an iterator over the MachO::Section.

it_const_sections sections() const¶

it_relocations relocations()¶: Return an iterator over the MachO::Relocation.

it_const_relocations relocations() const¶

virtual void write(const std::string &filename) override¶

Reconstruct the binary object and write the result in the given filename

Parameters:: filename – Path to write the reconstructed binary

virtual void write(std::ostream &os) override¶

Reconstruct the binary object and write the result in the given os stream.

Parameters:: os – Output stream to write the reconstructed binary

std::vector<uint8_t> raw()¶: Reconstruct the binary object and return its content as bytes.

bool has(LOAD_COMMAND_TYPES type) const¶: Check if the current binary has the given MachO::LOAD_COMMAND_TYPES.

const LoadCommand *get(LOAD_COMMAND_TYPES type) const¶: Return the LoadCommand associated with the given LOAD_COMMAND_TYPES or a nullptr if the command can’t be found.

LoadCommand *get(LOAD_COMMAND_TYPES type)¶

LoadCommand *add(const LoadCommand &command)¶: Insert a new LoadCommand.

LoadCommand *add(const LoadCommand &command, size_t index)¶: Insert a new LoadCommand at the specified index

LoadCommand *add(const DylibCommand &library)¶: Insert the given DylibCommand.

LoadCommand *add(const SegmentCommand &segment)¶: Add a new LC_SEGMENT command from the given SegmentCommand.

LoadCommand *add_library(const std::string &name)¶: Insert a new shared library through a LC_LOAD_DYLIB command.

Section *add_section(const Section &section)¶: Add a new MachO::Section in the __TEXT segment.

Section *add_section(const SegmentCommand &segment, const Section &section)¶: Add a section in the given MachO::SegmentCommand.

Warning
This method may corrupt the file if the segment is not the first one nor the last one

virtual void remove_section(const std::string &name, bool clear = false) override¶

Remove the section with the name provided in the first parameter.

Parameters:

name – Name of the MachO::Section to remove
clear – If true clear the content of the section before removing

void remove_section(const std::string &segname, const std::string &secname, bool clear = false)¶

Remove the section from the segment with the name given in the first parameter and with the section’s name provided in the second parameter.

Parameters:

segname – Name of the MachO::Segment
secname – Name of the MachO::Section to remove
clear – If true clear the content of the section before removing

bool remove(const LoadCommand &command)¶: Remove the given LoadCommand.

bool remove(LOAD_COMMAND_TYPES type)¶: Remove all LoadCommand with the given type (MachO::LOAD_COMMAND_TYPES)

bool remove_command(size_t index)¶: Remove the Load Command at the provided index

bool remove_signature()¶: Remove the LC_SIGNATURE command.

bool extend(const LoadCommand &command, uint64_t size)¶: Extend the size of the given LoadCommand.

bool extend_segment(const SegmentCommand &segment, size_t size)¶: Extend the content of the given SegmentCommand.

bool disable_pie()¶: Remove the PIE flag.

virtual uint64_t imagebase() const override¶: Return the binary’s imagebase. 0 if not relevant.

uint64_t virtual_size() const¶: Size of the binary in memory when mapped by the loader (dyld)

std::string loader() const¶: Return the binary’s loader (e.g. /usr/lib/dyld) or an empty string if the binary does not use a loader/linker.

bool has_section(const std::string &name) const¶: Check if a section with the given name exists.

Section *get_section(const std::string &name)¶: Return the section from the given name of a nullptr if the section can’t be found.

const Section *get_section(const std::string &name) const¶: Return the section from the given name or a nullptr if the section can’t be found.

Section *get_section(const std::string &segname, const std::string &secname)¶: Return the section from the segment with the name given in the first parameter and with the section’s name provided in the second parameter. If the section cannot be found, it returns a nullptr.

const Section *get_section(const std::string &segname, const std::string &secname) const¶

bool has_segment(const std::string &name) const¶: Check if a segment with the given name exists.

const SegmentCommand *get_segment(const std::string &name) const¶: Return the segment from the given name.

SegmentCommand *get_segment(const std::string &name)¶: Return the segment from the given name.

bool remove_symbol(const std::string &name)¶: Remove the symbol with the given name.

bool remove(const Symbol &sym)¶: Remove the given symbol.

bool can_remove(const Symbol &sym) const¶: Check if the given symbol can be safely removed.

bool can_remove_symbol(const std::string &name) const¶: Check if the MachO::Symbol with the given name can be safely removed.

bool unexport(const std::string &name)¶: Remove the given MachO::Symbol with the given name from the export table.

bool unexport(const Symbol &sym)¶: Remove the given symbol from the export table.

Section *section_from_offset(uint64_t offset)¶: Return the MachO::Section that encompasses the provided offset. If a section can’t be found, it returns a null pointer (nullptr)

const Section *section_from_offset(uint64_t offset) const¶

Section *section_from_virtual_address(uint64_t virtual_address)¶: Return the MachO::Section that encompasses the provided virtual address. If a section can’t be found, it returns a null pointer (nullptr)

const Section *section_from_virtual_address(uint64_t virtual_address) const¶

result<uint64_t> virtual_address_to_offset(uint64_t virtual_address) const¶: Convert a virtual address to an offset in the file.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const override¶

Convert the given offset into a virtual address.

Parameters:

offset – [in] The offset to convert.
slide – [in] If not 0, it will replace the default base address (if any)

SegmentCommand *segment_from_offset(uint64_t offset)¶

Return the binary’s SegmentCommand that encompasses the provided offset.

If a SegmentCommand can’t be found it returns a null pointer (nullptr).

const SegmentCommand *segment_from_offset(uint64_t offset) const¶

size_t segment_index(const SegmentCommand &segment) const¶: Return the index of the given SegmentCommand.

uint64_t fat_offset() const¶: Return binary’s fat offset. 0 if not relevant.

SegmentCommand *segment_from_virtual_address(uint64_t virtual_address)¶: Return the binary’s SegmentCommand which encompasses the given virtual address or a nullptr if not found.

const SegmentCommand *segment_from_virtual_address(uint64_t virtual_address) const¶

range_t va_ranges() const¶: Return the range of virtual addresses.

range_t off_ranges() const¶: Return the range of offsets.

bool is_valid_addr(uint64_t address) const¶: Check if the given address is encompassed in the binary’s virtual addresses range.

virtual void accept(LIEF::Visitor &visitor) const override¶: Method so that the visitor can visit us.

virtual std::ostream &print(std::ostream &os) const override¶

virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override¶

Patch the content at virtual address address with patch_value.

Parameters:

address – [in] Address to patch
patch_value – [in] Patch to apply
addr_type – [in] Specify if the address should be used as an absolute virtual address or an RVA

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override¶

Patch the address with the given value.

Parameters:

address – [in] Address to patch
patch_value – [in] Patch to apply
size – [in] Size of the value in bytes (1, 2, … 8)
addr_type – [in] Specify if the address should be used as an absolute virtual address or an RVA

virtual span<const uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, Binary::VA_TYPES addr_type = Binary::VA_TYPES::AUTO) const override¶: Return the content located at virtual address.

virtual uint64_t entrypoint() const override¶: The binary entrypoint.

virtual bool is_pie() const override¶: Check if the binary is position independent.

virtual bool has_nx() const override¶: Check if the binary uses NX protection.

bool has_nx_stack() const¶: Return True if the heap is flagged as non-executable. False otherwise.

bool has_nx_heap() const¶: Return True if the stack is flagged as non-executable. False otherwise.

bool has_entrypoint() const¶

true if the binary has an entrypoint.

Basically for libraries it will return false

bool has_uuid() const¶: true if the binary has a MachO::UUIDCommand command.

UUIDCommand *uuid()¶: Return the MachO::UUIDCommand if present, a nullptr otherwise.

const UUIDCommand *uuid() const¶

bool has_main_command() const¶: true if the binary has a MachO::MainCommand command.

MainCommand *main_command()¶: Return the MachO::MainCommand if present, a nullptr otherwise.

const MainCommand *main_command() const¶

bool has_dylinker() const¶: true if the binary has a MachO::DylinkerCommand.

DylinkerCommand *dylinker()¶: Return the MachO::DylinkerCommand if present, a nullptr otherwise.

const DylinkerCommand *dylinker() const¶

bool has_dyld_info() const¶: true if the binary has a MachO::DyldInfo command.

DyldInfo *dyld_info()¶: Return the MachO::Dyld command if present, a nullptr otherwise.

const DyldInfo *dyld_info() const¶

bool has_function_starts() const¶: true if the binary has a MachO::FunctionStarts command.

FunctionStarts *function_starts()¶: Return the MachO::FunctionStarts command if present, a nullptr otherwise.

const FunctionStarts *function_starts() const¶

bool has_source_version() const¶: true if the binary has a MachO::SourceVersion command.

SourceVersion *source_version()¶: Return the MachO::SourceVersion command if present, a nullptr otherwise.

const SourceVersion *source_version() const¶

bool has_version_min() const¶: true if the binary has a MachO::VersionMin command.

VersionMin *version_min()¶: Return the MachO::VersionMin command if present, a nullptr otherwise.

const VersionMin *version_min() const¶

bool has_thread_command() const¶: true if the binary has a MachO::ThreadCommand command.

ThreadCommand *thread_command()¶: Return the MachO::ThreadCommand command if present, a nullptr otherwise.

const ThreadCommand *thread_command() const¶

bool has_rpath() const¶: true if the binary has a MachO::RPathCommand command.

RPathCommand *rpath()¶: Return the MachO::RPathCommand command if present, a nullptr otherwise.

const RPathCommand *rpath() const¶

it_rpaths rpaths()¶: Iterator over all the MachO::RPathCommand commands.

it_const_rpaths rpaths() const¶

bool has_symbol_command() const¶: true if the binary has a MachO::SymbolCommand command.

SymbolCommand *symbol_command()¶: Return the MachO::SymbolCommand if present, a nullptr otherwise.

const SymbolCommand *symbol_command() const¶

bool has_dynamic_symbol_command() const¶: true if the binary has a MachO::DynamicSymbolCommand command.

DynamicSymbolCommand *dynamic_symbol_command()¶: Return the MachO::SymbolCommand if present, a nullptr otherwise.

const DynamicSymbolCommand *dynamic_symbol_command() const¶

bool has_code_signature() const¶: true if the binary is signed with LC_CODE_SIGNATURE command

CodeSignature *code_signature()¶: Return the MachO::CodeSignature if present, a nullptr otherwise.

const CodeSignature *code_signature() const¶

bool has_code_signature_dir() const¶: true if the binary is signed with the command DYLIB_CODE_SIGN_DRS

CodeSignatureDir *code_signature_dir()¶: Return the MachO::CodeSignatureDir if present, a nullptr otherwise.

const CodeSignatureDir *code_signature_dir() const¶

bool has_data_in_code() const¶: true if the binary has a MachO::DataInCode command.

DataInCode *data_in_code()¶: Return the MachO::DataInCode if present, a nullptr otherwise.

const DataInCode *data_in_code() const¶

bool has_segment_split_info() const¶: true if the binary has segment split info.

SegmentSplitInfo *segment_split_info()¶: Return the MachO::SegmentSplitInfo if present, a nullptr otherwise.

const SegmentSplitInfo *segment_split_info() const¶

bool has_sub_framework() const¶: true if the binary has a sub framework command.

bool has_encryption_info() const¶: true if the binary has Encryption Info.

EncryptionInfo *encryption_info()¶: Return the MachO::DyldEnvironment if present, a nullptr otherwise.

const EncryptionInfo *encryption_info() const¶

SubFramework *sub_framework()¶: Return the MachO::SubFramework if present, a nullptr otherwise.

const SubFramework *sub_framework() const¶

bool has_dyld_environment() const¶: true if the binary has Dyld envrionment variables.

DyldEnvironment *dyld_environment()¶: Return the MachO::DyldEnvironment if present, a nullptr otherwise.

const DyldEnvironment *dyld_environment() const¶

bool has_build_version() const¶: true if the binary has the BuildVersion command.

BuildVersion *build_version()¶: Return the MachO::BuildVersion if present, a nullptr otherwise.

const BuildVersion *build_version() const¶

bool has_dyld_chained_fixups() const¶: true if the binary has the command LC_DYLD_CHAINED_FIXUPS.

DyldChainedFixups *dyld_chained_fixups()¶: Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const DyldChainedFixups *dyld_chained_fixups() const¶

bool has_dyld_exports_trie() const¶: true if the binary has the command LC_DYLD_CHAINED_FIXUPS.

DyldExportsTrie *dyld_exports_trie()¶: Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const DyldExportsTrie *dyld_exports_trie() const¶

bool has_two_level_hints() const¶: true if the binary has the command LC_TWO_LEVEL_HINTS.

TwoLevelHints *two_level_hints()¶: Return the MachO::DyldChainedFixups if present, a nullptr otherwise.

const TwoLevelHints *two_level_hints() const¶

bool has_linker_opt_hint() const¶: true if the binary has the command LC_LINKER_OPTIMIZATION_HINT.

LinkerOptHint *linker_opt_hint()¶: Return the MachO::LinkerOptHint if present, a nullptr otherwise.

const LinkerOptHint *linker_opt_hint() const¶

ExportInfo *add_exported_function(uint64_t address, const std::string &name)¶: Add a symbol in the export trie of the current binary.

Symbol *add_local_symbol(uint64_t address, const std::string &name)¶: Add a symbol in LC_SYMTAB command of the current binary.

template<class T> bool has_command() const¶

template<class T> T *command()¶

template<class T> const T *command() const¶

template<class T> size_t count_commands() const¶

template<class CMD, class Func> Binary &for_commands(Func f)¶

LoadCommand *operator[](LOAD_COMMAND_TYPES type)¶

const LoadCommand *operator[](LOAD_COMMAND_TYPES type) const¶

virtual LIEF::Binary::functions_t ctor_functions() const override¶: Return the list of the MachO’s constructors.

LIEF::Binary::functions_t functions() const¶: Return all the functions found in this MachO.

LIEF::Binary::functions_t unwind_functions() const¶: Return the functions found in the __unwind_info section.

bool has_filesets() const¶: true if the binary has a LOAD_COMMAND_TYPES::LC_FILESET_ENTRY command

inline const std::string &fileset_name() const¶: Name associated with the LC_FILESET_ENTRY binary.

