Mach-O definitions.

These definitions are independent of read/write support, although we do implement some traits useful for those.

This module is based heavily on header files from MacOSX11.1.sdk.

Structs

The dyld cache header. Corresponds to struct dyld_cache_header from dyld_cache_format.h. This header has grown over time. Only the fields up to and including dyld_base_address are guaranteed to be present. For all other fields, check the header size before accessing the field. The header size is stored in mapping_offset; the mappings start right after the header.

Corresponds to struct dyld_cache_image_info from dyld_cache_format.h.

Corresponds to struct dyld_cache_mapping_info from dyld_cache_format.h.

Corresponds to a struct whose source code has not been published as of Nov 2021. Added in the dyld cache version which shipped with macOS 12 / iOS 15.

A variable length string in a load command.

Common fields at the start of every load command.

The 32-bit mach header.

The 64-bit mach header.

A relocation entry.

32-bit section.

64-bit section.

32-bit segment load command.

64-bit segment load command.

Constants

must be followed by PAGE21 or PAGEOFF12

a B/BL instruction with 26-bit displacement

pc-rel distance to page of GOT slot

offset within page of GOT slot, scaled by r_length

pc-rel distance to page of target

offset within page, scaled by r_length

for pointers to GOT slots

must be followed by an ARM64_RELOC_UNSIGNED

pc-rel distance to page of TLVP slot

offset within page of TLVP slot, scaled by r_length

24 bit branch displacement (to a word address)

like ARM_RELOC_SECTDIFF, but the symbol referenced was local.

the second relocation entry of a pair

prebound lazy pointer

a PAIR follows with subtract symbol value

generic relocation as described above

obsolete - a thumb 32-bit branch instruction possibly needing page-spanning branch workaround

22 bit branch displacement (to a half-word address)

64 bit ABI

ABI for 64-bit hardware with 32-bit types; LP32

mask for architecture bits

When selecting a slice, ANY will pick the slice with the best grading for the selected cpu_type_t, unlike the “ALL” subtypes, which are the slices that can run on any hardware for that cpu type.

Not meant to be run under xnu

ARMv7-A and ARMv7-R

Not meant to be run under xnu

Not meant to be run under xnu

Not meant to be run under xnu

64 bit libraries

mask for feature flags

pointer authentication with versioned ABI

Haswell feature subset

NXSwapLong(FAT_MAGIC)

NXSwapLong(FAT_MAGIC_64)

Only follows a GENERIC_RELOC_SECTDIFF

prebound lazy pointer

thread local variables

generic relocation as described above

build for platform min OS version

location of code signature

table of non-instructions in __text

used with LinkeditDataCommand

string for dyld to treat like environment variable

used with LinkeditDataCommand, payload is trie

compressed dyld information

compressed dyld information only

Code signing DRs copied from linked dylibs

dynamic link-edit symbol table info

encrypted segment information

64-bit encrypted segment information

used with FilesetEntryCommand

compressed table of function start addresses

fixed VM file inclusion (internal use)

object identification info (obsolete)

fixed VM shared library identification

dynamically linked shared lib ident

dynamic linker identification

delay load of dylib until first use

optimization hints in MH_OBJECT files

linker options in MH_OBJECT files

load a specified fixed VM shared library

load a dynamically linked shared library

load a dynamic linker

load upward dylib

load a dynamically linked shared library that is allowed to be missing (all symbols are weak imported).

replacement for LC_UNIXTHREAD

arbitrary data included within a Mach-O file

prebind checksum

modules prebound for a dynamically linked shared library

prepage command (internal use)

load and re-export dylib

image routines

64-bit image routines

runpath additions

segment of this file to be mapped

64-bit segment of this file to be mapped

location of info to split segments

source version used to build binary

sub client

sub framework

sub library

sub umbrella

link-edit gdb symbol table info (obsolete)

link-edit stab symbol table info

thread

two-level namespace lookup hints

unix thread (includes a stack)

the uuid

build for iPhoneOS min OS version

build for MacOSX min OS version

build for AppleTV min OS version

build for Watch min OS version

1 thru 255 inclusive

indicates that this binary binds to all two-level namespace modules of its dependent libraries. only used when MH_PREBINDABLE and MH_TWOLEVEL are both set.

