Skip to main content

FatMacho

malwaredb_types::exec::macho::fat

Struct FatMacho 

Source 
pub struct FatMacho<'a> {
    pub binaries: Vec<Macho<'a>>,
    pub has_overlay: Option<bool>,
    pub contents: &'a [u8],
}
Available on crate feature macho only.
Expand description

Fat Mach-O files contain executable code for more than one architecture, allowing the same binary to be run on different hardware, such as the same file working on Power PC, Intel, and Apple Silicon machines.

This format is an array of Mach-O files. However, the magic number is also used for Java class files, so we need to make sure the amount of stored binaries makes sense. Too high, and it’s probably the Java class version and not the number of contained Mach Objects.

Fields§

§binaries: Vec<Macho<'a>>

The embedded Mach-O files within

§has_overlay: Option<bool>

If the binary has extra data after the last section, could be used to hide something

§contents: &'a [u8]

The array containing the raw bytes used to parse this program

Implementations§

Source§

impl<'a> FatMacho<'a>

Source

pub fn from(contents: &'a [u8]) -> Result<Self>

Fat Mach-O parsed from a sequence of bytes

§Errors

Returns an error if parsing fails.

Trait Implementations§

Source§

impl<'a> Clone for FatMacho<'a>

Source§

fn clone(&self) -> FatMacho<'a>

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<'a> Debug for FatMacho<'a>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for FatMacho<'_>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl ExecutableFile for FatMacho<'_>

Source§

fn architecture(&self) -> Option<Architecture>

Get the architecture type
Source§

fn pointer_size(&self) -> usize

Get the pointer size, 32- or 64-bit
Source§

fn operating_system(&self) -> OperatingSystem

Get the operating system type for a binary
Source§

fn compiled_timestamp(&self) -> Option<DateTime<Utc>>

Get the compilation timestamp, if available
Source§

fn num_sections(&self) -> u32

Number of sections for a binary
Source§

fn sections(&self) -> Option<&Vec<Section<'_>>>

Vec of sections for the binary
Source§

fn import_hash(&self) -> Option<Uuid>

Import hash of the binary
Source§

fn fuzzy_imports(&self) -> Option<String>

SSDeep fuzzy hash of the binary
Source§

impl SpecimenFile for FatMacho<'_>

Source§

const MAGIC: &'static [&'static [u8]]

Magic number, the bytes at the beginning of the file, which identify the file format Some file types have more than one possible magic number
Source§

fn type_name(&self) -> &'static str

Common name for a specific file type

Auto Trait Implementations§

§

impl<'a> Freeze for FatMacho<'a>

§

impl<'a> RefUnwindSafe for FatMacho<'a>

§

impl<'a> Send for FatMacho<'a>

§

impl<'a> Sync for FatMacho<'a>

§

impl<'a> Unpin for FatMacho<'a>

§

impl<'a> UnwindSafe for FatMacho<'a>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more