~Binary() override¶

ok_error_t shift(size_t value)¶: Shift the content located right after the Load commands table. This operation can be used to add a new command.

ok_error_t shift_linkedit(size_t width)¶: Shift the position on the __LINKEDIT data by width

inline uint64_t memory_base_address() const¶

If this Mach-O binary has been parsed from memory, it returns the in-memory base address of this binary.

Otherwise, it returns 0

uint32_t page_size() const¶

Public Static Functions

static bool is_exported(const Symbol &symbol)¶: Check if the given symbol is exported.

static bool is_imported(const Symbol &symbol)¶: Check if the given symbol is an imported one.

static inline bool classof(const LIEF::Binary *bin)¶

struct KeyCmp¶

Public Functions

bool operator()(const Relocation *lhs, const Relocation *rhs) const¶

struct range_t¶

Public Members

uint64_t start = 0¶

uint64_t end = 0¶

class Header : public LIEF::Object¶

Class that represents the Mach-O header.

Public Types

using flags_list_t = std::set<HEADER_FLAGS>¶

Public Functions

Header()¶

Header(const details::mach_header_64 &header)¶

Header(const details::mach_header &header)¶

Header &operator=(const Header &copy)¶

Header(const Header &copy)¶

~Header() override¶

MACHO_TYPES magic() const¶: The Mach-O magic bytes. These bytes determine whether it is a 32 bits Mach-O, a 64 bits Mach-O files etc.

CPU_TYPES cpu_type() const¶: The CPU architecture targeted by this binary.

uint32_t cpu_subtype() const¶: Return the CPU subtype supported by the Mach-O binary. For ARM architectures, this value could represent the minimum version for which the Mach-O binary has been compiled for.

FILE_TYPES file_type() const¶: Return the type of the Mach-O file (executable, object, shared library, …)

flags_list_t flags_list() const¶: Return the HEADER_FLAGS as a std::set.

bool has(HEADER_FLAGS flag) const¶: Check if the given HEADER_FLAGS is present in the header’s flags.

uint32_t nb_cmds() const¶: Number of LoadCommand present in the Mach-O binary.

uint32_t sizeof_cmds() const¶: The size of all the LoadCommand.

uint32_t flags() const¶

Header flags (cf. HEADER_FLAGS)

See also

flags_list

uint32_t reserved() const¶: According to the official documentation, a reserved value.

void add(HEADER_FLAGS flag)¶

OBJECT_TYPES abstract_object_type() const¶: LIEF abstract object type.

std::pair<ARCHITECTURES, std::set<MODES>> abstract_architecture() const¶

ENDIANNESS abstract_endianness() const¶: LIEF abstract endiannes.

void magic(MACHO_TYPES magic)¶

void cpu_type(CPU_TYPES cputype)¶

void cpu_subtype(uint32_t cpusubtype)¶

void file_type(FILE_TYPES filetype)¶

void nb_cmds(uint32_t ncmds)¶

void sizeof_cmds(uint32_t sizeofcmds)¶

void flags(uint32_t flags)¶

void remove(HEADER_FLAGS flag)¶

void reserved(uint32_t reserved)¶

Header &operator+=(HEADER_FLAGS c)¶

Header &operator-=(HEADER_FLAGS c)¶

virtual void accept(Visitor &visitor) const override¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Header &hdr)¶

Builder¶

class Builder¶

Class used to rebuild a Mach-O file.

Public Functions

Builder() = delete¶

~Builder()¶

Public Static Functions

static ok_error_t write(Binary &binary, const std::string &filename)¶

static ok_error_t write(Binary &binary, const std::string &filename, config_t config)¶

static ok_error_t write(Binary &binary, std::vector<uint8_t> &out)¶

static ok_error_t write(Binary &binary, std::vector<uint8_t> &out, config_t config)¶

static ok_error_t write(Binary &binary, std::ostream &out)¶

static ok_error_t write(Binary &binary, std::ostream &out, config_t config)¶

static ok_error_t write(FatBinary &fat, const std::string &filename)¶

static ok_error_t write(FatBinary &fat, const std::string &filename, config_t config)¶

static ok_error_t write(FatBinary &fat, std::vector<uint8_t> &out)¶

static ok_error_t write(FatBinary &fat, std::vector<uint8_t> &out, config_t config)¶

static ok_error_t write(FatBinary &fat, std::ostream &out)¶

static ok_error_t write(FatBinary &fat, std::ostream &out, config_t config)¶

struct config_t¶

Options to tweak the building process.

Public Members

bool linkedit = true¶

DylibCommand¶

class DylibCommand : public LIEF::MachO::LoadCommand ¶

Class which represents a library dependency.

Public Types

using version_t = std::array<uint16_t, 3>¶

Public Functions

DylibCommand()¶

DylibCommand(const details::dylib_command &cmd)¶

DylibCommand &operator=(const DylibCommand &copy)¶

DylibCommand(const DylibCommand &copy)¶

~DylibCommand() override¶

virtual DylibCommand *clone() const override¶

const std::string &name() const¶: Library name.

uint32_t timestamp() const¶: Date and Time when the shared library was built.

version_t current_version() const¶: Current version of the shared library.

version_t compatibility_version() const¶: Compatibility version of the shared library.

void name(const std::string &name)¶

void timestamp(uint32_t timestamp)¶

void current_version(version_t currentVersion)¶

void compatibility_version(version_t compatibilityVersion)¶

virtual std::ostream &print(std::ostream &os) const override¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static version_t int2version(uint32_t version)¶: Helper to convert an integer into a version array.

static uint32_t version2int(version_t version)¶: Helper to convert a version array into an integer.

static DylibCommand weak_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)¶: Factory function to generate a LC_LOAD_WEAK_DYLIB library.

static DylibCommand id_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)¶: Factory function to generate a LC_ID_DYLIB library.

static DylibCommand load_dylib(const std::string &name, uint32_t timestamp = 2, uint32_t current_version = 0, uint32_t compat_version = 0)¶: Factory function to generate a LC_LOAD_DYLIB library.

static DylibCommand reexport_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)¶: Factory function to generate a LC_REEXPORT_DYLIB library.

static DylibCommand load_upward_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)¶: Factory function to generate a LC_LOAD_UPWARD_DYLIB library.

static DylibCommand lazy_load_dylib(const std::string &name, uint32_t timestamp = 0, uint32_t current_version = 0, uint32_t compat_version = 0)¶: Factory function to generate a LC_LAZY_LOAD_DYLIB library.

static bool classof(const LoadCommand *cmd)¶

DylinkerCommand¶

class DylinkerCommand : public LIEF::MachO::LoadCommand ¶

Class that represents the Mach-O linker, also named loader Most of the time, DylinkerCommand::name() returns /usr/lib/dyld

Public Functions

DylinkerCommand()¶

DylinkerCommand(const details::dylinker_command &cmd)¶

DylinkerCommand(std::string name)¶

DylinkerCommand &operator=(const DylinkerCommand &copy)¶

DylinkerCommand(const DylinkerCommand &copy)¶

virtual DylinkerCommand *clone() const override¶

~DylinkerCommand() override¶

virtual std::ostream &print(std::ostream &os) const override¶

const std::string &name() const¶: Path to the linker (or loader)

void name(const std::string &name)¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

DynamicSymbolCommand¶

class DynamicSymbolCommand : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_DYSYMTAB command.

This command completes the LC_SYMTAB (SymbolCommand) to provide a better granularity over the symbols layout.

Public Functions

DynamicSymbolCommand()¶

DynamicSymbolCommand(const details::dysymtab_command &cmd)¶

DynamicSymbolCommand &operator=(const DynamicSymbolCommand &copy)¶

DynamicSymbolCommand(const DynamicSymbolCommand &copy)¶

virtual DynamicSymbolCommand *clone() const override¶

~DynamicSymbolCommand() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

uint32_t idx_local_symbol() const¶: Index of the first symbol in the group of local symbols.

uint32_t nb_local_symbols() const¶: Number of symbols in the group of local symbols.

uint32_t idx_external_define_symbol() const¶: Index of the first symbol in the group of defined external symbols.

uint32_t nb_external_define_symbols() const¶: Number of symbols in the group of defined external symbols.

uint32_t idx_undefined_symbol() const¶: Index of the first symbol in the group of undefined external symbols.

uint32_t nb_undefined_symbols() const¶: Number of symbols in the group of undefined external symbols.

uint32_t toc_offset() const¶

Byte offset from the start of the file to the table of contents data.

Table of content is used by legacy Mach-O loader and this field should be set to 0

uint32_t nb_toc() const¶

Number of entries in the table of contents.

Should be set to 0 on recent Mach-O

uint32_t module_table_offset() const¶

Byte offset from the start of the file to the module table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_module_table() const¶

Number of entries in the module table.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t external_reference_symbol_offset() const¶

Byte offset from the start of the file to the external reference table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_external_reference_symbols() const¶

Number of entries in the external reference table.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t indirect_symbol_offset() const¶

Byte offset from the start of the file to the indirect symbol table data.

Indirect symbol table is used by the loader to speed-up symbol resolution during the lazy binding process

References:

dyld-519.2.1/src/ImageLoaderMachOCompressed.cpp
dyld-519.2.1/src/ImageLoaderMachOClassic.cpp

uint32_t nb_indirect_symbols() const¶

Number of entries in the indirect symbol table.

See also

indirect_symbol_offset

uint32_t external_relocation_offset() const¶

Byte offset from the start of the file to the external relocation table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_external_relocations() const¶

Number of entries in the external relocation table.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t local_relocation_offset() const¶

Byte offset from the start of the file to the local relocation table data.

This field seems unused by recent Mach-O loader and should be set to 0

uint32_t nb_local_relocations() const¶

Number of entries in the local relocation table.

This field seems unused by recent Mach-O loader and should be set to 0

void idx_local_symbol(uint32_t value)¶

void nb_local_symbols(uint32_t value)¶

void idx_external_define_symbol(uint32_t value)¶

void nb_external_define_symbols(uint32_t value)¶

void idx_undefined_symbol(uint32_t value)¶

void nb_undefined_symbols(uint32_t value)¶

void toc_offset(uint32_t value)¶

void nb_toc(uint32_t value)¶

void module_table_offset(uint32_t value)¶

void nb_module_table(uint32_t value)¶

void external_reference_symbol_offset(uint32_t value)¶

void nb_external_reference_symbols(uint32_t value)¶

void indirect_symbol_offset(uint32_t value)¶

void nb_indirect_symbols(uint32_t value)¶

void external_relocation_offset(uint32_t value)¶

void nb_external_relocations(uint32_t value)¶

void local_relocation_offset(uint32_t value)¶

void nb_local_relocations(uint32_t value)¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

LoadCommand¶

class LoadCommand : public LIEF::Object¶

Based class for the Mach-O load commands.

Public Types

using raw_t = std::vector<uint8_t>¶

Public Functions

LoadCommand()¶

LoadCommand(const details::load_command &command)¶

LoadCommand(LOAD_COMMAND_TYPES type, uint32_t size)¶

LoadCommand &operator=(LoadCommand copy)¶

LoadCommand(const LoadCommand &copy)¶

void swap(LoadCommand &other)¶

virtual LoadCommand *clone() const¶

~LoadCommand() override¶

LOAD_COMMAND_TYPES command() const¶: Command type.

uint32_t size() const¶: Size of the command (should be greather than sizeof(load_command))

inline span<const uint8_t> data() const¶: Raw command.

uint64_t command_offset() const¶: Offset of the command within the Load Command Table

void data(const raw_t &data)¶

void command(LOAD_COMMAND_TYPES command)¶

void size(uint32_t size)¶

void command_offset(uint64_t offset)¶

virtual std::ostream &print(std::ostream &os) const¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static bool is_linkedit_data(const LoadCommand &cmd)¶

Friends

friend std::ostream &operator<<(std::ostream &os, const LoadCommand &cmd)¶

MainCommand¶

class MainCommand : public LIEF::MachO::LoadCommand ¶

Class that represent the LC_MAIN command. This kind of command can be used to determine the entrypoint of an executable.

Public Functions

MainCommand()¶

MainCommand(const details::entry_point_command &cmd)¶

MainCommand(uint64_t entrypoint, uint64_t stacksize)¶

MainCommand &operator=(const MainCommand &copy)¶

MainCommand(const MainCommand &copy)¶

virtual MainCommand *clone() const override¶

~MainCommand() override¶

uint64_t entrypoint() const¶: Offset of the main function relative to the __TEXT segment.

uint64_t stack_size() const¶: The initial stack size (if not 0)

void entrypoint(uint64_t entrypoint)¶

void stack_size(uint64_t stacksize)¶

virtual std::ostream &print(std::ostream &os) const override¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Section¶

class Section : public LIEF::Section ¶

Class that represents a Mach-O section.

Public Types

using content_t = std::vector<uint8_t>¶

using flag_list_t = std::set<MACHO_SECTION_FLAGS>¶

using relocations_t = std::vector<std::unique_ptr<Relocation>>¶: Internal container for storing Mach-O Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>¶: Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>¶: Iterator which outputs const Relocation&.

Public Functions

Section()¶

Section(const details::section_32 &section_cmd)¶

Section(const details::section_64 &section_cmd)¶

Section(std::string name)¶

Section(std::string name, content_t content)¶

Section &operator=(Section copy)¶

Section(const Section &copy)¶

void swap(Section &other)¶

~Section() override¶

virtual span<const uint8_t> content() const override¶: section’s content

virtual void content(const content_t &data) override¶: Update the content of the section.

const std::string &segment_name() const¶: Return the name of the segment linked to this section.

uint64_t address() const¶: Virtual base address of the section.

uint32_t alignment() const¶: Section alignment as a power of 2.

uint32_t relocation_offset() const¶

Offset of the relocation table. This value should be 0 for executable and libraries as the relocations are managed by the DyldInfo::rebase.