When this bit is set, all stacks in the task will be given stack execution privilege. Only used in MH_EXECUTE filetypes.

The code was linked for use in an application extension.

the object file’s undefined references are bound by the dynamic linker when loaded.

the final linked image uses weak symbols

dynamically bound bundle file

the binary has been canonicalized via the unprebind operation

NXSwapInt(MH_MAGIC)

NXSwapInt(MH_MAGIC_64)

core file

Only for use on dylibs. When linking against a dylib that has this bit set, the static linker will automatically not create a LC_LOAD_DYLIB load command to the dylib if no symbols are being referenced from the dylib.

companion file with only debug sections

the object file is input for the dynamic linker and can’t be statically link edited again

dynamically bound shared library

Only for use on dylibs. When this bit is set, the dylib is part of the dyld shared cache, rather than loose in the filesystem.

shared library stub for static linking only, no section contents

dynamic link editor

demand paged executable file

set of mach-o’s

the executable is forcing all images to use flat name space bindings

fixed VM shared library file

Contains a section of type S_THREAD_LOCAL_VARIABLES

the object file is the output of an incremental link against a base file and can’t be link edited again

x86_64 kexts

the shared library init routine is to be run lazily via catching memory faults to its writeable segments (obsolete)

the mach magic number

the 64-bit mach magic number

The external symbols listed in the nlist symbol table do not include all the symbols listed in the dyld info.

do not have dyld notify the prebinding agent about this executable

this umbrella guarantees no multiple definitions of symbols in its sub-images so the two-level namespace hints can always be used.

the object file has no undefined references

When this bit is set, the OS will run the main executable with a non-executable heap even on platforms (e.g. i386) that don’t require it. Only used in MH_EXECUTE filetypes.

When this bit is set on a dylib, the static linker does not need to examine dependent dylibs to see if any are re-exported

relocatable object file

When this bit is set, the OS will load the main executable at a random address. Only used in MH_EXECUTE filetypes.

the binary is not prebound but can have its prebinding redone. only used when MH_PREBOUND is not set.

the file has its dynamic undefined references prebound.

preloaded executable file

When this bit is set, the binary declares it is safe for use in processes with uid zero

When this bit is set, the binary declares it is safe for use in processes when issetugid() is true

Allow LC_MIN_VERSION_MACOS and LC_BUILD_VERSION load commands with the platforms macOS, iOSMac, iOSSimulator, tvOSSimulator and watchOSSimulator.

the file has its read-only and read-write segments split

safe to divide up the sections into sub-sections via symbols for dead code stripping

the image is using two-level name space bindings

the final linked image contains external weak symbols

symbol is not in any section

absolute, n_sect == NO_SECT

symbol is a Thumb function (ARM)

AST file path: name,,NO_SECT,0,0

begin common: name,,NO_SECT,0,0

include file beginning: name,,NO_SECT,0,sum

begin nsect sym: 0,,n_sect,0,address

symbol is discarded

end common (local name): 0,,n_sect,0,address

end common: name,,n_sect,0,0

include file end: name,,NO_SECT,0,0

end nsect sym: 0,,n_sect,0,address

alternate entry: name,,n_sect,linenumber,address

deleted include file: name,,NO_SECT,0,sum

external symbol bit, set for external symbols

procedure name (f77 kludge): name,,NO_SECT,0,0

procedure: name,,n_sect,linenumber,address

global symbol: name,,NO_SECT,type,0

indirect

left bracket: 0,,NO_SECT,nesting level,address

.lcomm symbol: name,,n_sect,type,address

second stab entry with length information

local sym: name,,NO_SECT,type,offset

symbol is not to be dead stripped

compiler -O level: name,,NO_SECT,0,0

emitted with gcc2_compiled and in gcc source

object file name: name,,0,0,st_mtime

compiler parameters: name,,NO_SECT,0,0

prebound undefined (defined in a dylib)

global pascal symbol: name,,NO_SECT,subtype,line

private external symbol bit

parameter: name,,NO_SECT,type,offset

right bracket: 0,,NO_SECT,nesting level,address

reference to a weak symbol

register sym: name,,NO_SECT,type,register

defined in section number n_sect

src line: 0,,n_sect,linenumber,address

source file name: name,,n_sect,0,address

#included file name: name,,n_sect,0,address

structure elt: name,,NO_SECT,type,struct_offset

if any of these bits set, a symbolic debugging entry

static symbol: name,,n_sect,type,address

mask for the type bits

undefined, n_sect == NO_SECT

compiler version: name,,NO_SECT,0,0

coalesced symbol is a weak definition

symbol is weak referenced

14 bit branch displacement (to a word address)

