Expand description
Mach-O definitions.
These definitions are independent of read/write support, although we do implement some traits useful for those.
This module is based heavily on header files from MacOSX11.1.sdk.
Structs
The dyld cache header.
Corresponds to struct dyld_cache_header from dyld_cache_format.h.
This header has grown over time. Only the fields up to and including dyld_base_address
are guaranteed to be present. For all other fields, check the header size before
accessing the field. The header size is stored in mapping_offset; the mappings start
right after the theader.
Corresponds to struct dyld_cache_image_info from dyld_cache_format.h.
Corresponds to struct dyld_cache_mapping_info from dyld_cache_format.h.
Corresponds to a struct whose source code has not been published as of Nov 2021.
Added in the dyld cache version which shipped with macOS 12 / iOS 15.
A variable length string in a load command.
Common fields at the start of every load command.
The 32-bit mach header.
The 64-bit mach header.
A relocation entry.
32-bit section.
64-bit section.
32-bit segment load command.
64-bit segment load command.
Constants
must be followed by PAGE21 or PAGEOFF12
a B/BL instruction with 26-bit displacement
pc-rel distance to page of GOT slot
offset within page of GOT slot, scaled by r_length
pc-rel distance to page of target
offset within page, scaled by r_length
for pointers to GOT slots
must be followed by a ARM64_RELOC_UNSIGNED
pc-rel distance to page of TLVP slot
offset within page of TLVP slot, scaled by r_length
for pointers
24 bit branch displacement (to a word address)
like ARM_RELOC_SECTDIFF, but the symbol referenced was local.
the second relocation entry of a pair
prebound lazy pointer
a PAIR follows with subtract symbol value
generic relocation as discribed above
obsolete - a thumb 32-bit branch instruction possibly needing page-spanning branch workaround
22 bit branch displacement (to a half-word address)
64 bit ABI
ABI for 64-bit hardware with 32-bit types; LP32
mask for architecture bits
When selecting a slice, ANY will pick the slice with the best
grading for the selected cpu_type_t, unlike the “ALL” subtypes,
which are the slices that can run on any hardware for that cpu type.
Not meant to be run under xnu
ARMv7-A and ARMv7-R
Not meant to be run under xnu
Cortex A9
Not meant to be run under xnu
Swift
Not meant to be run under xnu
64 bit libraries
mask for feature flags
pointer authentication with versioned ABI
Haswell feature subset
NXSwapLong(FAT_MAGIC)
NXSwapLong(FAT_MAGIC_64)
Only follows a GENERIC_RELOC_SECTDIFF
prebound lazy pointer
thread local variables
generic relocation as discribed above
build for platform min OS version
local of code signature
table of non-instructions in __text
used with
LinkeditDataCommandstring for dyld to treat like environment variable
used with
LinkeditDataCommand, payload is triecompressed dyld information
compressed dyld information only
Code signing DRs copied from linked dylibs
dynamic link-edit symbol table info
encrypted segment information
64-bit encrypted segment information
used with
FilesetEntryCommandcompressed table of function start addresses
fixed VM file inclusion (internal use)
object identification info (obsolete)
fixed VM shared library identification
dynamically linked shared lib ident
dynamic linker identification
delay load of dylib until first use
optimization hints in MH_OBJECT files
linker options in MH_OBJECT files
load a specified fixed VM shared library
load a dynamically linked shared library
load a dynamic linker
load upward dylib
load a dynamically linked shared library that is allowed to be missing
(all symbols are weak imported).
replacement for LC_UNIXTHREAD
arbitrary data included within a Mach-O file
prebind checksum
modules prebound for a dynamically linked shared library
prepage command (internal use)
load and re-export dylib
image routines
64-bit image routines
runpath additions
segment of this file to be mapped
64-bit segment of this file to be mapped
local of info to split segments
source version used to build binary
sub client
sub framework
sub library
sub umbrella
link-edit gdb symbol table info (obsolete)
link-edit stab symbol table info
thread
two-level namespace lookup hints
unix thread (includes a stack)
the uuid
build for iPhoneOS min OS version
build for MacOSX min OS version
build for AppleTV min OS version
build for Watch min OS version
1 thru 255 inclusive
indicates that this binary binds to all two-level namespace modules of its dependent libraries. only used when MH_PREBINDABLE and MH_TWOLEVEL are both set.