Other the other hand, for object files (.o) this value should not be 0

See also

numberof_relocations

See also

relocations

uint32_t numberof_relocations() const¶: Number of relocations associated with this section.

uint32_t flags() const¶

Section’s flags masked with SECTION_FLAGS_MASK (see: MACHO_SECTION_FLAGS)

See also

flags

MACHO_SECTION_TYPES type() const¶: Type of the section. This value can help to determine the purpose of the section (e.g. MACHO_SECTION_TYPES::MACHO_SECTION_TYPES)

uint32_t reserved1() const¶: According to the official loader.h file, this value is reserved for offset or index

uint32_t reserved2() const¶: According to the official loader.h file, this value is reserved for count or sizeof

uint32_t reserved3() const¶: This value is only present for 64 bits Mach-O files. In that case, the value is reserved.

flag_list_t flags_list() const¶

Return the Section::flags as an std::set of MACHO_SECTION_FLAGS.

See also

flags

uint32_t raw_flags() const¶: Section flags without applying the SECTION_FLAGS_MASK mask.

bool has_segment() const¶: Check if this section is correctly linked with a MachO::SegmentCommand.

SegmentCommand *segment()¶: The segment associated with this section or a nullptr if not present.

const SegmentCommand *segment() const¶

void clear(uint8_t v)¶: Clear the content of this section by filling its values with the byte provided in parameter.

it_relocations relocations()¶

Return an iterator over the MachO::Relocation associated with this section.

This iterator is likely to be empty of executable and libraries while it should not for object files (.o)

it_const_relocations relocations() const¶

void segment_name(const std::string &name)¶

void address(uint64_t address)¶

void alignment(uint32_t align)¶

void relocation_offset(uint32_t relocOffset)¶

void numberof_relocations(uint32_t nbReloc)¶

void flags(uint32_t flags)¶

void flags(flag_list_t flags)¶

void type(MACHO_SECTION_TYPES type)¶

void reserved1(uint32_t reserved1)¶

void reserved2(uint32_t reserved2)¶

void reserved3(uint32_t reserved3)¶

bool has(MACHO_SECTION_FLAGS flag) const¶: Check if the section has the given MACHO_SECTION_FLAGS flag.

void add(MACHO_SECTION_FLAGS flag)¶: Append a MACHO_SECTION_FLAGS to the current section.

void remove(MACHO_SECTION_FLAGS flag)¶: Remove a MACHO_SECTION_FLAGS to the current section.

Section &operator+=(MACHO_SECTION_FLAGS flag)¶

Section &operator-=(MACHO_SECTION_FLAGS flag)¶

virtual void accept(Visitor &visitor) const override¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)¶

SegmentCommand¶

class SegmentCommand : public LIEF::MachO::LoadCommand ¶

Class which represents a LOAD_COMMAND_TYPES::LC_SEGMENT / LOAD_COMMAND_TYPES::LC_SEGMENT_64 command.

Subclassed by LIEF::MachO::LinkEdit

Public Types

using content_t = std::vector<uint8_t>¶

using sections_t = std::vector<std::unique_ptr<Section>>¶: Internal container for storing Mach-O Section.

using it_sections = ref_iterator<sections_t&, Section*>¶: Iterator which outputs Section&.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>¶: Iterator which outputs const Section&.

using relocations_t = std::vector<std::unique_ptr<Relocation>>¶: Internal container for storing Mach-O Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>¶: Iterator which outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>¶: Iterator which outputs const Relocation&.

Public Functions

SegmentCommand()¶

SegmentCommand(const details::segment_command_32 &cmd)¶

SegmentCommand(const details::segment_command_64 &cmd)¶

SegmentCommand &operator=(SegmentCommand other)¶

SegmentCommand(const SegmentCommand &copy)¶

SegmentCommand(std::string name, content_t content)¶

SegmentCommand(std::string name)¶

void swap(SegmentCommand &other)¶

virtual SegmentCommand *clone() const override¶

~SegmentCommand() override¶

const std::string &name() const¶: Name of the segment (e.g. __TEXT)

uint64_t virtual_address() const¶: Absolute virtual base address of the segment.

uint64_t virtual_size() const¶: Virtual size of the segment.

uint64_t file_size() const¶: Size of this segment in the binary file.

uint64_t file_offset() const¶: Offset of the data of this segment in the file.

uint32_t max_protection() const¶: The maximum of protections for this segment (cf. VM_PROTECTIONS)

uint32_t init_protection() const¶: The initial protections of this segment (cf. VM_PROTECTIONS)

uint32_t numberof_sections() const¶: The number of sections associated with this segment.

uint32_t flags() const¶: Flags associated with this segment (cf. MACHO_SEGMENTS_FLAGS)

it_sections sections()¶: Return an iterator over the MachO::Section linked to this segment.

it_const_sections sections() const¶

it_relocations relocations()¶

Return an iterator over the MachO::Relocation linked to this segment.

For Mach-O executable or library this iterator should be empty as the relocations are managed by the Dyld::rebase_opcodes. On the other hand, for object files (.o) this iterator should not be empty

it_const_relocations relocations() const¶

const Section *get_section(const std::string &name) const¶: Get the section with the given name.

Section *get_section(const std::string &name)¶

inline span<const uint8_t> content() const¶: The raw content of this segment.

inline int8_t index() const¶: The original index of this segment.

void name(const std::string &name)¶

void virtual_address(uint64_t virtual_address)¶

void virtual_size(uint64_t virtual_size)¶

void file_offset(uint64_t file_offset)¶

void file_size(uint64_t file_size)¶

void max_protection(uint32_t max_protection)¶

void init_protection(uint32_t init_protection)¶

void numberof_sections(uint32_t nb_section)¶

void flags(uint32_t flags)¶

void content(content_t data)¶

Section &add_section(const Section &section)¶: Add a new section in this segment.

void remove_all_sections()¶: Remove all the sections linked to this segment.

bool has(const Section &section) const¶: Check if the current segment embeds the given section.

bool has_section(const std::string &section_name) const¶: Check if the current segment embeds the given section name.

virtual std::ostream &print(std::ostream &os) const override¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Symbol¶

class Symbol : public LIEF::Symbol ¶

Class that represents a Symbol in a Mach-O file.

A Mach-O symbol can come from:

The symbols command (LC_SYMTAB / SymbolCommand)
The Dyld Export trie
The Dyld Symbol bindings

Public Types

enum class CATEGORY¶

Category of the symbol when the symbol comes from the LC_SYMTAB command. The category is defined according to the LC_DYSYMTAB (DynamicSymbolCommand) command.

Values:

enumerator NONE = 0¶

enumerator LOCAL¶

enumerator EXTERNAL¶

enumerator UNDEFINED¶

enumerator INDIRECT_ABS¶

enumerator INDIRECT_LOCAL¶

Public Functions

Symbol()¶

Symbol(const details::nlist_32 &cmd)¶

Symbol(const details::nlist_64 &cmd)¶

Symbol &operator=(Symbol other)¶

Symbol(const Symbol &other)¶

void swap(Symbol &other)¶

~Symbol() override¶

uint8_t type() const¶

uint8_t numberof_sections() const¶: It returns the number of sections in which this symbol can be found. If the symbol can’t be found in any section, it returns 0 (NO_SECT)

uint16_t description() const¶: Return information about the symbol (SYMBOL_DESCRIPTIONS)

bool has_export_info() const¶: True if the symbol is associated with an ExportInfo This value is set when the symbol comes from the Dyld Export trie.

const ExportInfo *export_info() const¶

Return the ExportInfo associated with this symbol (or nullptr if not present)

See also

has_export_info

ExportInfo *export_info()¶

bool has_binding_info() const¶: True if the symbol is associated with a BindingInfo This value is set when the symbol comes from the Dyld symbol bindings.

const BindingInfo *binding_info() const¶

Return the BindingInfo associated with this symbol (or nullptr if not present)

See also

has_binding_info

BindingInfo *binding_info()¶

std::string demangled_name() const¶: Try to demangle the symbol or return an empty string if it is not possible.

bool is_external() const¶

True if the symbol is defined as an external symbol.

This function check if the flag N_LIST_TYPES::N_UNDF is set

inline const DylibCommand *library() const¶: Return the library in which the symbol is defined. It returns a null pointer if the library can’t be resolved.

inline DylibCommand *library()¶

SYMBOL_ORIGINS origin() const¶: Return the origin of the symbol: from LC_SYMTAB command or from the Dyld information.

inline CATEGORY category() const¶: Category of the symbol according to the LC_DYSYMTAB command.

void type(uint8_t type)¶

void numberof_sections(uint8_t nbsections)¶

void description(uint16_t desc)¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static const Symbol &indirect_abs()¶

static const Symbol &indirect_local()¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &symbol)¶

SymbolCommand¶

class SymbolCommand : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_SYMTAB command.

Public Functions

SymbolCommand()¶

SymbolCommand(const details::symtab_command &command)¶

SymbolCommand &operator=(const SymbolCommand &copy)¶

SymbolCommand(const SymbolCommand &copy)¶

virtual SymbolCommand *clone() const override¶

~SymbolCommand() override¶

uint32_t symbol_offset() const¶: Offset from the start of the file to the n_list associated with the command.

uint32_t numberof_symbols() const¶: Number of symbols registered.

uint32_t strings_offset() const¶: Offset from the start of the file to the string table.

uint32_t strings_size() const¶: Size of the size string table.

void symbol_offset(uint32_t offset)¶

void numberof_symbols(uint32_t nb)¶

void strings_offset(uint32_t offset)¶

void strings_size(uint32_t size)¶

inline span<const uint8_t> symbol_table() const¶

inline span<uint8_t> symbol_table()¶

inline span<const uint8_t> string_table() const¶

inline span<uint8_t> string_table()¶

inline uint32_t original_str_size() const¶

inline uint32_t original_nb_symbols() const¶

virtual std::ostream &print(std::ostream &os) const override¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

UUIDCommand¶

class UUIDCommand : public LIEF::MachO::LoadCommand ¶

Class that represents the UUID command.

Public Functions

UUIDCommand()¶

UUIDCommand(const details::uuid_command &cmd)¶

UUIDCommand &operator=(const UUIDCommand &copy)¶

UUIDCommand(const UUIDCommand &copy)¶

virtual UUIDCommand *clone() const override¶

~UUIDCommand() override¶

uuid_t uuid() const¶: The UUID as a 16-bytes array.

void uuid(const uuid_t &uuid)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Dyld Info¶

class DyldInfo : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_DYLD_INFO and LC_DYLD_INFO_ONLY commands.

Public Types

enum class BINDING_ENCODING_VERSION¶

Values:

enumerator UNKNOWN = 0¶

enumerator V1¶

enumerator V2¶

using info_t = std::pair<uint32_t, uint32_t>¶: Tuple of offset and size

using binding_info_t = std::vector<std::unique_ptr<DyldBindingInfo>>¶: Internal container for storing DyldBindingInfo.

using it_binding_info = ref_iterator<binding_info_t&, DyldBindingInfo*>¶: Iterator which outputs DyldBindingInfo&.

using it_const_binding_info = const_ref_iterator<const binding_info_t&, DyldBindingInfo*>¶: Iterator which outputs const DyldBindingInfo&.

using export_info_t = std::vector<std::unique_ptr<ExportInfo>>¶: Internal container for storing ExportInfo.

using it_export_info = ref_iterator<export_info_t&, ExportInfo*>¶: Iterator which outputs const ExportInfo&.

using it_const_export_info = const_ref_iterator<const export_info_t&, ExportInfo*>¶: Iterator which outputs const ExportInfo&.

Public Functions

DyldInfo()¶

DyldInfo(const details::dyld_info_command &dyld_info_cmd)¶

DyldInfo &operator=(DyldInfo other)¶

DyldInfo(const DyldInfo &copy)¶

void swap(DyldInfo &other)¶

virtual DyldInfo *clone() const override¶

~DyldInfo() override¶

const info_t &rebase() const¶

Rebase information

Dyld rebases an image whenever dyld loads it at an address different from its preferred address. The rebase information is a stream of byte sized opcodes for which symbolic names start with REBASE_OPCODE_. Conceptually the rebase information is a table of tuples: <seg-index, seg-offset, type> The opcodes are a compressed way to encode the table by only encoding when a column changes. In addition simple patterns like “every n’th offset for m times” can be encoded in a few bytes.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> rebase_opcodes() const¶: Return Rebase’s opcodes as raw data.

span<uint8_t> rebase_opcodes()¶

void rebase_opcodes(buffer_t raw)¶: Set new opcodes.

std::string show_rebases_opcodes() const¶: Return the rebase opcodes in a humman-readable way.

const info_t &bind() const¶

Bind information

Dyld binds an image during the loading process, if the image requires any pointers to be initialized to symbols in other images. The rebase information is a stream of byte sized opcodes for which symbolic names start with BIND_OPCODE_. Conceptually the bind information is a table of tuples: <seg-index, seg-offset, type, symbol-library-ordinal, symbol-name, addend> The opcodes are a compressed way to encode the table by only encoding when a column changes. In addition simple patterns like for runs of pointers initialzed to the same value can be encoded in a few bytes.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> bind_opcodes() const¶: Return Binding’s opcodes as raw data.

span<uint8_t> bind_opcodes()¶

void bind_opcodes(buffer_t raw)¶: Set new opcodes.

std::string show_bind_opcodes() const¶: Return the bind opcodes in a humman-readable way.

const info_t &weak_bind() const¶

Weak Bind information

Some C++ programs require dyld to unique symbols so that all images in the process use the same copy of some code/data. This step is done after binding. The content of the weak_bind info is an opcode stream like the bind_info. But it is sorted alphabetically by symbol name. This enables dyld to walk all images with weak binding information in order and look for collisions. If there are no collisions, dyld does no updating. That means that some fixups are also encoded in the bind_info. For instance, all calls to “operator new” are first bound to libstdc++.dylib using the information in bind_info. Then if some image overrides operator new that is detected when the weak_bind information is processed and the call to operator new is then rebound.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> weak_bind_opcodes() const¶: Return Weak Binding’s opcodes as raw data.

span<uint8_t> weak_bind_opcodes()¶

void weak_bind_opcodes(buffer_t raw)¶: Set new opcodes.

std::string show_weak_bind_opcodes() const¶: Return the bind opcodes in a humman-readable way.

const info_t &lazy_bind() const¶

Lazy Bind information

Some uses of external symbols do not need to be bound immediately. Instead they can be lazily bound on first use. The lazy_bind are contains a stream of BIND opcodes to bind all lazy symbols. Normal use is that dyld ignores the lazy_bind section when loading an image. Instead the static linker arranged for the lazy pointer to initially point to a helper function which pushes the offset into the lazy_bind area for the symbol needing to be bound, then jumps to dyld which simply adds the offset to lazy_bind_off to get the information on what to bind.

