goblin_experimental/mach/

header.rs

//! A header contains minimal architecture information, the binary kind, the number of load commands, as well as an endianness hint

use core::fmt;
use plain::Plain;
use scroll::ctx;
use scroll::ctx::SizeWith;
use scroll::{Pread, Pwrite, SizeWith};

use crate::container::{self, Container};
use crate::error;
use crate::mach::constants::cputype::{CpuSubType, CpuType, CPU_SUBTYPE_MASK};

// Constants for the flags field of the mach_header
/// the object file has no undefined references
pub const MH_NOUNDEFS: u32 = 0x1;
/// the object file is the output of an incremental link against a base file and can't be
/// link edited again
pub const MH_INCRLINK: u32 = 0x2;
/// the object file is input for the dynamic linker and can't be staticly link edited again
pub const MH_DYLDLINK: u32 = 0x4;
/// the object file's undefined references are bound by the dynamic linker when loaded.
pub const MH_BINDATLOAD: u32 = 0x8;
/// the file has its dynamic undefined references prebound.
pub const MH_PREBOUND: u32 = 0x10;
/// the file has its read-only and read-write segments split
pub const MH_SPLIT_SEGS: u32 = 0x20;
/// the shared library init routine is to be run lazily via catching memory faults to its writeable
/// segments (obsolete)
pub const MH_LAZY_INIT: u32 = 0x40;
/// the image is using two-level name space bindings
pub const MH_TWOLEVEL: u32 = 0x80;
/// the executable is forcing all images to use flat name space bindings
pub const MH_FORCE_FLAT: u32 = 0x100;
/// this umbrella guarantees no multiple defintions of symbols in its sub-images so the
/// two-level namespace hints can always be used.
pub const MH_NOMULTIDEFS: u32 = 0x200;
/// do not have dyld notify the prebinding agent about this executable
pub const MH_NOFIXPREBINDING: u32 = 0x400;
/// the binary is not prebound but can have its prebinding redone. only used when MH_PREBOUND is not set.
pub const MH_PREBINDABLE: u32 = 0x800;
/// indicates that this binary binds to all two-level namespace modules of its dependent libraries.
/// Only used when MH_PREBINDABLE and MH_TWOLEVEL are both set.
pub const MH_ALLMODSBOUND: u32 = 0x1000;
/// safe to divide up the sections into sub-sections via symbols for dead code stripping
pub const MH_SUBSECTIONS_VIA_SYMBOLS: u32 = 0x2000;
/// the binary has been canonicalized via the unprebind operation
pub const MH_CANONICAL: u32 = 0x4000;
/// the final linked image contains external weak symbols
pub const MH_WEAK_DEFINES: u32 = 0x8000;
/// the final linked image uses weak symbols
pub const MH_BINDS_TO_WEAK: u32 = 0x10000;
/// When this bit is set, all stacks in the task will be given stack execution privilege.
/// Only used in MH_EXECUTE filetypes.
pub const MH_ALLOW_STACK_EXECUTION: u32 = 0x20000;
/// When this bit is set, the binary declares it is safe for use in processes with uid zero
pub const MH_ROOT_SAFE: u32 = 0x40000;
/// When this bit is set, the binary declares it is safe for use in processes when issetugid() is true
pub const MH_SETUID_SAFE: u32 = 0x80000;
/// When this bit is set on a dylib,  the static linker does not need to examine dependent dylibs to
/// see if any are re-exported
pub const MH_NO_REEXPORTED_DYLIBS: u32 = 0x0010_0000;
/// When this bit is set, the OS will load the main executable at a random address.
/// Only used in MH_EXECUTE filetypes.
pub const MH_PIE: u32 = 0x0020_0000;
/// Only for use on dylibs.  When linking against a dylib that has this bit set, the static linker
/// will automatically not create a LC_LOAD_DYLIB load command to the dylib if no symbols are being
/// referenced from the dylib.
pub const MH_DEAD_STRIPPABLE_DYLIB: u32 = 0x0040_0000;
/// Contains a section of type S_THREAD_LOCAL_VARIABLES
pub const MH_HAS_TLV_DESCRIPTORS: u32 = 0x0080_0000;
/// When this bit is set, the OS will run the main executable with a non-executable heap even on
/// platforms (e.g. i386) that don't require it. Only used in MH_EXECUTE filetypes.
pub const MH_NO_HEAP_EXECUTION: u32 = 0x0100_0000;