24 bit branch displacement (to a word address)

Same as the RELOC_HI16 except the low 16 bits and the high 16 bits are added together with the low 16 bits sign extended first. This means if bit 15 of the low 16 bits is set the high 16 bits stored in the instruction will be adjusted.

a PAIR follows with the low half

section difference forms of above. a PAIR

Same as the LO16 except that the low 2 bits are not stored in the instruction and are always zero. This is used in double word load/store instructions.

a PAIR follows with the high half

follows these with subtract symbol value

like PPC_RELOC_SECTDIFF, but the symbol referenced was local.

the second relocation entry of a pair

prebound lazy pointer

a PAIR follows with subtract symbol value

generic relocation as described above

absolute relocation type for Mach-O files

Bit set in Relocation::r_word0 for scattered relocations.

24 section attributes

system settable attributes

User settable attributes

256 section types

the real uninitialized data section no padding

the section common symbols are allocated in by the link editor

the real initialized data section no padding, no bss overlap

the fvmlib initialization section

the section following the fvmlib initialization section

the icon headers

the icons in tiff format

module information

string table

string table

symbol table

the real text part of the text section no headers, and no padding

the traditional UNIX data segment

the icon segment

the segment for the self (dyld) modifying code stubs that has read, write and execute permissions

the segment containing all structs created and maintained by the link editor. Created with -seglinkedit option to ld(1) for MH_EXECUTE and FVMLIB file types only

the segment overlapping with linkedit containing linking information

objective-C runtime segment

the pagezero segment which has no protections and catches NULL references for MH_EXECUTE files

the traditional UNIX text segment

the unix stack segment

this segment is the VM that is allocated by a fixed VM library, for overlap checking in the link editor

the file contents for this segment is for the high part of the VM space, the low part is zero filled (for stacks in core files)

this segment has nothing that was relocated in it and nothing relocated to it, that is, it may be safely replaced without relocation

This segment is protected. If the segment starts at file offset 0, the first page of the segment is not protected. All other pages of the segment are protected.

This segment is made read-only after fixups

section with only 4 byte literals

section with only 8 byte literals

section with only 16 byte literals

a debug section

section has external relocation entries

blocks are live if they reference live blocks

section has local relocation entries

no dead stripping

section contains coalesced symbols that are not to be in a ranlib table of contents

section contains only true machine instructions

Used with i386 code stubs written on by dyld

section contains some machine instructions

ok to strip static symbols in this section in files with the MH_DYLDLINK flag

section contains symbols that are to be coalesced

section with only literal C strings

section contains DTrace Object Format

zero fill on demand section (that can be larger than 4 gigabytes)

32-bit offsets to initializers

section with only pairs of function pointers for interposing

section with only lazy symbol pointers to lazy loaded dylibs

section with only lazy symbol pointers

section with only pointers to literals

section with only function pointers for initialization

section with only function pointers for termination

section with only non-lazy symbol pointers

regular section

section with only symbol stubs, byte size of stub in the reserved2 field

functions to call to initialize TLV values

template of initial values for TLVs

TLV descriptors

pointers to TLV descriptors

template of initial values for TLVs

zero fill on demand section

execute permission

read permission

write permission

a CALL/JMP instruction with 32-bit displacement

other GOT references

a MOVQ load of a GOT entry

for signed 32-bit displacement

for signed 32-bit displacement with a -1 addend

for signed 32-bit displacement with a -2 addend

for signed 32-bit displacement with a -4 addend

must be followed by an X86_64_RELOC_UNSIGNED

for thread local variables

for absolute addresses

Functions