See also

/usr/include/mach-o/loader.h

span<const uint8_t> lazy_bind_opcodes() const¶: Return Lazy Binding’s opcodes as raw data.

span<uint8_t> lazy_bind_opcodes()¶

void lazy_bind_opcodes(buffer_t raw)¶: Set new opcodes.

std::string show_lazy_bind_opcodes() const¶: Return the lazy opcodes in a humman-readable way.

it_binding_info bindings()¶: Iterator over BindingInfo entries.

it_const_binding_info bindings() const¶

const info_t &export_info() const¶

Export information

The symbols exported by a dylib are encoded in a trie. This is a compact representation that factors out common prefixes. It also reduces LINKEDIT pages in RAM because it encodes all information (name, address, flags) in one small, contiguous range. The export area is a stream of nodes. The first node sequentially is the start node for the trie.

Nodes for a symbol start with a byte that is the length of the exported symbol information for the string so far. If there is no exported symbol, the byte is zero. If there is exported info, it follows the length byte. The exported info normally consists of a flags and offset both encoded in uleb128. The offset is location of the content named by the symbol. It is the offset from the mach_header for the image.

After the initial byte and optional exported symbol information is a byte of how many edges (0-255) that this node has leaving it, followed by each edge. Each edge is a zero terminated cstring of the addition chars in the symbol, followed by a uleb128 offset for the node that edge points to.

See also

/usr/include/mach-o/loader.h

it_export_info exports()¶: Iterator over ExportInfo entries.

it_const_export_info exports() const¶

span<const uint8_t> export_trie() const¶: Return Export’s trie as raw data.

span<uint8_t> export_trie()¶

void export_trie(buffer_t raw)¶: Set new trie.

std::string show_export_trie() const¶: Return the export trie in a humman-readable way.

void rebase(const info_t &info)¶

void bind(const info_t &info)¶

void weak_bind(const info_t &info)¶

void lazy_bind(const info_t &info)¶

void export_info(const info_t &info)¶

void set_rebase_offset(uint32_t offset)¶

void set_rebase_size(uint32_t size)¶

void set_bind_offset(uint32_t offset)¶

void set_bind_size(uint32_t size)¶

void set_weak_bind_offset(uint32_t offset)¶

void set_weak_bind_size(uint32_t size)¶

void set_lazy_bind_offset(uint32_t offset)¶

void set_lazy_bind_size(uint32_t size)¶

void set_export_offset(uint32_t offset)¶

void set_export_size(uint32_t size)¶

void add(std::unique_ptr<ExportInfo> info)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Function starts¶

class FunctionStarts : public LIEF::MachO::LoadCommand ¶

Class which represents the LC_FUNCTION_STARTS command.

This command is an array of ULEB128 encoded values

Public Functions

FunctionStarts()¶

FunctionStarts(const details::linkedit_data_command &cmd)¶

FunctionStarts &operator=(const FunctionStarts &copy)¶

FunctionStarts(const FunctionStarts &copy)¶

virtual FunctionStarts *clone() const override¶

uint32_t data_offset() const¶: Offset in the __LINKEDIT SegmentCommand where start functions are located.

uint32_t data_size() const¶: Size of the functions list in the binary.

const std::vector<uint64_t> &functions() const¶

Addresses of every function entry point in the executable.

This allows functions to exist for which there are no entries in the symbol table.

Warning

The address is relative to the __TEXT segment

std::vector<uint64_t> &functions()¶

void add_function(uint64_t address)¶: Add a new function.

void data_offset(uint32_t offset)¶

void data_size(uint32_t size)¶

void functions(const std::vector<uint64_t> &funcs)¶

inline span<const uint8_t> content() const¶

inline span<uint8_t> content()¶

~FunctionStarts() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Source Version¶

class SourceVersion : public LIEF::MachO::LoadCommand ¶

Class that represents the MachO LOAD_COMMAND_TYPES::LC_SOURCE_VERSION This command is used to provide the version of the sources used to build the binary.

Public Types

using version_t = std::array<uint32_t, 5>¶: Version is an array of 5 integers.

Public Functions

SourceVersion()¶

SourceVersion(const details::source_version_command &version_cmd)¶

SourceVersion &operator=(const SourceVersion &copy)¶

SourceVersion(const SourceVersion &copy)¶

virtual SourceVersion *clone() const override¶

~SourceVersion() override¶

const SourceVersion::version_t &version() const¶: Return the version as an array.

void version(const SourceVersion::version_t &version)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Version Min¶

class VersionMin : public LIEF::MachO::LoadCommand ¶

Class that wraps the LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, … commands.

Public Types

using version_t = std::array<uint32_t, 3>¶: Version is an array of 3 integers.

Public Functions

VersionMin()¶

VersionMin(const details::version_min_command &version_cmd)¶

VersionMin &operator=(const VersionMin &copy)¶

VersionMin(const VersionMin &copy)¶

virtual VersionMin *clone() const override¶

~VersionMin() override¶

const version_t &version() const¶: Return the version as an array.

void version(const version_t &version)¶

const version_t &sdk() const¶: Return the sdk version as an array.

void sdk(const version_t &sdk)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Relocation¶

class Relocation : public LIEF::Relocation ¶

Class that represents a Mach-O relocation.

See also

MachO::RelocationObject
MachO::RelocationDyld
MachO::RelocationFixup

Subclassed by LIEF::MachO::RelocationDyld, LIEF::MachO::RelocationFixup, LIEF::MachO::RelocationObject

Public Functions

Relocation()¶

Relocation(uint64_t address, uint8_t type)¶

Relocation &operator=(const Relocation &other)¶

Relocation(const Relocation &other)¶

void swap(Relocation &other)¶

~Relocation() override¶

virtual Relocation *clone() const = 0¶

virtual bool is_pc_relative() const = 0¶

Indicates whether the item containing the address to be relocated is part of a CPU instruction that uses PC-relative addressing.

For addresses contained in PC-relative instructions, the CPU adds the address of the instruction to the address contained in the instruction.

virtual uint8_t type() const¶

Type of the relocation according to the Relocation::architecture and/or the Relocation::origin.

See:

MachO::X86_RELOCATION
MachO::X86_64_RELOCATION
MachO::PPC_RELOCATION
MachO::ARM_RELOCATION
MachO::ARM64_RELOCATION
MachO::REBASE_TYPES

CPU_TYPES architecture() const¶: Achitecture targeted by this relocation.

virtual RELOCATION_ORIGINS origin() const = 0¶: Origin of the relocation.

bool has_symbol() const¶: true if the relocation has a symbol associated with

Symbol *symbol()¶: Symbol associated with the relocation, if any, otherwise a nullptr.

const Symbol *symbol() const¶

bool has_section() const¶: true if the relocation has a section associated with

Section *section()¶: Section associated with the relocation, if any, otherwise a nullptr.

const Section *section() const¶

bool has_segment() const¶: true if the relocation has a SegmentCommand associated with

SegmentCommand *segment()¶: SegmentCommand associated with the relocation, if any, otherwise a nullptr.

const SegmentCommand *segment() const¶

virtual void pc_relative(bool val) = 0¶

virtual void type(uint8_t type)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)¶

Relocation Object¶

class RelocationObject : public LIEF::MachO::Relocation ¶

Class that represents a relocation presents in the MachO object file (.o). Usually, this kind of relocation is found in the MachO::Section.

See also

RelocationDyld

Public Functions

RelocationObject()¶

RelocationObject(const details::relocation_info &relocinfo)¶

RelocationObject(const details::scattered_relocation_info &scattered_relocinfo)¶

RelocationObject &operator=(RelocationObject other)¶

RelocationObject(const RelocationObject &other)¶

void swap(RelocationObject &other)¶

~RelocationObject() override¶

virtual RelocationObject *clone() const override¶

virtual bool is_pc_relative() const override¶: Whether the relocation is PC relative.

virtual size_t size() const override¶: Size of the relocation.

virtual uint64_t address() const override¶: Address where the relocation is applied This address is relative to the start of the section where the relocation takes place.

bool is_scattered() const¶: true if the relocation is a scattered one

int32_t value() const¶

For scattered relocations: The address of the relocatable expression for the item in the file that needs to be updated if the address is changed.

For relocatable expressions with the difference of two section addresses, the address from which to subtract (in mathematical terms, the minuend) is contained in the first relocation entry and the address to subtract (the subtrahend) is contained in the second relocation entry.

virtual RELOCATION_ORIGINS origin() const override¶: Origin of the relocation. For this object it should be RELOCATION_ORIGINS::ORIGIN_RELOC_TABLE)

virtual void pc_relative(bool val) override¶

virtual void size(size_t size) override¶

void value(int32_t value)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Relocation()¶

Relocation(uint64_t address, uint8_t type)¶

Relocation(const Relocation &other)¶

Public Static Functions

static bool classof(const Relocation &r)¶

Relocation Dyld¶

class RelocationDyld : public LIEF::MachO::Relocation ¶

Class that represents a relocation found in the DyldInfo structure.

While this class does not have an associated structure in the Mach-O format specification, it provides a convenient interface for the Dyld::rebase

Public Functions

RelocationDyld()¶

RelocationDyld &operator=(const RelocationDyld&)¶

RelocationDyld(const RelocationDyld&)¶

~RelocationDyld() override¶

virtual Relocation *clone() const override¶

virtual bool is_pc_relative() const override¶

Indicates whether the item containing the address to be relocated is part of a CPU instruction that uses PC-relative addressing.

For addresses contained in PC-relative instructions, the CPU adds the address of the instruction to the address contained in the instruction.

virtual RELOCATION_ORIGINS origin() const override¶: Origin of the relocation. For this concrete object, it should be RELOCATION_ORIGINS::ORIGIN_DYLDINFO.

virtual void pc_relative(bool val) override¶

bool operator<(const RelocationDyld &rhs) const¶

bool operator>=(const RelocationDyld &rhs) const¶

bool operator>(const RelocationDyld &rhs) const¶

bool operator<=(const RelocationDyld &rhs) const¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Relocation()¶

Relocation(uint64_t address, uint8_t type)¶

Relocation(const Relocation &other)¶

Public Static Functions

static bool classof(const Relocation &r)¶

Relocation Fixup¶

class RelocationFixup : public LIEF::MachO::Relocation ¶

Class that represents a rebase relocation found in the LC_DYLD_CHAINED_FIXUPS command.

This class extends LIEF::Relocation in which LIEF::Relocation::address is set to the absolute virtual address where the relocation must take place (e.g. 0x10000d270).

On the other hand, RelocationFixup::target contains the value that should be set at LIEF::Relocation::address if the imagebase is LIEF::Binary::imagebase (e.g. 0x1000073a8).

If the Mach-O loader chooses another base address (like 0x7ff100000), it must set 0x10000d270 to 0x7ff1073a8.

Public Functions

RelocationFixup() = delete¶

RelocationFixup(DYLD_CHAINED_PTR_FORMAT fmt, uint64_t imagebase)¶

RelocationFixup &operator=(const RelocationFixup&)¶

RelocationFixup(const RelocationFixup&)¶

RelocationFixup &operator=(RelocationFixup&&)¶

RelocationFixup(RelocationFixup&&)¶

~RelocationFixup() override¶

virtual Relocation *clone() const override¶

virtual bool is_pc_relative() const override¶: Not relevant for this kind of relocation.

virtual RELOCATION_ORIGINS origin() const override¶: Origin of the relocation. For this concrete object, it should be RELOCATION_ORIGINS::ORIGIN_CHAINED_FIXUPS.

inline DYLD_CHAINED_PTR_FORMAT ptr_format() const¶

uint64_t target() const¶: The value that should be set at LIEF::Relocation::address if the imagebase is LIEF::Binary::imagebase. Otherwise, it should be: target() - LIEF::Binary::imagebase() + new_imagebase.

void target(uint64_t target)¶

virtual void pc_relative(bool) override¶: Not relevant for this kind of relocation.

inline uint32_t offset() const¶

inline void offset(uint32_t offset)¶

virtual uint64_t address() const override¶: The address of this relocation is bound to its offset.

virtual void address(uint64_t address) override¶: Changing the address means changing the offset.

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Members

details::dyld_chained_ptr_arm64e_rebase *arm64_rebase_ = nullptr¶

details::dyld_chained_ptr_arm64e_auth_rebase *arm64_auth_rebase_¶

details::dyld_chained_ptr_64_rebase *p64_rebase_¶

details::dyld_chained_ptr_32_rebase *p32_rebase_¶

Public Static Functions

static bool classof(const Relocation &r)¶

Dyld Binding Info¶

class DyldBindingInfo : public LIEF::MachO::BindingInfo¶

This class represents a symbol binding operation associated with the LC_DYLD_INFO bytecode.

It does not represent a structure that exists in the Mach-O format specifications but it provides a view on an entry of the Dyld binding opcodes.

See also

: BindingInfo

Public Functions

DyldBindingInfo()¶

DyldBindingInfo(BINDING_CLASS cls, BIND_TYPES type, uint64_t address, int64_t addend = 0, int32_t oridnal = 0, bool is_weak = false, bool is_non_weak_definition = false, uint64_t offset = 0)¶

DyldBindingInfo &operator=(DyldBindingInfo other)¶

DyldBindingInfo(const DyldBindingInfo &other)¶

DyldBindingInfo(DyldBindingInfo&&)¶

void swap(DyldBindingInfo &other)¶

BINDING_CLASS binding_class() const¶: Class of the binding (weak, lazy, …)

void binding_class(BINDING_CLASS bind_class)¶

BIND_TYPES binding_type() const¶: Type of the binding. Most of the times it’s BIND_TYPES::BIND_TYPE_POINTER.

void binding_type(BIND_TYPES type)¶

inline bool is_non_weak_definition() const¶

inline void set_non_weak_definition(bool val)¶

uint64_t original_offset() const¶: Original relative offset of the binding opcodes.

inline virtual BindingInfo::TYPES type() const override¶: The type of the binding. This type provides the origin of the binding (LC_DYLD_INFO or LC_DYLD_CHAINED_FIXUPS)

~DyldBindingInfo() override¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static inline bool classof(BindingInfo *info)¶

Friends

friend std::ostream &operator<<(std::ostream &os, const DyldBindingInfo &binding_info)¶

Chained Binding Info¶

class ChainedBindingInfo : public LIEF::MachO::BindingInfo¶

This class represents a symbol binding operation associated with the LC_DYLD_CHAINED_FIXUPS command.