// TODO: verify this number is correct, it was previously 0x02000000 which could indicate a typo/data entry error
/// The code was linked for use in an application extension.
pub const MH_APP_EXTENSION_SAFE: u32 = 0x0200_0000;

#[inline(always)]
pub fn flag_to_str(flag: u32) -> &'static str {
    match flag {
        MH_NOUNDEFS => "MH_NOUNDEFS",
        MH_INCRLINK => "MH_INCRLINK",
        MH_DYLDLINK => "MH_DYLDLINK",
        MH_BINDATLOAD => "MH_BINDATLOAD",
        MH_PREBOUND => "MH_PREBOUND",
        MH_SPLIT_SEGS => "MH_SPLIT_SEGS",
        MH_LAZY_INIT => "MH_LAZY_INIT",
        MH_TWOLEVEL => "MH_TWOLEVEL",
        MH_FORCE_FLAT => "MH_FORCE_FLAT",
        MH_NOMULTIDEFS => "MH_NOMULTIDEFS",
        MH_NOFIXPREBINDING => "MH_NOFIXPREBINDING",
        MH_PREBINDABLE => "MH_PREBINDABLE ",
        MH_ALLMODSBOUND => "MH_ALLMODSBOUND",
        MH_SUBSECTIONS_VIA_SYMBOLS => "MH_SUBSECTIONS_VIA_SYMBOLS",
        MH_CANONICAL => "MH_CANONICAL",
        MH_WEAK_DEFINES => "MH_WEAK_DEFINES",
        MH_BINDS_TO_WEAK => "MH_BINDS_TO_WEAK",
        MH_ALLOW_STACK_EXECUTION => "MH_ALLOW_STACK_EXECUTION",
        MH_ROOT_SAFE => "MH_ROOT_SAFE",
        MH_SETUID_SAFE => "MH_SETUID_SAFE",
        MH_NO_REEXPORTED_DYLIBS => "MH_NO_REEXPORTED_DYLIBS",
        MH_PIE => "MH_PIE",
        MH_DEAD_STRIPPABLE_DYLIB => "MH_DEAD_STRIPPABLE_DYLIB",
        MH_HAS_TLV_DESCRIPTORS => "MH_HAS_TLV_DESCRIPTORS",
        MH_NO_HEAP_EXECUTION => "MH_NO_HEAP_EXECUTION",
        MH_APP_EXTENSION_SAFE => "MH_APP_EXTENSION_SAFE",
        _ => "UNKNOWN FLAG",
    }
}

/// Mach Header magic constant
pub const MH_MAGIC: u32 = 0xfeed_face;
pub const MH_CIGAM: u32 = 0xcefa_edfe;
/// Mach Header magic constant for 64-bit
pub const MH_MAGIC_64: u32 = 0xfeed_facf;
pub const MH_CIGAM_64: u32 = 0xcffa_edfe;

// Constants for the filetype field of the mach_header
/// relocatable object file
pub const MH_OBJECT: u32 = 0x1;
/// demand paged executable file
pub const MH_EXECUTE: u32 = 0x2;
/// fixed VM shared library file
pub const MH_FVMLIB: u32 = 0x3;
/// core file
pub const MH_CORE: u32 = 0x4;
/// preloaded executable file
pub const MH_PRELOAD: u32 = 0x5;
/// dynamically bound shared library
pub const MH_DYLIB: u32 = 0x6;
/// dynamic link editor
pub const MH_DYLINKER: u32 = 0x7;
/// dynamically bound bundle file
pub const MH_BUNDLE: u32 = 0x8;
/// shared library stub for static linking only, no section contents
pub const MH_DYLIB_STUB: u32 = 0x9;
/// companion file with only debug sections
pub const MH_DSYM: u32 = 0xa;
/// x86_64 kexts
pub const MH_KEXT_BUNDLE: u32 = 0xb;
/// set of mach-o's
pub const MH_FILESET: u32 = 0xc;

pub fn filetype_to_str(filetype: u32) -> &'static str {
    match filetype {
        MH_OBJECT => "OBJECT",
        MH_EXECUTE => "EXECUTE",
        MH_FVMLIB => "FVMLIB",
        MH_CORE => "CORE",
        MH_PRELOAD => "PRELOAD",
        MH_DYLIB => "DYLIB",
        MH_DYLINKER => "DYLINKER",
        MH_BUNDLE => "BUNDLE",
        MH_DYLIB_STUB => "DYLIB_STUB",
        MH_DSYM => "DSYM",
        MH_KEXT_BUNDLE => "KEXT_BUNDLE",
        MH_FILESET => "FILESET",
        _ => "UNKNOWN FILETYPE",
    }
}