When this bit is set, all stacks in the task will be given stack execution privilege. Only used in MH_EXECUTE filetypes.
The code was linked for use in an application extension.
the object file’s undefined references are bound by the dynamic linker when loaded.
the final linked image uses weak symbols
dynamically bound bundle file
the binary has been canonicalized via the unprebind operation
NXSwapInt(MH_MAGIC)
NXSwapInt(MH_MAGIC_64)
core file
Only for use on dylibs. When linking against a dylib that has this bit set, the static linker will automatically not create a LC_LOAD_DYLIB load command to the dylib if no symbols are being referenced from the dylib.
companion file with only debug sections
the object file is input for the dynamic linker and can’t be staticly link edited again
dynamically bound shared library
Only for use on dylibs. When this bit is set, the dylib is part of the dyld
shared cache, rather than loose in the filesystem.
shared library stub for static linking only, no section contents
dynamic link editor
demand paged executable file
set of mach-o’s
the executable is forcing all images to use flat name space bindings
fixed VM shared library file
Contains a section of type S_THREAD_LOCAL_VARIABLES
the object file is the output of an incremental link against a base file and can’t be link edited again
x86_64 kexts
the shared library init routine is to be run lazily via catching memory faults to its writeable segments (obsolete)
the mach magic number
the 64-bit mach magic number
The external symbols listed in the nlist symbol table do not include all the symbols listed in the dyld info.
do not have dyld notify the prebinding agent about this executable
this umbrella guarantees no multiple defintions of symbols in its sub-images so the two-level namespace hints can always be used.
the object file has no undefined references
When this bit is set, the OS will run the main executable with a non-executable heap even on platforms (e.g. i386) that don’t require it. Only used in MH_EXECUTE filetypes.
When this bit is set on a dylib, the static linker does not need to examine dependent dylibs to see if any are re-exported
relocatable object file
When this bit is set, the OS will load the main executable at a random address. Only used in MH_EXECUTE filetypes.
the binary is not prebound but can have its prebinding redone. only used when MH_PREBOUND is not set.
the file has its dynamic undefined references prebound.
preloaded executable file
When this bit is set, the binary declares it is safe for use in processes with uid zero
When this bit is set, the binary declares it is safe for use in processes when issetugid() is true
Allow LC_MIN_VERSION_MACOS and LC_BUILD_VERSION load commands with
the platforms macOS, iOSMac, iOSSimulator, tvOSSimulator and watchOSSimulator.
the file has its read-only and read-write segments split
safe to divide up the sections into sub-sections via symbols for dead code stripping
the image is using two-level name space bindings
the final linked image contains external weak symbols
symbol is not in any section
absolute, n_sect == NO_SECT
symbol is a Thumb function (ARM)
AST file path: name,,NO_SECT,0,0
begin common: name,,NO_SECT,0,0
include file beginning: name,,NO_SECT,0,sum
begin nsect sym: 0,,n_sect,0,address
symbol is discarded
end common (local name): 0,,n_sect,0,address
end common: name,,n_sect,0,0
include file end: name,,NO_SECT,0,0
end nsect sym: 0,,n_sect,0,address
alternate entry: name,,n_sect,linenumber,address
deleted include file: name,,NO_SECT,0,sum
external symbol bit, set for external symbols
procedure name (f77 kludge): name,,NO_SECT,0,0
procedure: name,,n_sect,linenumber,address
global symbol: name,,NO_SECT,type,0
indirect
left bracket: 0,,NO_SECT,nesting level,address
.lcomm symbol: name,,n_sect,type,address
second stab entry with length information
local sym: name,,NO_SECT,type,offset
symbol is not to be dead stripped
compiler -O level: name,,NO_SECT,0,0
emitted with gcc2_compiled and in gcc source
object file name: name,,0,0,st_mtime
compiler parameters: name,,NO_SECT,0,0
prebound undefined (defined in a dylib)
global pascal symbol: name,,NO_SECT,subtype,line
private external symbol bit
parameter: name,,NO_SECT,type,offset
right bracket: 0,,NO_SECT,nesting level,address
reference to a weak symbol
register sym: name,,NO_SECT,type,register
defined in section number n_sect
src line: 0,,n_sect,linenumber,address
source file name: name,,n_sect,0,address
#included file name: name,,n_sect,0,address
structure elt: name,,NO_SECT,type,struct_offset
if any of these bits set, a symbolic debugging entry
static symbol: name,,n_sect,type,address
mask for the type bits
undefined, n_sect == NO_SECT
compiler version: name,,NO_SECT,0,0
coalesed symbol is a weak definition
symbol is weak referenced
14 bit branch displacement (to a word address)
24 bit branch displacement (to a word address)
Same as the RELOC_HI16 except the low 16 bits and the high 16 bits are added together
with the low 16 bits sign extened first. This means if bit 15 of the low 16 bits is
set the high 16 bits stored in the instruction will be adjusted.