This class does not represent a structure that exists in the Mach-O format specifications but it provides a view on an entry.

See also

: BindingInfo

Public Functions

ChainedBindingInfo() = delete¶

explicit ChainedBindingInfo(DYLD_CHAINED_FORMAT fmt, bool is_weak)¶

ChainedBindingInfo &operator=(ChainedBindingInfo other)¶

ChainedBindingInfo(const ChainedBindingInfo &other)¶

ChainedBindingInfo(ChainedBindingInfo&&)¶

void swap(ChainedBindingInfo &other)¶

inline DYLD_CHAINED_FORMAT format() const¶: Format of the imports.

inline DYLD_CHAINED_PTR_FORMAT ptr_format() const¶: Format of the pointer.

inline uint32_t offset() const¶: Original offset in the chain of this binding.

inline void offset(uint32_t offset)¶

virtual uint64_t address() const override¶: Address of the binding.

virtual void address(uint64_t address) override¶

uint64_t sign_extended_addend() const¶

inline virtual BindingInfo::TYPES type() const override¶: The type of the binding. This type provides the origin of the binding (LC_DYLD_INFO or LC_DYLD_CHAINED_FIXUPS)

~ChainedBindingInfo() override¶

virtual void accept(Visitor &visitor) const override¶

Public Members

details::dyld_chained_ptr_arm64e_bind *arm64_bind_ = nullptr¶

details::dyld_chained_ptr_arm64e_auth_bind *arm64_auth_bind_¶

details::dyld_chained_ptr_arm64e_bind24 *arm64_bind24_¶

details::dyld_chained_ptr_arm64e_auth_bind24 *arm64_auth_bind24_¶

details::dyld_chained_ptr_64_bind *p64_bind_¶

details::dyld_chained_ptr_32_bind *p32_bind_¶

Public Static Functions

static inline bool classof(BindingInfo *info)¶

Friends

friend std::ostream &operator<<(std::ostream &os, const ChainedBindingInfo &info)¶

Export Info¶

class ExportInfo : public LIEF::Object¶

Class that provides an interface over the Dyld export info.

This class does not represent a structure that exists in the Mach-O format specification but provides a view on an entry of the Dyld export trie.

Public Types

using flag_list_t = std::vector<EXPORT_SYMBOL_FLAGS>¶

Public Functions

ExportInfo()¶

ExportInfo(uint64_t address, uint64_t flags, uint64_t offset = 0)¶

ExportInfo &operator=(ExportInfo copy)¶

ExportInfo(const ExportInfo &copy)¶

void swap(ExportInfo &other)¶

uint64_t node_offset() const¶: Original offset in the export Trie.

uint64_t flags() const¶: Some information (EXPORT_SYMBOL_FLAGS) about the export (like weak export, reexport, …)

void flags(uint64_t flags)¶

flag_list_t flags_list() const¶: The export flags() as a list.

bool has(EXPORT_SYMBOL_FLAGS flag) const¶: Check if the current entry contains the provided EXPORT_SYMBOL_FLAGS.

EXPORT_SYMBOL_KINDS kind() const¶: The export’s kind (regular, thread local, absolute, …)

uint64_t other() const¶

uint64_t address() const¶: The address of the export.

void address(uint64_t addr)¶

bool has_symbol() const¶: Check if a symbol is associated with this export.

const Symbol *symbol() const¶: MachO::Symbol associated with this export or a nullptr if no symbol.

Symbol *symbol()¶

Symbol *alias()¶: If the export is a EXPORT_SYMBOL_FLAGS::EXPORT_SYMBOL_FLAGS_REEXPORT, this returns the (optional) MachO::Symbol.

const Symbol *alias() const¶

DylibCommand *alias_library()¶: If the export is a EXPORT_SYMBOL_FLAGS::EXPORT_SYMBOL_FLAGS_REEXPORT, this returns the (optional) library (MachO::DylibCommand)

const DylibCommand *alias_library() const¶

~ExportInfo() override¶

virtual void accept(Visitor &visitor) const override¶

Friends

friend std::ostream &operator<<(std::ostream &os, const ExportInfo &export_info)¶

Thread Command¶

class ThreadCommand : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_THREAD / LC_UNIXTHREAD commands and that can be used to get the binary entrypoint when the LC_MAIN (MainCommand) is not present.

Generally speaking, this command aims at defining the original state of the main thread which includes the registers’ values

Public Functions

ThreadCommand()¶

ThreadCommand(const details::thread_command &cmd, CPU_TYPES arch = CPU_TYPES::CPU_TYPE_ANY)¶

ThreadCommand(uint32_t flavor, uint32_t count, CPU_TYPES arch = CPU_TYPES::CPU_TYPE_ANY)¶

ThreadCommand &operator=(const ThreadCommand &copy)¶

ThreadCommand(const ThreadCommand &copy)¶

virtual ThreadCommand *clone() const override¶

~ThreadCommand() override¶

uint32_t flavor() const¶

Integer that defines a special flavor for the thread.

The meaning of this value depends on the architecture(). The list of the values can be found in the XNU kernel files:

xnu/osfmk/mach/arm/thread_status.h for the ARM/AArch64 architectures
xnu/osfmk/mach/i386/thread_status.h for the x86/x86-64 architectures

uint32_t count() const¶

Size of the thread state data with 32-bits alignment.

This value should match state().size()

CPU_TYPES architecture() const¶: The CPU architecture that is targeted by this ThreadCommand.

inline span<const uint8_t> state() const¶: The actual thread state as a vector of bytes. Depending on the architecture(), these data can be casted into x86_thread_state_t, x86_thread_state64_t, …

inline span<uint8_t> state()¶

uint64_t pc() const¶

Return the initial Program Counter regardless of the underlying architecture. This value, when non null, can be used to determine the binary’s entrypoint.

Underneath, it works by looking for the PC register value in the state() data

void state(const std::vector<uint8_t> &state)¶

void flavor(uint32_t flavor)¶

void count(uint32_t count)¶

void architecture(CPU_TYPES arch)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

RPath Command¶

class RPathCommand : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_RPATH command.

This command is used to add path for searching libraries associated with the @rpath prefix.

Public Functions

RPathCommand()¶

RPathCommand(const details::rpath_command &rpathCmd)¶

RPathCommand &operator=(const RPathCommand &copy)¶

RPathCommand(const RPathCommand &copy)¶

virtual RPathCommand *clone() const override¶

~RPathCommand() override¶

const std::string &path() const¶: The rpath value as a string.

void path(const std::string &path)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Code Signature¶

class CodeSignature : public LIEF::MachO::LoadCommand ¶

Public Functions

CodeSignature()¶

CodeSignature(const details::linkedit_data_command &cmd)¶

CodeSignature &operator=(const CodeSignature &copy)¶

CodeSignature(const CodeSignature &copy)¶

virtual CodeSignature *clone() const override¶

uint32_t data_offset() const¶: Offset in the binary where the signature starts.

uint32_t data_size() const¶: Size of the raw signature.

void data_offset(uint32_t offset)¶

void data_size(uint32_t size)¶

inline span<uint8_t> content()¶

inline span<const uint8_t> content() const¶

~CodeSignature() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Data In Code¶

class DataInCode : public LIEF::MachO::LoadCommand ¶

Interface of the LC_DATA_IN_CODE command This command is used to list slices of code sections that contain data. The slices information are stored as an array of DataCodeEntry.

See also

DataCodeEntry

Public Types

using entries_t = std::vector<DataCodeEntry>¶

using it_const_entries = const_ref_iterator<const entries_t&>¶

using it_entries = ref_iterator<entries_t&>¶

Public Functions

DataInCode()¶

DataInCode(const details::linkedit_data_command &cmd)¶

DataInCode &operator=(const DataInCode&)¶

DataInCode(const DataInCode&)¶

virtual DataInCode *clone() const override¶

uint32_t data_offset() const¶: Start of the array of the DataCodeEntry entries.

uint32_t data_size() const¶: Whole size of the array (size = sizeof(DataCodeEntry) * nb_elements)

void data_offset(uint32_t offset)¶

void data_size(uint32_t size)¶

DataInCode &add(const DataCodeEntry &entry)¶: Add a new entry.

it_const_entries entries() const¶: Iterator over the DataCodeEntry.

it_entries entries()¶

inline span<uint8_t> content()¶

inline span<const uint8_t> content() const¶

~DataInCode() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Data Code Entry¶

class DataCodeEntry : public LIEF::Object¶

Interface over an entry in the DataInCode command.

Public Types

enum class TYPES¶

Values:

enumerator UNKNOWN = 0¶

enumerator DATA = 1¶

enumerator JUMP_TABLE_8 = 2¶

enumerator JUMP_TABLE_16 = 3¶

enumerator JUMP_TABLE_32 = 4¶

enumerator ABS_JUMP_TABLE_32 = 5¶

Public Functions

DataCodeEntry()¶

DataCodeEntry(uint32_t off, uint16_t length, TYPES type)¶

DataCodeEntry(const details::data_in_code_entry &entry)¶

DataCodeEntry &operator=(const DataCodeEntry&)¶

DataCodeEntry(const DataCodeEntry&)¶

uint32_t offset() const¶: Offset of the data.

uint16_t length() const¶: Length of the data.

TYPES type() const¶

void offset(uint32_t off)¶

void length(uint16_t length)¶

void type(TYPES type)¶

~DataCodeEntry() override¶

virtual void accept(Visitor &visitor) const override¶

Friends

friend std::ostream &operator<<(std::ostream &os, const DataCodeEntry &entry)¶

Segment Split Info¶

class SegmentSplitInfo : public LIEF::MachO::LoadCommand ¶

Class that represents the LOAD_COMMAND_TYPES::LC_SEGMENT_SPLIT_INFO command.

Public Functions

SegmentSplitInfo()¶

SegmentSplitInfo(const details::linkedit_data_command &cmd)¶

SegmentSplitInfo &operator=(const SegmentSplitInfo &copy)¶

SegmentSplitInfo(const SegmentSplitInfo &copy)¶

virtual SegmentSplitInfo *clone() const override¶

uint32_t data_offset() const¶

uint32_t data_size() const¶

void data_offset(uint32_t offset)¶

void data_size(uint32_t size)¶

inline span<uint8_t> content()¶

inline span<const uint8_t> content() const¶

~SegmentSplitInfo() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Sub-Framework¶

class SubFramework : public LIEF::MachO::LoadCommand ¶

Class that represents the SubFramework command. Accodring to the Mach-O loader.h documentation:

A dynamically linked shared library may be a subframework of an umbrella framework. If so it will be linked with “-umbrella umbrella_name” where Where “umbrella_name” is the name of the umbrella framework. A subframework can only be linked against by its umbrella framework or other subframeworks that are part of the same umbrella framework. Otherwise the static link editor produces an error and states to link against the umbrella framework. The name of the umbrella framework for subframeworks is recorded in the following structure.

Public Functions

SubFramework()¶

SubFramework(const details::sub_framework_command &cmd)¶

SubFramework &operator=(const SubFramework &copy)¶

SubFramework(const SubFramework &copy)¶

virtual SubFramework *clone() const override¶

const std::string &umbrella() const¶: Name of the umbrella framework.

void umbrella(const std::string &u)¶

~SubFramework() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Dyld Environment¶

class DyldEnvironment : public LIEF::MachO::LoadCommand ¶

Class that represents a LC_DYLD_ENVIRONMENT which is used by the Mach-O linker/loader to initialize an environment variable.

Public Functions

DyldEnvironment()¶

DyldEnvironment(const details::dylinker_command &cmd)¶

DyldEnvironment &operator=(const DyldEnvironment &copy)¶

DyldEnvironment(const DyldEnvironment &copy)¶

virtual DyldEnvironment *clone() const override¶

~DyldEnvironment() override¶

virtual std::ostream &print(std::ostream &os) const override¶

const std::string &value() const¶: The actual environment variable.

void value(const std::string &values)¶

virtual void accept(Visitor &visitor) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Encryption Info¶

class EncryptionInfo : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 commands.

The encryption info is usually present in Mach-O executables that target iOS to encrypt some sections of the binary

Public Functions

EncryptionInfo()¶

EncryptionInfo(const details::encryption_info_command &cmd)¶

EncryptionInfo &operator=(const EncryptionInfo &copy)¶

EncryptionInfo(const EncryptionInfo &copy)¶

~EncryptionInfo() override¶

uint32_t crypt_offset() const¶: The beginning of the encrypted area.

uint32_t crypt_size() const¶: The size of the encrypted area.

uint32_t crypt_id() const¶: The encryption system. 0 means no encrypted.

void crypt_offset(uint32_t offset)¶

void crypt_size(uint32_t size)¶

void crypt_id(uint32_t id)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Build Version¶

class BuildVersion : public LIEF::MachO::LoadCommand ¶

Public Types

enum class PLATFORMS¶

Values:

enumerator UNKNOWN = 0¶

enumerator MACOS = 1¶

enumerator IOS = 2¶

enumerator TVOS = 3¶

enumerator WATCHOS = 4¶

using version_t = std::array<uint32_t, 3>¶: Version is an array of 3 integers.

using tools_list_t = std::vector<BuildToolVersion>¶

Public Functions

BuildVersion()¶

BuildVersion(const details::build_version_command &version_cmd)¶

BuildVersion &operator=(const BuildVersion &copy)¶

BuildVersion(const BuildVersion &copy)¶

virtual BuildVersion *clone() const override¶

version_t minos() const¶

void minos(version_t version)¶

version_t sdk() const¶

void sdk(version_t version)¶

PLATFORMS platform() const¶

void platform(PLATFORMS plat)¶

tools_list_t tools() const¶

~BuildVersion() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Build Tool Version¶

class BuildToolVersion : public LIEF::Object¶

Class that represents a tool’s version that was involved in the build of the binary.