#[repr(C)]
#[derive(Clone, Copy, Default, Debug, Pread, Pwrite, SizeWith)]
/// A 32-bit Mach-o header
pub struct Header32 {
    /// mach magic number identifier
    pub magic: u32,
    /// cpu specifier
    pub cputype: u32,
    /// machine specifier
    pub cpusubtype: u32,
    /// type of file
    pub filetype: u32,
    /// number of load commands
    pub ncmds: u32,
    /// the size of all the load commands
    pub sizeofcmds: u32,
    /// flags
    pub flags: u32,
}

pub const SIZEOF_HEADER_32: usize = 0x1c;

unsafe impl Plain for Header32 {}

impl Header32 {
    /// Transmutes the given byte array into the corresponding 32-bit Mach-o header
    pub fn from_bytes(bytes: &[u8; SIZEOF_HEADER_32]) -> &Self {
        plain::from_bytes(bytes).unwrap()
    }
    pub fn size(&self) -> usize {
        SIZEOF_HEADER_32
    }
}

#[repr(C)]
#[derive(Clone, Copy, Default, Debug, Pread, Pwrite, SizeWith)]
/// A 64-bit Mach-o header
pub struct Header64 {
    /// mach magic number identifier
    pub magic: u32,
    /// cpu specifier
    pub cputype: u32,
    /// machine specifier
    pub cpusubtype: u32,
    /// type of file
    pub filetype: u32,
    /// number of load commands
    pub ncmds: u32,
    /// the size of all the load commands
    pub sizeofcmds: u32,
    /// flags
    pub flags: u32,
    pub reserved: u32,
}

unsafe impl Plain for Header64 {}

pub const SIZEOF_HEADER_64: usize = 32;

impl Header64 {
    /// Transmutes the given byte array into the corresponding 64-bit Mach-o header
    pub fn from_bytes(bytes: &[u8; SIZEOF_HEADER_64]) -> &Self {
        plain::from_bytes(bytes).unwrap()
    }
    pub fn size(&self) -> usize {
        SIZEOF_HEADER_64
    }
}

#[repr(C)]
#[derive(Clone, Copy, Default)]
/// Generic sized header
pub struct Header {
    pub magic: u32,
    pub cputype: u32,
    pub cpusubtype: u32,
    /// type of file
    pub filetype: u32,
    /// number of load commands
    pub ncmds: usize,
    /// the size of all the load commands
    pub sizeofcmds: u32,
    /// flags
    pub flags: u32,
    pub reserved: u32,
}

impl fmt::Debug for Header {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        f.debug_struct("Header")
            .field("magic", &format_args!("0x{:x}", self.magic))
            .field("cputype", &self.cputype())
            .field("cpusubtype", &format_args!("0x{:x}", self.cpusubtype()))
            .field("filetype", &filetype_to_str(self.filetype))
            .field("ncmds", &self.ncmds)
            .field("sizeofcmds", &self.sizeofcmds)
            .field("flags", &format_args!("0x{:x}", self.flags))
            .field("reserved", &format_args!("0x{:x}", self.reserved))
            .finish()
    }
}

impl From<Header32> for Header {
    fn from(header: Header32) -> Self {
        Header {
            magic: header.magic,
            cputype: header.cputype,
            cpusubtype: header.cpusubtype,
            filetype: header.filetype,
            ncmds: header.ncmds as usize,
            sizeofcmds: header.sizeofcmds,
            flags: header.flags,
            reserved: 0,
        }
    }
}

impl From<Header> for Header32 {
    fn from(header: Header) -> Self {
        Header32 {
            magic: header.magic,
            cputype: header.cputype,
            cpusubtype: header.cpusubtype,
            filetype: header.filetype,
            ncmds: header.ncmds as u32,
            sizeofcmds: header.sizeofcmds,
            flags: header.flags,
        }
    }
}

impl From<Header64> for Header {
    fn from(header: Header64) -> Self {
        Header {
            magic: header.magic,
            cputype: header.cputype,
            cpusubtype: header.cpusubtype,
            filetype: header.filetype,
            ncmds: header.ncmds as usize,
            sizeofcmds: header.sizeofcmds,
            flags: header.flags,
            reserved: header.reserved,
        }
    }
}