a PAIR follows with the low half
section difference forms of above. a PAIR
Same as the LO16 except that the low 2 bits are not stored in the instruction and are
always zero. This is used in double word load/store instructions.
a PAIR follows with the high half
follows these with subtract symbol value
like PPC_RELOC_SECTDIFF, but the symbol referenced was local.
the second relocation entry of a pair
prebound lazy pointer
a PAIR follows with subtract symbol value
generic relocation as discribed above
absolute relocation type for Mach-O files
Bit set in
Relocation::r_word0 for scattered relocations.24 section attributes
system setable attributes
User setable attributes
256 section types
the real uninitialized data section no padding
the section common symbols are allocated in by the link editor
the real initialized data section no padding, no bss overlap
the fvmlib initialization section
the section following the fvmlib initialization section
the icon headers
the icons in tiff format
module information
string table
string table
symbol table
the real text part of the text section no headers, and no padding
the tradition UNIX data segment
the icon segment
the segment for the self (dyld) modifing code stubs that has read, write and execute permissions
the segment containing all structs created and maintained by the link editor. Created with -seglinkedit option to ld(1) for MH_EXECUTE and FVMLIB file types only
the segment overlapping with linkedit containing linking information
objective-C runtime segment
the pagezero segment which has no protections and catches NULL references for MH_EXECUTE files
the tradition UNIX text segment
the unix stack segment
this segment is the VM that is allocated by a fixed VM library, for overlap checking in the link editor
the file contents for this segment is for the high part of the VM space, the low part is zero filled (for stacks in core files)
this segment has nothing that was relocated in it and nothing relocated to it, that is it maybe safely replaced without relocation
This segment is protected. If the segment starts at file offset 0, the first page of the segment is not protected. All other pages of the segment are protected.
This segment is made read-only after fixups
section with only 4 byte literals
section with only 8 byte literals
section with only 16 byte literals
a debug section
section has external relocation entries
blocks are live if they reference live blocks
section has local relocation entries
no dead stripping
section contains coalesced symbols that are not to be in a ranlib table of contents
section contains only true machine instructions
Used with i386 code stubs written on by dyld
section contains some machine instructions
ok to strip static symbols in this section in files with the MH_DYLDLINK flag
section contains symbols that are to be coalesced
section with only literal C strings
section contains DTrace Object Format
zero fill on demand section (that can be larger than 4 gigabytes)
32-bit offsets to initializers
section with only pairs of function pointers for interposing
section with only lazy symbol pointers to lazy loaded dylibs
section with only lazy symbol pointers
section with only pointers to literals
section with only function pointers for initialization
section with only function pointers for termination
section with only non-lazy symbol pointers
regular section
section with only symbol stubs, byte size of stub in the reserved2 field
functions to call to initialize TLV values
template of initial values for TLVs
TLV descriptors
pointers to TLV descriptors
template of initial values for TLVs
zero fill on demand section
execute permission
read permission
write permission
a CALL/JMP instruction with 32-bit displacement
other GOT references
a MOVQ load of a GOT entry
for signed 32-bit displacement
for signed 32-bit displacement with a -1 addend
for signed 32-bit displacement with a -2 addend
for signed 32-bit displacement with a -4 addend
must be followed by a X86_64_RELOC_UNSIGNED
for thread local variables
for absolute addresses