Public Types

enum class TOOLS¶

Values:

enumerator UNKNOWN = 0¶

enumerator CLANG = 1¶

enumerator SWIFT = 2¶

enumerator LD = 3¶

using version_t = std::array<uint32_t, 3>¶: A version is an array of 3 integers.

Public Functions

BuildToolVersion() = default¶

BuildToolVersion(const details::build_tool_version &tool)¶

inline TOOLS tool() const¶: The tools used.

inline version_t version() const¶: Version associated with the tool.

~BuildToolVersion() override = default¶

virtual void accept(Visitor &visitor) const override¶

Friends

friend std::ostream &operator<<(std::ostream &os, const BuildToolVersion &tool)¶

Fileset Command¶

class FilesetCommand : public LIEF::MachO::LoadCommand ¶

Class associated with the LC_FILESET_ENTRY commands.

Public Types

using content_t = std::vector<uint8_t>¶

Public Functions

FilesetCommand()¶

FilesetCommand(const details::fileset_entry_command &command)¶

FilesetCommand(const std::string &name)¶

FilesetCommand &operator=(FilesetCommand copy)¶

FilesetCommand(const FilesetCommand &copy)¶

void swap(FilesetCommand &other)¶

virtual FilesetCommand *clone() const override¶

~FilesetCommand() override¶

const std::string &name() const¶: Name of the underlying MachO binary (e.g. com.apple.security.quarantine)

uint64_t virtual_address() const¶: Memory address where the MachO file should be mapped.

uint64_t file_offset() const¶: Original offset in the kernel cache.

inline const Binary *binary() const¶: Return a pointer on the LIEF::MachO::Binary associated with this entry.

inline Binary *binary()¶

void name(const std::string &name)¶

void virtual_address(uint64_t virtual_address)¶

void file_offset(uint64_t file_offset)¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Friends

friend class BinaryParser

DyldChainedFixups Command¶

class DyldChainedFixups : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_DYLD_CHAINED_FIXUPS command.

This command aims at providing rebase and binding information like the DyldInfo’s bytecode. Compared to the DyldInfo bytecode, these chained fixups are taking less space.

Public Types

using chained_starts_in_segments_t = std::vector<chained_starts_in_segment>¶: Internal container for storing chained_starts_in_segment.

using it_chained_starts_in_segments_t = ref_iterator<chained_starts_in_segments_t&>¶: Iterator that outputs chained_starts_in_segment&.

using it_const_chained_starts_in_segments_t = const_ref_iterator<const chained_starts_in_segments_t&>¶: Iterator that outputs const chained_starts_in_segment&.

using binding_info_t = std::vector<std::unique_ptr<ChainedBindingInfo>>¶: Internal container for storing DyldBindingInfo.

using it_binding_info = ref_iterator<binding_info_t&, ChainedBindingInfo*>¶: Iterator which outputs DyldBindingInfo&.

using it_const_binding_info = const_ref_iterator<const binding_info_t&, ChainedBindingInfo*>¶: Iterator which outputs const DyldBindingInfo&.

Public Functions

DyldChainedFixups()¶

DyldChainedFixups(const details::linkedit_data_command &cmd)¶

virtual DyldChainedFixups *clone() const override¶

~DyldChainedFixups() override¶

uint32_t data_offset() const¶: Offset of the LC_DYLD_CHAINED_FIXUPS chained payload. This offset should point in the __LINKEDIT segment.

uint32_t data_size() const¶: Size of the LC_DYLD_CHAINED_FIXUPS payload.

void data_offset(uint32_t offset)¶

void data_size(uint32_t size)¶

inline it_binding_info bindings()¶: Iterator over the bindings (ChainedBindingInfo) associated with this command.

inline it_const_binding_info bindings() const¶: Iterator over the bindings (ChainedBindingInfo) associated with this command.

inline it_chained_starts_in_segments_t chained_starts_in_segments()¶: Iterator over the chained fixup metadata.

inline it_const_chained_starts_in_segments_t chained_starts_in_segments() const¶

inline uint32_t fixups_version() const¶: Chained fixups version. The loader (dyld v852.2) checks that this value is set to 0.

inline void fixups_version(uint32_t version)¶

inline uint32_t starts_offset() const¶: offset of dyld_chained_starts_in_image in chain_data

inline void starts_offset(uint32_t offset)¶

inline uint32_t imports_offset() const¶: Offset of imports table in chain data.

inline void imports_offset(uint32_t offset)¶

inline uint32_t symbols_offset() const¶: Offset of symbol strings in chain data.

inline void symbols_offset(uint32_t offset)¶

inline uint32_t imports_count() const¶: Number of imported symbol names.

inline void imports_count(uint32_t cnt)¶

inline uint32_t symbols_format() const¶

The compression algorithm (if any) used to store the symbols 0 means uncompressed while 1 means zlib compressed.

As far of the version v852.2 of dyld loader, it only supports uncompressed format

inline void symbols_format(uint32_t fmt)¶

inline DYLD_CHAINED_FORMAT imports_format() const¶: The format of the imports (ChainedBindingInfo)

inline void imports_format(DYLD_CHAINED_FORMAT fmt)¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

struct chained_starts_in_segment¶

Structure that mirrors the raw dyld_chained_starts_in_segment which aims at providing information about the chained rebase/bind fixups.

The relocations provided by this structure can be accessed through SegmentCommand::relocations

Public Functions

inline size_t page_count() const¶: How many pages are in the page_start array.

Public Members

uint32_t offset = 0¶: Original offset of the structure, relative to DyldChainedFixups::starts_offset.

uint32_t size = 0¶: sizeof(size) + sizeof(page_size) + … + sizeof(pointer_format)

uint16_t page_size = 0¶: Likely 0x1000 for x86/x86_64 architectures and 0x4000 for ARM64 architecture.

uint64_t segment_offset = 0¶: Offset of the segment’s data from the beginning of the file (it should match SegmentCommand::file_offset)

uint32_t max_valid_pointer = 0¶: for 32-bit OS, any value beyond this is not a pointer

DYLD_CHAINED_PTR_FORMAT pointer_format¶: How pointers are encoded.

std::vector<uint16_t> page_start¶: Offset in the SegmentCommand of the first element of the chain.

std::vector<uint16_t> chain_starts¶: Currently not supported.

SegmentCommand &segment¶: Segment in which the rebase/bind fixups take place.

Friends

friend std::ostream &operator<<(std::ostream &os, const chained_starts_in_segment &info)¶

DyldExportsTrie Command¶

class DyldExportsTrie : public LIEF::MachO::LoadCommand ¶

Class that represents the LC_DYLD_EXPORTS_TRIE command.

In recent Mach-O binaries, this command replace the DyldInfo export trie buffer

Public Types

using export_info_t = std::vector<std::unique_ptr<ExportInfo>>¶: Internal container for storing ExportInfo.

using it_export_info = ref_iterator<export_info_t&, ExportInfo*>¶: Iterator which outputs const ExportInfo&.

using it_const_export_info = const_ref_iterator<const export_info_t&, ExportInfo*>¶: Iterator which outputs const ExportInfo&.

Public Functions

DyldExportsTrie()¶

DyldExportsTrie(const details::linkedit_data_command &cmd)¶

virtual DyldExportsTrie *clone() const override¶

void swap(DyldExportsTrie &other)¶

~DyldExportsTrie() override¶

uint32_t data_offset() const¶: Offset of the LC_DYLD_EXPORTS_TRIE. This offset should point in the __LINKEDIT segment.

uint32_t data_size() const¶: Size of the LC_DYLD_EXPORTS_TRIE payload.

void data_offset(uint32_t offset)¶

void data_size(uint32_t size)¶

inline span<const uint8_t> content() const¶

it_export_info exports()¶: Iterator over the ExportInfo entries.

it_const_export_info exports() const¶

std::string show_export_trie() const¶: Print the exports trie in a humman-readable way.

void add(std::unique_ptr<ExportInfo> info)¶: Add an entrie in the current trie. See also: LIEF::MachO::Binary::add_exported_function.

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Code Signature Dir Command¶

class CodeSignatureDir : public LIEF::MachO::LoadCommand ¶

Public Functions

CodeSignatureDir()¶

CodeSignatureDir(const details::linkedit_data_command &cmd)¶

CodeSignatureDir &operator=(const CodeSignatureDir &copy)¶

CodeSignatureDir(const CodeSignatureDir &copy)¶

virtual CodeSignatureDir *clone() const override¶

inline uint32_t data_offset() const¶: Offset in the binary where the signature starts.

inline uint32_t data_size() const¶: Size of the raw signature.

inline void data_offset(uint32_t offset)¶

inline void data_size(uint32_t size)¶

inline span<const uint8_t> content() const¶

inline span<uint8_t> content()¶

~CodeSignatureDir() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Linker Optimization Hint Command¶

class LinkerOptHint : public LIEF::MachO::LoadCommand ¶

Class which represents the LC_LINKER_OPTIMIZATION_HINT command.

Public Functions

LinkerOptHint()¶

LinkerOptHint(const details::linkedit_data_command &cmd)¶

LinkerOptHint &operator=(const LinkerOptHint &copy)¶

LinkerOptHint(const LinkerOptHint &copy)¶

virtual LinkerOptHint *clone() const override¶

inline uint32_t data_offset() const¶: Offset in the binary where the signature starts.

inline uint32_t data_size() const¶: Size of the raw signature.

inline void data_offset(uint32_t offset)¶

inline void data_size(uint32_t size)¶

inline span<const uint8_t> content() const¶

inline span<uint8_t> content()¶

~LinkerOptHint() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Two Level Hints Command¶

class TwoLevelHints : public LIEF::MachO::LoadCommand ¶

Class which represents the LC_TWOLEVEL_HINTS command.

Public Types

using hints_list_t = std::vector<uint32_t>¶

using it_hints_t = ref_iterator<hints_list_t&>¶

using it_const_hints_t = const_ref_iterator<const hints_list_t&>¶

Public Functions

TwoLevelHints()¶

TwoLevelHints(const details::twolevel_hints_command &cmd)¶

TwoLevelHints &operator=(const TwoLevelHints &copy)¶

TwoLevelHints(const TwoLevelHints &copy)¶

virtual TwoLevelHints *clone() const override¶

inline span<const uint8_t> content() const¶: Original payload of the command.

inline span<uint8_t> content()¶

inline it_hints_t hints()¶: Iterator over the hints (uint32_t integers)

inline it_const_hints_t hints() const¶

inline uint32_t offset() const¶: Original offset of the command. It should point in the __LINKEDIT segment.

inline void offset(uint32_t offset)¶

inline uint32_t original_nb_hints() const¶

~TwoLevelHints() override¶

virtual void accept(Visitor &visitor) const override¶

virtual std::ostream &print(std::ostream &os) const override¶

Public Static Functions

static bool classof(const LoadCommand *cmd)¶

Utilities¶

bool LIEF::MachO::is_macho(const std::string &file)¶: Check if the given file is a Mach-O binary.

bool LIEF::MachO::is_macho(const std::vector<uint8_t> &raw)¶: Check if the given raw data is a Mach-O binary.

bool LIEF::MachO::is_fat(const std::string &file)¶: Check if the given file is a FAT Mach-O.

bool LIEF::MachO::is_64(const std::string &file)¶: Check if the given Mach-O is 64-bits.

Enums¶

enum class LIEF::MachO::MACHO_TYPES : uint32_t¶

Values:

enumerator MH_MAGIC = 0xFEEDFACEu¶: 32-bit big-endian magic

enumerator MH_CIGAM = 0xCEFAEDFEu¶: 32-bit little-endian magic

enumerator MH_MAGIC_64 = 0xFEEDFACFu¶: 64-bit big-endian magic

enumerator MH_CIGAM_64 = 0xCFFAEDFEu¶: 64-bit little-endian magic

enumerator FAT_MAGIC = 0xCAFEBABEu¶: big-endian fat magic

enumerator FAT_CIGAM = 0xBEBAFECAu¶: little-endian fat magic

enum class LIEF::MachO::FILE_TYPES : size_t¶

Values:

enumerator MH_OBJECT = 0x1u¶

enumerator MH_EXECUTE = 0x2u¶

enumerator MH_FVMLIB = 0x3u¶

enumerator MH_CORE = 0x4u¶

enumerator MH_PRELOAD = 0x5u¶

enumerator MH_DYLIB = 0x6u¶

enumerator MH_DYLINKER = 0x7u¶

enumerator MH_BUNDLE = 0x8u¶

enumerator MH_DYLIB_STUB = 0x9u¶

enumerator MH_DSYM = 0xAu¶

enumerator MH_KEXT_BUNDLE = 0xBu¶

enum class LIEF::MachO::HEADER_FLAGS : size_t¶

Values:

enumerator MH_NOUNDEFS = 0x00000001u¶

enumerator MH_INCRLINK = 0x00000002u¶

enumerator MH_DYLDLINK = 0x00000004u¶

enumerator MH_BINDATLOAD = 0x00000008u¶

enumerator MH_PREBOUND = 0x00000010u¶

enumerator MH_SPLIT_SEGS = 0x00000020u¶

enumerator MH_LAZY_INIT = 0x00000040u¶

enumerator MH_TWOLEVEL = 0x00000080u¶

enumerator MH_FORCE_FLAT = 0x00000100u¶

enumerator MH_NOMULTIDEFS = 0x00000200u¶

enumerator MH_NOFIXPREBINDING = 0x00000400u¶

enumerator MH_PREBINDABLE = 0x00000800u¶

enumerator MH_ALLMODSBOUND = 0x00001000u¶

enumerator MH_SUBSECTIONS_VIA_SYMBOLS = 0x00002000u¶

enumerator MH_CANONICAL = 0x00004000u¶

enumerator MH_WEAK_DEFINES = 0x00008000u¶

enumerator MH_BINDS_TO_WEAK = 0x00010000u¶

enumerator MH_ALLOW_STACK_EXECUTION = 0x00020000u¶

enumerator MH_ROOT_SAFE = 0x00040000u¶

enumerator MH_SETUID_SAFE = 0x00080000u¶

enumerator MH_NO_REEXPORTED_DYLIBS = 0x00100000u¶

enumerator MH_PIE = 0x00200000u¶

enumerator MH_DEAD_STRIPPABLE_DYLIB = 0x00400000u¶

enumerator MH_HAS_TLV_DESCRIPTORS = 0x00800000u¶

enumerator MH_NO_HEAP_EXECUTION = 0x01000000u¶

enumerator MH_APP_EXTENSION_SAFE = 0x02000000u¶

enum class LIEF::MachO::LOAD_COMMAND_TYPES : size_t¶

Values:

enumerator LC_SEGMENT = 0x00000001u¶

enumerator LC_SYMTAB = 0x00000002u¶

enumerator LC_SYMSEG = 0x00000003u¶

enumerator LC_THREAD = 0x00000004u¶

enumerator LC_UNIXTHREAD = 0x00000005u¶

enumerator LC_LOADFVMLIB = 0x00000006u¶

enumerator LC_IDFVMLIB = 0x00000007u¶

enumerator LC_IDENT = 0x00000008u¶

enumerator LC_FVMFILE = 0x00000009u¶

enumerator LC_PREPAGE = 0x0000000Au¶

enumerator LC_DYSYMTAB = 0x0000000Bu¶

enumerator LC_LOAD_DYLIB = 0x0000000Cu¶

enumerator LC_ID_DYLIB = 0x0000000Du¶

enumerator LC_LOAD_DYLINKER = 0x0000000Eu¶

enumerator LC_ID_DYLINKER = 0x0000000Fu¶

enumerator LC_PREBOUND_DYLIB = 0x00000010u¶

enumerator LC_ROUTINES = 0x00000011u¶

enumerator LC_SUB_FRAMEWORK = 0x00000012u¶

enumerator LC_SUB_UMBRELLA = 0x00000013u¶

enumerator LC_SUB_CLIENT = 0x00000014u¶

enumerator LC_SUB_LIBRARY = 0x00000015u¶

enumerator LC_TWOLEVEL_HINTS = 0x00000016u¶

enumerator LC_PREBIND_CKSUM = 0x00000017u¶

enumerator LC_LOAD_WEAK_DYLIB = 0x80000018u¶

enumerator LC_SEGMENT_64 = 0x00000019u¶

enumerator LC_ROUTINES_64 = 0x0000001Au¶

enumerator LC_UUID = 0x0000001Bu¶

enumerator LC_RPATH = 0x8000001Cu¶

enumerator LC_CODE_SIGNATURE = 0x0000001Du¶

enumerator LC_SEGMENT_SPLIT_INFO = 0x0000001Eu¶

enumerator LC_REEXPORT_DYLIB = 0x8000001Fu¶

enumerator LC_LAZY_LOAD_DYLIB = 0x00000020u¶

enumerator LC_ENCRYPTION_INFO = 0x00000021u¶

enumerator LC_DYLD_INFO = 0x00000022u¶

enumerator LC_DYLD_INFO_ONLY = 0x80000022u¶

enumerator LC_LOAD_UPWARD_DYLIB = 0x80000023u¶

enumerator LC_VERSION_MIN_MACOSX = 0x00000024u¶

enumerator LC_VERSION_MIN_IPHONEOS = 0x00000025u¶

enumerator LC_FUNCTION_STARTS = 0x00000026u¶

enumerator LC_DYLD_ENVIRONMENT = 0x00000027u¶

enumerator LC_MAIN = 0x80000028u¶

enumerator LC_DATA_IN_CODE = 0x00000029u¶

enumerator LC_SOURCE_VERSION = 0x0000002Au¶

enumerator LC_DYLIB_CODE_SIGN_DRS = 0x0000002Bu¶

enumerator LC_ENCRYPTION_INFO_64 = 0x0000002Cu¶

enumerator LC_LINKER_OPTION = 0x0000002Du¶

enumerator LC_LINKER_OPTIMIZATION_HINT = 0x0000002Eu¶

enumerator LC_VERSION_MIN_TVOS = 0x0000002Fu¶

enumerator LC_VERSION_MIN_WATCHOS = 0x00000030u¶

enumerator LC_NOTE = 0x00000031u¶

enumerator LC_BUILD_VERSION = 0x00000032u¶

enumerator LC_DYLD_EXPORTS_TRIE = 0x80000033u¶

enumerator LC_DYLD_CHAINED_FIXUPS = 0x80000034u¶

enumerator LC_FILESET_ENTRY = 0x80000035u¶

enum class LIEF::MachO::MACHO_SEGMENTS_FLAGS : size_t¶

Values:

enumerator SG_HIGHVM = 0x1u¶: The file contents for this segment are for the high part of the virtual memory space; the low part is zero filled (for stacks in core files).

enumerator SG_FVMLIB = 0x2u¶: this segment is the VM that is allocated by a fixed VM library, for overlap checking in the link editor.

enumerator SG_NORELOC = 0x4u¶: This segment has nothing that was relocated in it and nothing relocated to it. It may be safely replaced without relocation.

enumerator SG_PROTECTED_VERSION_1 = 0x8u¶

enum class LIEF::MachO::MACHO_SECTION_TYPES : size_t¶

These are the section type and attributes fields. A MachO section can have only one Type, but can have any of the attributes specified.

Values:

enumerator S_REGULAR = 0x00u¶: Regular section.

enumerator S_ZEROFILL = 0x01u¶: Zero fill on demand section.

enumerator S_CSTRING_LITERALS = 0x02u¶: Section with literal C strings.

enumerator S_4BYTE_LITERALS = 0x03u¶: Section with 4 byte literals.

enumerator S_8BYTE_LITERALS = 0x04u¶: Section with 8 byte literals.

enumerator S_LITERAL_POINTERS = 0x05u¶: Section with pointers to literals.

enumerator S_NON_LAZY_SYMBOL_POINTERS = 0x06u¶: Section with non-lazy symbol pointers.

enumerator S_LAZY_SYMBOL_POINTERS = 0x07u¶: Section with lazy symbol pointers.

enumerator S_SYMBOL_STUBS = 0x08u¶: Section with symbol stubs, byte size of stub in the Reserved2 field.

enumerator S_MOD_INIT_FUNC_POINTERS = 0x09u¶: Section with only function pointers for initialization.

enumerator S_MOD_TERM_FUNC_POINTERS = 0x0au¶: Section with only function pointers for termination.

enumerator S_COALESCED = 0x0bu¶: Section contains symbols that are to be coalesced.

enumerator S_GB_ZEROFILL = 0x0cu¶: Zero fill on demand section (that can be larger than 4 gigabytes).

enumerator S_INTERPOSING = 0x0du¶: Section with only pairs of function pointers for interposing.

enumerator S_16BYTE_LITERALS = 0x0eu¶: Section with only 16 byte literals.

enumerator S_DTRACE_DOF = 0x0fu¶: Section contains DTrace Object Format.

enumerator S_LAZY_DYLIB_SYMBOL_POINTERS = 0x10u¶: Section with lazy symbol pointers to lazy loaded dylibs.

enumerator S_THREAD_LOCAL_REGULAR = 0x11u¶: Thread local data section.

enumerator S_THREAD_LOCAL_ZEROFILL = 0x12u¶: Thread local zerofill section.

enumerator S_THREAD_LOCAL_VARIABLES = 0x13u¶: Section with thread local variable structure data.

enumerator S_THREAD_LOCAL_VARIABLE_POINTERS = 0x14u¶: Section with pointers to thread local structures.

enumerator S_THREAD_LOCAL_INIT_FUNCTION_POINTERS = 0x15u¶: Section with thread local variable initialization pointers to functions.

enumerator LAST_KNOWN_SECTION_TYPE = 0x15u¶

enum class LIEF::MachO::MACHO_SECTION_FLAGS : size_t¶

Values:

enumerator S_ATTR_PURE_INSTRUCTIONS = 0x80000000u¶: Section contains only true machine instructions.

enumerator S_ATTR_NO_TOC = 0x40000000u¶: Section contains coalesced symbols that are not to be in a ranlib table of contents.

enumerator S_ATTR_STRIP_STATIC_SYMS = 0x20000000u¶: Ok to strip static symbols in this section in files with the MY_DYLDLINK flag.

enumerator S_ATTR_NO_DEAD_STRIP = 0x10000000u¶: No dead stripping.

enumerator S_ATTR_LIVE_SUPPORT = 0x08000000u¶: Blocks are live if they reference live blocks.

enumerator S_ATTR_SELF_MODIFYING_CODE = 0x04000000u¶: Used with i386 code stubs written on by dyld.

enumerator S_ATTR_DEBUG = 0x02000000u¶: A debug section.

enumerator S_ATTR_SOME_INSTRUCTIONS = 0x00000400u¶: Section contains some machine instructions.

enumerator S_ATTR_EXT_RELOC = 0x00000200u¶: Section has external relocation entries.

enumerator S_ATTR_LOC_RELOC = 0x00000100u¶: Section has local relocation entries.

enumerator INDIRECT_SYMBOL_LOCAL = 0x80000000u¶

enumerator INDIRECT_SYMBOL_ABS = 0x40000000u¶

enum class LIEF::MachO::MACHO_SYMBOL_TYPES : size_t¶

Values:

enumerator N_STAB = 0xe0¶: The symbol is symbolic debugging table.

enumerator N_PEXT = 0x10¶: Limited global scope symbol.

enumerator N_TYPE = 0x0e¶

Define the type of the symbol.

See also

N_LIST_TYPES

enumerator N_EXT = 0x01¶: External symbol, a symbol that is either defined outside this file or that is defined in this file but can be referenced by other files.

enum class LIEF::MachO::SYMBOL_DESCRIPTIONS : size_t¶

Values:

enumerator REFERENCE_TYPE = 0x7¶

enumerator REFERENCE_FLAG_UNDEFINED_NON_LAZY = 0¶: Reference to an external non-lazy (data) symbol.

enumerator REFERENCE_FLAG_UNDEFINED_LAZY = 1¶: Reference to an external lazy symbol - that is, to a function call.

enumerator REFERENCE_FLAG_DEFINED = 2¶: Defined in this module.

enumerator REFERENCE_FLAG_PRIVATE_DEFINED = 3¶: Defined in this module and is visible only to modules within this shared library.

enumerator REFERENCE_FLAG_PRIVATE_UNDEFINED_NON_LAZY = 4¶: Defined in another module in this file, is a non-lazy (data) symbol, and is visible only to modules within this shared library.

enumerator REFERENCE_FLAG_PRIVATE_UNDEFINED_LAZY = 5¶: Defined in another module in this file, is a lazy (function) symbol, and is visible only to modules within this shared library.

enumerator N_ARM_THUMB_DEF = 0x0008u¶

enumerator REFERENCED_DYNAMICALLY = 0x0010u¶

enumerator N_NO_DEAD_STRIP = 0x0020u¶

enumerator N_WEAK_REF = 0x0040u¶

enumerator N_WEAK_DEF = 0x0080u¶

enumerator N_SYMBOL_RESOLVER = 0x0100u¶

enumerator N_ALT_ENTRY = 0x0200u¶

enumerator SELF_LIBRARY_ORDINAL = 0x0¶

enumerator MAX_LIBRARY_ORDINAL = 0xfd¶

enumerator DYNAMIC_LOOKUP_ORDINAL = 0xfe¶

enumerator EXECUTABLE_ORDINAL = 0xff¶

enum class LIEF::MachO::X86_RELOCATION : size_t¶

Values:

enumerator GENERIC_RELOC_VANILLA = 0¶: A generic relocation entry for both addresses contained in data and addresses contained in CPU instructions.

enumerator GENERIC_RELOC_PAIR = 1¶: The second relocation entry of a pair.

enumerator GENERIC_RELOC_SECTDIFF = 2¶: A relocation entry for an item that contains the difference of two section addresses. This is generally used for position-independent code generation.

enumerator GENERIC_RELOC_PB_LA_PTR = 3¶: contains the address from which to subtract; it must be followed by a X86_RELOCATION::GENERIC_RELOC_PAIR containing the address to subtract.

enumerator GENERIC_RELOC_LOCAL_SECTDIFF = 4¶: Similar to X86_RELOCATION::GENERIC_RELOC_SECTDIFF except that this entry refers specifically to the address in this item. If the address is that of a globally visible coalesced symbol, this relocation entry does not change if the symbol is overridden. This is used to associate stack unwinding information with the object code this relocation entry describes.

enumerator GENERIC_RELOC_TLV = 5¶: A relocation entry for a prebound lazy pointer. This is always a scattered relocation entry. The MachO::Relocation::value field contains the non-prebound value of the lazy pointer.

enum class LIEF::MachO::X86_64_RELOCATION : size_t¶

Values:

enumerator X86_64_RELOC_UNSIGNED = 0¶: A CALL/JMP instruction with 32-bit displacement.

enumerator X86_64_RELOC_SIGNED = 1¶: A MOVQ load of a GOT entry.

enumerator X86_64_RELOC_BRANCH = 2¶: Other GOT references.

enumerator X86_64_RELOC_GOT_LOAD = 3¶: Signed 32-bit displacement.

enumerator X86_64_RELOC_GOT = 4¶: Absolute address.

enumerator X86_64_RELOC_SUBTRACTOR = 5¶: Must be followed by a X86_64_RELOCATION::X86_64_RELOC_UNSIGNED relocation.

enumerator X86_64_RELOC_SIGNED_1 = 6¶

enumerator X86_64_RELOC_SIGNED_2 = 7¶

enumerator X86_64_RELOC_SIGNED_4 = 8¶

enumerator X86_64_RELOC_TLV = 9¶

enum class LIEF::MachO::PPC_RELOCATION : size_t¶

Values:

enumerator PPC_RELOC_VANILLA = 0¶

enumerator PPC_RELOC_PAIR = 1¶

enumerator PPC_RELOC_BR14 = 2¶

enumerator PPC_RELOC_BR24 = 3¶

enumerator PPC_RELOC_HI16 = 4¶

enumerator PPC_RELOC_LO16 = 5¶

enumerator PPC_RELOC_HA16 = 6¶

enumerator PPC_RELOC_LO14 = 7¶

enumerator PPC_RELOC_SECTDIFF = 8¶

enumerator PPC_RELOC_PB_LA_PTR = 9¶

enumerator PPC_RELOC_HI16_SECTDIFF = 10¶

enumerator PPC_RELOC_LO16_SECTDIFF = 11¶

enumerator PPC_RELOC_HA16_SECTDIFF = 12¶

enumerator PPC_RELOC_JBSR = 13¶

enumerator PPC_RELOC_LO14_SECTDIFF = 14¶

enumerator PPC_RELOC_LOCAL_SECTDIFF = 15¶

enum class LIEF::MachO::ARM_RELOCATION : size_t¶

Values:

enumerator ARM_RELOC_VANILLA = 0¶

enumerator ARM_RELOC_PAIR = 1¶

enumerator ARM_RELOC_SECTDIFF = 2¶

enumerator ARM_RELOC_LOCAL_SECTDIFF = 3¶

enumerator ARM_RELOC_PB_LA_PTR = 4¶

enumerator ARM_RELOC_BR24 = 5¶

enumerator ARM_THUMB_RELOC_BR22 = 6¶

enumerator ARM_THUMB_32BIT_BRANCH = 7¶

enumerator ARM_RELOC_HALF = 8¶

enumerator ARM_RELOC_HALF_SECTDIFF = 9¶

enum class LIEF::MachO::ARM64_RELOCATION : size_t¶

Values:

enumerator ARM64_RELOC_UNSIGNED = 0¶: For pointers.