impl From<Header> for Header64 {
    fn from(header: Header) -> Self {
        Header64 {
            magic: header.magic,
            cputype: header.cputype,
            cpusubtype: header.cpusubtype,
            filetype: header.filetype,
            ncmds: header.ncmds as u32,
            sizeofcmds: header.sizeofcmds,
            flags: header.flags,
            reserved: header.reserved,
        }
    }
}

impl Header {
    pub fn new(ctx: container::Ctx) -> Self {
        let mut header = Header::default();
        header.magic = if ctx.is_big() { MH_MAGIC_64 } else { MH_MAGIC };
        header
    }
    /// Returns the cpu type
    pub fn cputype(&self) -> CpuType {
        self.cputype
    }
    /// Returns the cpu subtype with the capabilities removed
    pub fn cpusubtype(&self) -> CpuSubType {
        self.cpusubtype & !CPU_SUBTYPE_MASK
    }
    /// Returns the capabilities of the CPU
    pub fn cpu_caps(&self) -> u32 {
        (self.cpusubtype & CPU_SUBTYPE_MASK) >> 24
    }
}

impl ctx::SizeWith<container::Ctx> for Header {
    fn size_with(container: &container::Ctx) -> usize {
        match container.container {
            Container::Little => SIZEOF_HEADER_32,
            Container::Big => SIZEOF_HEADER_64,
        }
    }
}

impl ctx::SizeWith<Container> for Header {
    fn size_with(container: &Container) -> usize {
        match container {
            Container::Little => SIZEOF_HEADER_32,
            Container::Big => SIZEOF_HEADER_64,
        }
    }
}

impl<'a> ctx::TryFromCtx<'a, container::Ctx> for Header {
    type Error = crate::error::Error;
    fn try_from_ctx(
        bytes: &'a [u8],
        container::Ctx { le, container }: container::Ctx,
    ) -> error::Result<(Self, usize)> {
        let size = bytes.len();
        if size < SIZEOF_HEADER_32 || size < SIZEOF_HEADER_64 {
            let error =
                error::Error::Malformed("bytes size is smaller than a Mach-o header".into());
            Err(error)
        } else {
            match container {
                Container::Little => {
                    let header = bytes.pread_with::<Header32>(0, le)?;
                    Ok((Header::from(header), SIZEOF_HEADER_32))
                }
                Container::Big => {
                    let header = bytes.pread_with::<Header64>(0, le)?;
                    Ok((Header::from(header), SIZEOF_HEADER_64))
                }
            }
        }
    }
}

impl ctx::TryIntoCtx<container::Ctx> for Header {
    type Error = crate::error::Error;
    fn try_into_ctx(self, bytes: &mut [u8], ctx: container::Ctx) -> error::Result<usize> {
        match ctx.container {
            Container::Little => {
                bytes.pwrite_with(Header32::from(self), 0, ctx.le)?;
            }
            Container::Big => {
                bytes.pwrite_with(Header64::from(self), 0, ctx.le)?;
            }
        };
        Ok(Header::size_with(&ctx))
    }
}

impl ctx::IntoCtx<container::Ctx> for Header {
    fn into_ctx(self, bytes: &mut [u8], ctx: container::Ctx) {
        bytes.pwrite_with(self, 0, ctx).unwrap();
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::mem::size_of;

    #[test]
    fn test_parse_armv7_header() {
        use crate::mach::constants::cputype::CPU_TYPE_ARM;
        const CPU_SUBTYPE_ARM_V7: u32 = 9;
        use super::Header;
        use crate::container::{Container, Ctx, Endian};
        use scroll::Pread;
        let bytes = b"\xce\xfa\xed\xfe\x0c\x00\x00\x00\t\x00\x00\x00\n\x00\x00\x00\x06\x00\x00\x00\x8c\r\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x18\x00\x00\x00\xe0\xf7B\xbb\x1c\xf50w\xa6\xf7u\xa3\xba(";
        let header: Header = bytes
            .pread_with(0, Ctx::new(Container::Little, Endian::Little))
            .unwrap();
        assert_eq!(header.cputype, CPU_TYPE_ARM);
        assert_eq!(header.cpusubtype, CPU_SUBTYPE_ARM_V7);
    }

    #[test]
    fn sizeof_header32() {
        assert_eq!(SIZEOF_HEADER_32, size_of::<Header32>());
    }

    #[test]
    fn sizeof_header64() {
        assert_eq!(SIZEOF_HEADER_64, size_of::<Header64>());
    }
}