
MachO add segment not perfect.

Open jmpews opened this issue 6 years ago • 4 comments

  1. For available_command_space_, the default is 0. Should we use the cave between the header (including segment info etc.) and __text to avoid the shift?

  2. The binary shift does not fix the symbol table and relative function offsets.

jmpews avatar Mar 11 '19 03:03 jmpews

Hi, I'm not sure I understand the first point. Indeed, the default is 0 even if space is available, mainly because codesign could use this space to add the signature command.

  2. During the shift operation, we process the symbol table and function offsets:

https://github.com/lief-project/LIEF/blob/b1e9c1baede408ddb0e26482f1f3c3e2254080a0/src/MachO/Binary.cpp#L578-L618

Maybe I'm missing something. Could you provide an example where it's wrong?

romainthomas avatar Mar 12 '19 06:03 romainthomas
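As an added example (editor's code, not LIEF's or HookZz's), here is a small Python model of the two points discussed above. It measures the header cave that point 1 proposes reusing: the slack between the end of the load commands and the lowest section file offset, which is the space `ld -headerpad` reserves and which codesign later spends on an LC_CODE_SIGNATURE command. When a new LC_SEGMENT_64 does not fit there, it computes the page-sized shift and lists every file-offset field that shift invalidates (section offsets, segment fileoffs, LC_SYMTAB symoff/stroff, LC_FUNCTION_STARTS dataoff), which is the fix-up work point 2 asks about. The Mach-O bytes are constructed inline; the 16 KiB page size and the fix-up bookkeeping are this example's own assumptions, not a description of how LIEF implements the shift.

```python
"""Added example, not LIEF/HookZz code: measure the Mach-O header cave and
plan the fix-ups a page-sized shift would require when a new segment
command does not fit. The sample binary is constructed inline."""
import struct

MH_MAGIC_64        = 0xFEEDFACF
MH_EXECUTE         = 2
CPU_TYPE_ARM64     = 0x0100000C
LC_SEGMENT_64      = 0x19
LC_SYMTAB          = 0x02
LC_FUNCTION_STARTS = 0x26
PAGE_SIZE          = 0x4000          # assumed: 16 KiB pages on arm64

HDR = struct.Struct("<8I")           # mach_header_64        (32 bytes)
SEG = struct.Struct("<2I16s4Q2i2I")  # segment_command_64    (72 bytes)
SEC = struct.Struct("<16s16s2Q8I")   # section_64            (80 bytes)
SYM = struct.Struct("<6I")           # symtab_command        (24 bytes)
LED = struct.Struct("<4I")           # linkedit_data_command (16 bytes)


def _name(s):
    return s.encode().ljust(16, b"\0")


def build_sample(text_off=0x3F00):
    """Constructed thin arm64 MH_EXECUTE: __TEXT with one __text section,
    __LINKEDIT, LC_SYMTAB and LC_FUNCTION_STARTS. `text_off` is the file
    offset of __text, so it controls how big the header cave is."""
    cmds = b""
    cmds += SEG.pack(LC_SEGMENT_64, SEG.size + SEC.size, _name("__TEXT"),
                     0x100000000, PAGE_SIZE, 0, PAGE_SIZE, 5, 5, 1, 0)
    cmds += SEC.pack(_name("__text"), _name("__TEXT"), 0x100000000 + text_off,
                     0x100, text_off, 2, 0, 0, 0x80000400, 0, 0, 0)
    cmds += SEG.pack(LC_SEGMENT_64, SEG.size, _name("__LINKEDIT"),
                     0x100000000 + PAGE_SIZE, PAGE_SIZE, PAGE_SIZE, 0x200, 1, 1, 0, 0)
    cmds += SYM.pack(LC_SYMTAB, SYM.size, PAGE_SIZE, 2, PAGE_SIZE + 0x40, 0x20)
    cmds += LED.pack(LC_FUNCTION_STARTS, LED.size, PAGE_SIZE + 0x60, 8)
    assert text_off >= HDR.size + len(cmds), "section would overlap load commands"
    hdr = HDR.pack(MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 4, len(cmds), 0, 0)
    body = bytearray(PAGE_SIZE + 0x200)
    body[:len(hdr) + len(cmds)] = hdr + cmds
    return bytes(body)


def parse_load_commands(data):
    """Yield (file_offset, cmd, cmdsize) for each load command, bounds-checked
    against sizeofcmds so a corrupt header cannot walk past the table."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = HDR.unpack_from(data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off = HDR.size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > HDR.size + sizeofcmds:
            raise ValueError("load command overruns sizeofcmds")
        yield off, cmd, cmdsize
        off += cmdsize


def header_cave(data):
    """Return (end_of_load_commands, lowest_section_file_offset, spare_bytes).
    The spare bytes are the cave: room for new load commands without a shift."""
    lc_end = HDR.size + HDR.unpack_from(data, 0)[5]
    first = None
    for off, cmd, _ in parse_load_commands(data):
        if cmd != LC_SEGMENT_64:
            continue
        nsects = SEG.unpack_from(data, off)[9]
        for i in range(nsects):
            s_off = SEC.unpack_from(data, off + SEG.size + i * SEC.size)[4]
            if s_off and (first is None or s_off < first):   # skip zero-fill
                first = s_off
    if first is None:
        first = len(data)
    return lc_end, first, first - lc_end


def plan_segment_insert(data, nsects=0):
    """Decide whether one more LC_SEGMENT_64 (with `nsects` sections) fits in
    the cave. If not, compute the page-aligned shift and every file-offset
    field that the shift would invalidate."""
    lc_end, _, cave = header_cave(data)
    need = SEG.size + nsects * SEC.size
    if need <= cave:
        return {"fits": True, "need": need, "cave": cave, "shift": 0, "fixups": []}
    shift = -(-(need - cave) // PAGE_SIZE) * PAGE_SIZE   # round up to a page
    fixups = []
    for off, cmd, _ in parse_load_commands(data):
        if cmd == LC_SEGMENT_64:
            seg = SEG.unpack_from(data, off)
            segname = seg[2].rstrip(b"\0").decode()
            if seg[5] >= lc_end:   # __TEXT at fileoff 0 only grows; later segments move
                fixups.append((segname, "fileoff", seg[5], seg[5] + shift))
            for i in range(seg[9]):
                sec = SEC.unpack_from(data, off + SEG.size + i * SEC.size)
                if sec[4] >= lc_end:
                    fixups.append((sec[0].rstrip(b"\0").decode(), "offset",
                                   sec[4], sec[4] + shift))
        elif cmd == LC_SYMTAB:
            _, _, symoff, _, stroff, _ = SYM.unpack_from(data, off)
            fixups.append(("LC_SYMTAB", "symoff", symoff, symoff + shift))
            fixups.append(("LC_SYMTAB", "stroff", stroff, stroff + shift))
        elif cmd == LC_FUNCTION_STARTS:
            _, _, dataoff, _ = LED.unpack_from(data, off)
            fixups.append(("LC_FUNCTION_STARTS", "dataoff", dataoff, dataoff + shift))
    return {"fits": False, "need": need, "cave": cave, "shift": shift, "fixups": fixups}


if __name__ == "__main__":
    for label, sample in (("roomy", build_sample()), ("tight", build_sample(0x130))):
        print(label, header_cave(sample), plan_segment_insert(sample))
```

The file-offset fix-ups are only half of the job: once __TEXT grows, the virtual addresses of every later segment move too, so nlist n_value entries and the delta-encoded LC_FUNCTION_STARTS stream also need rebasing, which is what the Binary.cpp range linked in the reply is responsible for. On a real binary, run `header_cave` first: if the linker left enough headerpad, no shift is needed at all.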

Hi, sorry for replying so late.

I'm working on the MachOStaticPather (static hook) with HookZz, and the code snippet is below.

#include <memory>
#include <string>
#include <vector>
#include <LIEF/MachO.hpp>

using namespace LIEF;

// Append two zero-filled 16 KiB segments for HookZz: __zTEXT (r-x) for
// trampoline code and __zDATA (rw-) for its bookkeeping data. The
// SegmentCommand constructor takes the content, so file_size/content
// do not need to be set separately.
void InsertHookZzSegment(MachO::Binary *binary) {
  std::vector<uint8_t> dummy_content(0x4000, 0);

  MachO::SegmentCommand zTEXT("__zTEXT", dummy_content);
  zTEXT.max_protection(5);  // VM_PROT_READ | VM_PROT_EXECUTE

  MachO::SegmentCommand zDATA("__zDATA", dummy_content);
  zDATA.max_protection(3);  // VM_PROT_READ | VM_PROT_WRITE

  binary->add(zTEXT);
  binary->add(zDATA);
}

int main(int argc, char **argv) {
  if (argc < 2) {
    return 1;
  }
  // Parsing step assumed: the original snippet starts from an already
  // parsed arm64 binary. test001 is built thin arm64, hence index 0.
  std::unique_ptr<MachO::FatBinary> fat = MachO::Parser::parse(argv[1]);
  MachO::Binary *binaryARM64 = fat->at(0);

  // insert __zDATA, __zTEXT segments
  InsertHookZzSegment(binaryARM64);
  std::string output = std::string(argv[1]) + "_hooked";
  binaryARM64->write(output);
  return 0;
}

Do you need the demo MachO file? https://pastebin.com/6b7UUShw

And the compile command is

`xcrun --sdk iphoneos --find clang` -isysroot `xcrun --sdk iphoneos --show-sdk-path` -arch arm64 test001.c -o test001

And one more question: the original file size is 48K, and the size is 148K after inserting the segments. As far as I know, segments are 16K aligned on the ARM64 triple.

And long, long ago, the demo code which I used to add a segment: https://pastebin.com/btzsmUdJ, ummm, though it's primitive.

jmpews avatar Mar 14 '19 15:03 jmpews

Thanks for the details. Could you tell me which version of LIEF you use? The issue is that the binary you modified doesn't run, right?

romainthomas avatar Mar 14 '19 16:03 romainthomas

The latest version.

No, I have not run it yet, I just used IDA to analyze it, and the symbol addresses are not right. Maybe you can try it.

jmpews avatar Mar 14 '19 18:03 jmpews

The upstream version of LIEF should have addressed this issue (re-open if that's not the case).

romainthomas avatar Feb 04 '23 17:02 romainthomas