enumerator ARM64_RELOC_SUBTRACTOR = 1¶: Must be followed by an ARM64_RELOCATION::ARM64_RELOC_UNSIGNED

enumerator ARM64_RELOC_BRANCH26 = 2¶: A B/BL instruction with 26-bit displacement.

enumerator ARM64_RELOC_PAGE21 = 3¶: PC-rel distance to page of target.

enumerator ARM64_RELOC_PAGEOFF12 = 4¶: Offset within page, scaled by MachO::Relocation::size.

enumerator ARM64_RELOC_GOT_LOAD_PAGE21 = 5¶: PC-rel distance to page of GOT slot

enumerator ARM64_RELOC_GOT_LOAD_PAGEOFF12 = 6¶: Offset within page of GOT slot, scaled by MachO::Relocation::size.

enumerator ARM64_RELOC_POINTER_TO_GOT = 7¶: For pointers to GOT slots.

enumerator ARM64_RELOC_TLVP_LOAD_PAGE21 = 8¶: PC-rel distance to page of TLVP slot.

enumerator ARM64_RELOC_TLVP_LOAD_PAGEOFF12 = 9¶: Offset within page of TLVP slot, scaled by MachO::Relocation::size.

enumerator ARM64_RELOC_ADDEND = 10¶: Must be followed by ARM64_RELOCATION::ARM64_RELOC_PAGE21 or ARM64_RELOCATION::ARM64_RELOC_PAGEOFF12.

enum class LIEF::MachO::CPU_TYPES : int¶

Values:

enumerator CPU_TYPE_ANY = -1¶

enumerator CPU_TYPE_X86 = 7¶

enumerator CPU_TYPE_I386 = 7¶

enumerator CPU_TYPE_X86_64 = 7 | 0x01000000¶

enumerator CPU_TYPE_MC98000 = 10¶

enumerator CPU_TYPE_ARM = 12¶

enumerator CPU_TYPE_ARM64 = 12 | 0x01000000¶

enumerator CPU_TYPE_SPARC = 14¶

enumerator CPU_TYPE_POWERPC = 18¶

enumerator CPU_TYPE_POWERPC64 = 18 | 0x01000000¶

enum class LIEF::MachO::CPU_SUBTYPES_X86 : size_t¶

Values:

enumerator CPU_SUBTYPE_I386_ALL = 3¶

enumerator CPU_SUBTYPE_386 = 3¶

enumerator CPU_SUBTYPE_486 = 4¶

enumerator CPU_SUBTYPE_486SX = 0x84¶

enumerator CPU_SUBTYPE_586 = 5¶

enumerator CPU_SUBTYPE_PENT = 5¶

enumerator CPU_SUBTYPE_PENTPRO = 0x16¶

enumerator CPU_SUBTYPE_PENTII_M3 = 0x36¶

enumerator CPU_SUBTYPE_PENTII_M5 = 0x56¶

enumerator CPU_SUBTYPE_CELERON = 0x67¶

enumerator CPU_SUBTYPE_CELERON_MOBILE = 0x77¶

enumerator CPU_SUBTYPE_PENTIUM_3 = 0x08¶

enumerator CPU_SUBTYPE_PENTIUM_3_M = 0x18¶

enumerator CPU_SUBTYPE_PENTIUM_3_XEON = 0x28¶

enumerator CPU_SUBTYPE_PENTIUM_M = 0x09¶

enumerator CPU_SUBTYPE_PENTIUM_4 = 0x0a¶

enumerator CPU_SUBTYPE_PENTIUM_4_M = 0x1a¶

enumerator CPU_SUBTYPE_ITANIUM = 0x0b¶

enumerator CPU_SUBTYPE_ITANIUM_2 = 0x1b¶

enumerator CPU_SUBTYPE_XEON = 0x0c¶

enumerator CPU_SUBTYPE_XEON_MP = 0x1c¶

enumerator CPU_SUBTYPE_X86_ALL = 3¶

enumerator CPU_SUBTYPE_X86_64_ALL = 3¶

enumerator CPU_SUBTYPE_X86_ARCH1 = 4¶

enumerator CPU_SUBTYPE_X86_64_H = 8¶

enum class LIEF::MachO::RELOCATION_ORIGINS : size_t¶

Values:

enumerator ORIGIN_UNKNOWN = 0¶

enumerator ORIGIN_DYLDINFO = 1¶

enumerator ORIGIN_RELOC_TABLE = 2¶

enumerator ORIGIN_CHAINED_FIXUPS = 3¶

enum class LIEF::MachO::REBASE_TYPES : size_t¶

Values:

enumerator REBASE_TYPE_POINTER = 1u¶

enumerator REBASE_TYPE_TEXT_ABSOLUTE32 = 2u¶

enumerator REBASE_TYPE_TEXT_PCREL32 = 3u¶

enumerator REBASE_TYPE_THREADED = 102u¶

enum class LIEF::MachO::BINDING_CLASS : size_t¶

Within the dyld_info_command there are differents area of binding. These enums tag these area.

Values:

enumerator BIND_CLASS_WEAK = 1u¶

enumerator BIND_CLASS_LAZY = 2u¶

enumerator BIND_CLASS_STANDARD = 3u¶

enumerator BIND_CLASS_THREADED = 100u¶

enum class LIEF::MachO::REBASE_OPCODES : uint8_t¶

Opcodes used by Dyld info to rebase a Mach-O image.

Values:

enumerator REBASE_OPCODE_DONE = 0x00u¶: It’s finished.

enumerator REBASE_OPCODE_SET_TYPE_IMM = 0x10u¶: Set type to immediate (lower 4-bits). Used for ordinal numbers from 0-15.

enumerator REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x20u¶: Set segment’s index to immediate (lower 4-bits) and segment’s offset to following ULEB128 encoding.

enumerator REBASE_OPCODE_ADD_ADDR_ULEB = 0x30u¶: Add segment’s offset with the following ULEB128 encoding.

enumerator REBASE_OPCODE_ADD_ADDR_IMM_SCALED = 0x40u¶: Add segment’s offset with immediate scaling.

enumerator REBASE_OPCODE_DO_REBASE_IMM_TIMES = 0x50u¶: Rebase in the range of [segment's offset; segment's offset + immediate * sizeof(ptr)]

enumerator REBASE_OPCODE_DO_REBASE_ULEB_TIMES = 0x60u¶: Same as REBASE_OPCODE_DO_REBASE_IMM_TIMES but immediate is replaced with ULEB128 value.

enumerator REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB = 0x70u¶: Rebase and increment segment’s offset with following ULEB128 encoding + pointer’s size.

enumerator REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB = 0x80u¶: Rebase and skip several bytes.

enum class LIEF::MachO::BIND_TYPES : size_t¶

Values:

enumerator BIND_TYPE_POINTER = 1u¶

enumerator BIND_TYPE_TEXT_ABSOLUTE32 = 2u¶

enumerator BIND_TYPE_TEXT_PCREL32 = 3u¶

enum class LIEF::MachO::BIND_SPECIAL_DYLIB : int¶

Values:

enumerator BIND_SPECIAL_DYLIB_SELF = 0¶

enumerator BIND_SPECIAL_DYLIB_MAIN_EXECUTABLE = -1¶

enumerator BIND_SPECIAL_DYLIB_FLAT_LOOKUP = -2¶

enum class LIEF::MachO::BIND_OPCODES : uint8_t¶

Opcodes used by Dyld info to bind symbols.

Values:

enumerator BIND_OPCODE_DONE = 0x00u¶: It’s finished.

enumerator BIND_OPCODE_SET_DYLIB_ORDINAL_IMM = 0x10u¶: Set ordinal to immediate (lower 4-bits). Used for ordinal numbers from 0-15.

enumerator BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB = 0x20u¶: Set ordinal to following ULEB128 encoding. Used for ordinal numbers from 16+.

enumerator BIND_OPCODE_SET_DYLIB_SPECIAL_IMM = 0x30u¶: Set ordinal, with 0 or negative number as immediate. the value is sign extended.

enumerator BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM = 0x40u¶: Set the following symbol (NULL-terminated char*).

enumerator BIND_OPCODE_SET_TYPE_IMM = 0x50u¶: Set the type to immediate (lower 4-bits). See BIND_TYPES.

enumerator BIND_OPCODE_SET_ADDEND_SLEB = 0x60u¶: Set the addend field to the following SLEB128 encoding.

enumerator BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x70u¶: Set Segment to immediate value, and address to the following SLEB128 encoding.

enumerator BIND_OPCODE_ADD_ADDR_ULEB = 0x80u¶: Set the address field to the following SLEB128 encoding.

enumerator BIND_OPCODE_DO_BIND = 0x90u¶: Perform binding of current table row.

enumerator BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB = 0xA0u¶: Perform binding, also add following ULEB128 as address.

enumerator BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED = 0xB0u¶: Perform binding, also add immediate (lower 4-bits) using scaling.

enumerator BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB = 0xC0u¶: Perform binding for several symbols (as following ULEB128), and skip several bytes.

enumerator BIND_OPCODE_THREADED = 0xD0u¶

enumerator BIND_OPCODE_THREADED_APPLY = 0xD0u | 0x01u¶

enumerator BIND_OPCODE_THREADED_SET_BIND_ORDINAL_TABLE_SIZE_ULEB = 0xD0u | 0x00u¶

enum class LIEF::MachO::EXPORT_SYMBOL_KINDS : size_t¶

Values:

enumerator EXPORT_SYMBOL_FLAGS_KIND_REGULAR = 0x00u¶

enumerator EXPORT_SYMBOL_FLAGS_KIND_THREAD_LOCAL = 0x01u¶

enumerator EXPORT_SYMBOL_FLAGS_KIND_ABSOLUTE = 0x02u¶

enum class LIEF::MachO::EXPORT_SYMBOL_FLAGS : size_t¶

Values:

enumerator EXPORT_SYMBOL_FLAGS_KIND_MASK = 0x03u¶: Mask to access to EXPORT_SYMBOL_KINDS.

enumerator EXPORT_SYMBOL_FLAGS_WEAK_DEFINITION = 0x04u¶

enumerator EXPORT_SYMBOL_FLAGS_REEXPORT = 0x08u¶

enumerator EXPORT_SYMBOL_FLAGS_STUB_AND_RESOLVER = 0x10u¶

enum class LIEF::MachO::VM_PROTECTIONS : size_t¶

Values for segment_command.initprot. From <mach/vm_prot.h>

Values:

enumerator VM_PROT_READ = 0x1¶: Reading data within the segment is allowed.

enumerator VM_PROT_WRITE = 0x2¶: Writing data within the segment is allowed.

enumerator VM_PROT_EXECUTE = 0x4¶: Executing data within the segment is allowed.

enum class LIEF::MachO::SYMBOL_ORIGINS : size_t¶

Values:

enumerator SYM_ORIGIN_UNKNOWN = 0¶

enumerator SYM_ORIGIN_DYLD_EXPORT = 1¶

enumerator SYM_ORIGIN_DYLD_BIND = 2¶

enumerator SYM_ORIGIN_LC_SYMTAB = 3¶: The symbol comes from the binding opcodes.

enum class LIEF::MachO::DYLD_CHAINED_FORMAT¶

Values:

enumerator IMPORT = 1¶

enumerator IMPORT_ADDEND = 2¶

enumerator IMPORT_ADDEND64 = 3¶

enum LIEF::MachO::DYLD_CHAINED_PTR_FORMAT¶

Values:

enumerator PTR_ARM64E = 1¶

enumerator PTR_64 = 2¶

enumerator PTR_32 = 3¶

enumerator PTR_32_CACHE = 4¶

enumerator PTR_32_FIRMWARE = 5¶

enumerator PTR_64_OFFSET = 6¶

enumerator PTR_ARM64E_OFFSET = 7¶

enumerator PTR_ARM64E_KERNEL = 7¶

enumerator PTR_64_KERNEL_CACHE = 8¶

enumerator PTR_ARM64E_USERLAND = 9¶

enumerator PTR_ARM64E_FIRMWARE = 10¶

enumerator PTR_X86_64_KERNEL_CACHE = 11¶

enumerator PTR_ARM64E_USERLAND24 = 12¶

MachO¶

Parser¶

FatBinary¶

Binary¶

Header¶

Builder¶

DylibCommand¶

DylinkerCommand¶

DynamicSymbolCommand¶

LoadCommand¶

MainCommand¶

Section¶

SegmentCommand¶

Symbol¶

SymbolCommand¶

UUIDCommand¶

Dyld Info¶

Function starts¶

Source Version¶

Version Min¶

Relocation¶

Relocation Object¶

Relocation Dyld¶

Relocation Fixup¶

Dyld Binding Info¶

Chained Binding Info¶

Export Info¶

Thread Command¶

RPath Command¶

Code Signature¶

Data In Code¶

Data Code Entry¶

Segment Split Info¶

Sub-Framework¶

Dyld Environment¶

Encryption Info¶

Build Version¶

Build Tool Version¶

Fileset Command¶

DyldChainedFixups Command¶

DyldExportsTrie Command¶

Code Signature Dir Command¶

Linker Optimization Hint Command¶

Two Level Hints Command¶

Utilities¶

Enums¶