• Stars: 2,495
• Rank: 18,413 (Top 0.4 %)
• Language: C
• License: MIT License
• Created: about 12 years ago
• Updated: over 1 year ago


Repository Details

MachOView fork
   _____                .__     ____________   ____.__               
  /     \ _____    ____ |  |__  \_____  \   \ /   /|__| ______  _  __
 /  \ /  \\__  \ _/ ___\|  |  \  /   |   \   Y   / |  |/ __ \ \/ \/ /
/    Y    \/ __ \\  \___|   Y  \/    |    \     /  |  \  ___/\     / 
\____|__  (____  /\___  >___|  /\_______  /\___/   |__|\___  >\/\_/  
        \/     \/     \/     \/         \/                 \/        

Update - 16/05/2023

This code has returned from the dead and been updated to version 3.0.

Version 3.0 is now an x86_64/arm64 universal binary, with macOS 10.13+ as the minimum version.

Building has been tested with Xcode 13 or higher. The best option is to build with the latest available Xcode (14.3) and SDK, since I stopped including local copies of the latest headers and now use the system ones as much as possible. It's annoying to have to use the latest version to get all the features, but it's also annoying to keep those headers in sync; this time I opted for the latest-version approach.

Besides the universal binary, some bug fixes and small updates were merged, warnings were fixed (and then I found that psaghelyi had also done this modernization effort 4 years ago), and Capstone has been updated to its next branch to benefit from the aarch64 updates. I haven't merged the modern Objective-C syntax since I find it a bit meh. Something I'm thinking of changing is the indentation, since I'm not a fan of 2 spaces.

What's the future for this fork and project?

Over the last few years I have been puzzled by how people kept forking and starring this project on my GitHub despite it being dead. I'm using Apple Silicon more often and missed this tool, so I decided to give it some love again.

There is still a lot of work ahead to make it better: mostly adding parsing for new and old load commands that isn't there yet, and, more important for me, making the Mach-O parsing far more robust than it is.

I'm still divided on the latter. Blacktop has a nice Go-based Mach-O parser called go-macho, and some months ago I was working on my own fork of it, where I changed the API a bit according to personal taste and, more importantly, made the parser a lot more robust (most of the time I'm dealing with potentially hostile binaries, so parser security is very important to me). I'm thinking about the possibility of using a sandboxed Go backend and removing all the parsing code from the current codebase. This would be a more secure design and would avoid the tedious and error-prone work of fixing the current code. Plus, it has the benefit of using a modern codebase that can parse a lot more than the engine used here right now.

I also have to think about whether to provide binary builds, since I don't currently own a developer certificate and am not counting on getting one and paying Apple's developer tax.

Have fun,
fG!


A fork of MachOView to update it and fix some bugs, mostly Mountain Lion & iOS 6 related.
Also some small changes to the original behaviour.

Original MachOView by psaghelyi at machoview.
Thanks to psaghelyi for his great work :-)

Latest versions are Lion+ only.
The LLVM disassembler was replaced with Capstone. This eliminates the Clang/LLVM package requirements.
The downside is that Capstone stops disassembling on bad instructions, which means that for now data in code and jump table data will create problems, and __text section disassembly might be incomplete in binaries that contain such data.
Capstone has improved its disassembly on error, but the data-in-code locations are available in the header (the LC_DATA_IN_CODE load command), so this can and should be improved.

A static Capstone library extracted from the official DMG is included in the repo.
If you want to be safe (i.e. not trust a prebuilt binary checked into the repo), you should download Capstone and compile it yourself.

Now features the attach option to analyse the headers of a running process.
To use this feature you will need to codesign the binary.
Follow this LLDB guide to create the certificate and then codesign the MachOView binary.

The necessary entitlements are already added to Info.plist.

Be warned that this gives MachOView task_for_pid() privileges under the current user, and therefore control over every process running as that user.
The whole Mach-O parsing code needs to be reviewed and made more robust.

Enjoy,
fG!

Note: This repo is frozen in time and there are kinda active forks out there.
The main problem of this codebase is that the Mach-O parser has quite a few problems and needs a significant overhaul to make it more robust and secure.
I do have much better code, but it's under NDAs, etc., and I don't have the energy to reinvent the wheel once again. Secure executable binary parsing is a ton of work in C/C++.
It's possible, but it's exhausting.
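As an added example (not code from MachOView or from fG!), here is what the two points made above look like together: the data-in-code fix the Capstone note asks for, done with the bounds checking the parser notes call for. It walks the load commands with every length checked against the buffer, pulls the LC_DATA_IN_CODE table, and splits __text into the pure-code ranges a Capstone sweep should be fed one at a time. The struct offsets mirror <mach-o/loader.h> but are spelled out as constants (an assumption of the example) so it builds on any platform, and the image it parses is a constructed sample, not a real binary.

```c
/* Added example, not code from MachOView or its author: a bounds-checked walk
 * over a 64-bit Mach-O header that collects the LC_DATA_IN_CODE entries and
 * splits __text into pure-code ranges, so a linear-sweep disassembler is never
 * handed the data islands and jump tables that make it stop early. Struct
 * offsets mirror <mach-o/loader.h> but are spelled out as constants here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64 0xfeedfacfu
enum { LC_SEGMENT_64 = 0x19, LC_DATA_IN_CODE = 0x29,                      /* load command types   */
       MH64_SIZE = 32, SEG64_SIZE = 72, SECT64_SIZE = 80, DICE_SIZE = 8 }; /* on-disk struct sizes */
typedef struct { uint64_t start, end; } range_t;                          /* file offsets, [start, end) */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Returns the number of code ranges written to out (at most maxout), or -1 if
 * the image is malformed or a data-in-code entry points outside __text. Every
 * size is checked by subtraction, so a hostile header cannot overflow a sum. */
int macho_code_ranges(const uint8_t *img, size_t len, range_t *out, int maxout)
{
    if (len < MH64_SIZE || rd32(img) != MH_MAGIC_64) return -1;
    uint32_t ncmds = rd32(img + 16), sizeofcmds = rd32(img + 20);
    if (sizeofcmds > len - MH64_SIZE) return -1;
    size_t off = MH64_SIZE, cmds_end = MH64_SIZE + sizeofcmds;
    uint64_t text_off = 0, text_size = 0, dice_off = 0, dice_size = 0; int have_text = 0, have_dice = 0;
    for (uint32_t i = 0; i < ncmds; i++) {               /* bounded by sizeofcmds, not by ncmds */
        if (cmds_end - off < 8) return -1;
        uint32_t cmd = rd32(img + off), cmdsize = rd32(img + off + 4);
        if (cmdsize < 8 || cmdsize > cmds_end - off) return -1;
        if (cmd == LC_SEGMENT_64) {
            if (cmdsize < SEG64_SIZE) return -1;
            uint32_t nsects = rd32(img + off + 64);      /* segment_command_64.nsects */
            if (nsects > (cmdsize - SEG64_SIZE) / SECT64_SIZE) return -1;
            for (uint32_t s = 0; s < nsects; s++) {
                const uint8_t *sec = img + off + SEG64_SIZE + (size_t)s * SECT64_SIZE;
                if (strncmp((const char *)sec, "__text", 16) ||
                    strncmp((const char *)sec + 16, "__TEXT", 16)) continue;
                text_size = rd64(sec + 40); text_off = rd32(sec + 48);   /* section_64.size, .offset */
                if (text_off > len || text_size > len - text_off) return -1;
                have_text = 1;
            }
        } else if (cmd == LC_DATA_IN_CODE) {             /* linkedit_data_command */
            if (cmdsize < 16) return -1;
            dice_off = rd32(img + off + 8); dice_size = rd32(img + off + 12);
            if (dice_off > len || dice_size > len - dice_off || dice_size % DICE_SIZE) return -1;
            have_dice = 1;
        }
        off += cmdsize;
    }
    if (!have_text) return -1;
    /* Entries must be sorted and inside __text (as the linker emits them); emit the gaps between them. */
    uint64_t cursor = text_off, text_end = text_off + text_size; int n = 0;
    for (uint64_t e = 0; have_dice && e < dice_size / DICE_SIZE; e++) {
        const uint8_t *ent = img + dice_off + e * DICE_SIZE;
        uint64_t d_off = rd32(ent), d_len = rd16(ent + 4);   /* kind (ent + 6) not needed here */
        if (d_off < cursor || d_off > text_end || d_len > text_end - d_off) return -1;
        if (d_off > cursor && n == maxout) return -1;
        if (d_off > cursor) { out[n].start = cursor; out[n].end = d_off; n++; }
        cursor = d_off + d_len;
    }
    if (cursor < text_end && n == maxout) return -1;
    if (cursor < text_end) { out[n].start = cursor; out[n].end = text_end; n++; }
    return n;
}

/* Constructed sample (not a real binary): one __TEXT segment with __text at
 * file offset 0x200 (64 bytes), plus an LC_DATA_IN_CODE table at 0x100 that
 * marks a data island at 0x210 and a jump table at 0x230. Returns the length. */
#define SAMPLE_LEN 0x240
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }
size_t build_sample_image(uint8_t *b, size_t cap)
{
    if (cap < SAMPLE_LEN) return 0;
    memset(b, 0, SAMPLE_LEN);
    wr32(b, MH_MAGIC_64); wr32(b + 16, 2); wr32(b + 20, SEG64_SIZE + SECT64_SIZE + 16);
    uint8_t *seg = b + MH64_SIZE, *sec = seg + SEG64_SIZE, *dice = sec + SECT64_SIZE;
    wr32(seg, LC_SEGMENT_64); wr32(seg + 4, SEG64_SIZE + SECT64_SIZE); memcpy(seg + 8, "__TEXT", 6); wr32(seg + 64, 1);
    memcpy(sec, "__text", 6); memcpy(sec + 16, "__TEXT", 6); wr64(sec + 40, 0x40); wr32(sec + 48, 0x200);
    wr32(dice, LC_DATA_IN_CODE); wr32(dice + 4, 16); wr32(dice + 8, 0x100); wr32(dice + 12, 2 * DICE_SIZE);
    wr32(b + 0x100, 0x210); wr16(b + 0x104, 8); wr16(b + 0x106, 1);   /* DICE_KIND_DATA         */
    wr32(b + 0x108, 0x230); wr16(b + 0x10c, 4); wr16(b + 0x10e, 4);   /* DICE_KIND_JUMP_TABLE32 */
    memset(b + 0x200, 0x90, 0x40);                                    /* NOPs standing in for code */
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t img[SAMPLE_LEN]; range_t r[8];
    int n = macho_code_ranges(img, build_sample_image(img, sizeof img), r, 8);
    for (int i = 0; i < n; i++) printf("disassemble [0x%llx, 0x%llx)\n", (unsigned long long)r[i].start, (unsigned long long)r[i].end);
    printf("truncated copy -> %d\n", macho_code_ranges(img, 100, r, 8));   /* rejected, not over-read */
    return 0;
}
```

The ranges are file offsets; the VM address of a range is section_64.addr plus (start minus the section's file offset), which is what you would pass to Capstone as the base address for each sweep. The example rejects unsorted or overlapping entries instead of sorting them, which is the right posture for hostile input: the linker writes the table in address order, so anything else is worth flagging. A production version would also need the fat header, 32-bit images and the 8-byte alignment rule for 64-bit load commands, none of which are shown here.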

More Repositories

1. Gdbinit: Gdbinit for OS X, iOS and others - x86, x86_64 and ARM (1,596 stars)
2. lldbinit: A gdbinit clone for LLDB (Python, 325 stars)
3. firmware_vault: A repo for all Apple EFI firmware files (255 stars)
4. readmem: A small OS X/iOS userland util to dump processes memory (C, 218 stars)
5. onyx-the-black-cat: Kernel extension to disable anti-debug tricks and other useful XNU "features" (C, 209 stars)
6. rootfool: A small tool to dynamically disable and enable SIP in El Capitan (C, 163 stars)
7. EFISwissKnife: An IDA plugin to improve (U)EFI reversing (C++, 142 stars)
8. HexRaysDeob: Hex-Rays OLLVM Deobfuscator and MicroCode Explorer (C++, 118 stars)
9. hydra: A kernel extension and userland daemon to patch applications (C, 104 stars)
10. otool-ng: Some improvements to Apple's otool (C, 100 stars)
11. gopher: An OS X crypto ransomware PoC (C, 90 stars)
12. mach_race: Exploit code for CVE-2016-1757 (C, 81 stars)
13. efi_dxe_emulator: EFI DXE Emulator and Interactive Debugger (C, 79 stars)
14. pydbg64: PyDBG64 - OS X PyDbg with 64 bits support (C, 68 stars)
15. osx_boubou: A PoC Mach-O infector via library injection (C, 64 stars)
16. mpress_dumper: MPRESS dumper for OS X (Assembly, 64 stars)
17. gimmedebugah: A small utility to inject an Info.plist into binaries (C, 57 stars)
18. gdb-ng: Apple's gdb fork with some fixes and enhancements (C, 54 stars)
19. ExtractMachO: IDA plugin to extract Mach-O binaries located in the disassembly or data (C, 54 stars)
20. Gatekeerper: A kernel extension to mitigate Gatekeeper bypasses (C, 48 stars)
21. kextstat_aslr: Implementation of kextstat via /dev/kmem with kernel ASLR support (C, 38 stars)
22. can_I_suid: A TrustedBSD module to control execution of binaries with the suid bit set (C, 37 stars)
23. crackme_nr1: fG!'s crackme #1 source code (C, 36 stars)
24. bruteforcesysent: Small util to discover the OS X sysent via bruteforce (C, 33 stars)
25. tcplognke: Apple's tcplognke code sample (C, 29 stars)
26. TELoader: A TE executable format loader for IDA (C, 28 stars)
27. unicorn_string_deobfuscator: A Unicorn based emulator to deobfuscate Equation Group string XOR obfuscation (C, 27 stars)
28. mario: The kernel component of the rootpipe fix for Mavericks (C, 27 stars)
29. adium-ng-preview: Repo to dump some preview info and builds for adium-ng (27 stars)
30. MicrocodeExplorer: Hex-Rays MicrocodeExplorer (C++, 26 stars)
31. readkmem: Small utility to dump kernel memory (C, 25 stars)
32. rex_versus_the_romans: Anti Hacking Team TrustedBSD module (C, 25 stars)
33. readphysmem: A small utility to read and write a Mac's physical memory using the default AppleHWAccess.kext (Objective-C, 25 stars)
34. llvmpatches: Misc llvm patches (CMake, 22 stars)
35. hello_santa_bye_santa: Bypass Google's Santa (C, 21 stars)
36. fixobjc: IDA IDC script to improve Objective-C disassembly output (21 stars)
37. checkidt: Small util to dump the IDT table of a running OS X system with kmem enabled (C, 20 stars)
38. armorysandbox: A USB armory based USB sandbox (Makefile, 20 stars)
39. MachOPlugin: IDA plugin to display Mach-O headers (C, 19 stars)
40. icetheguardianv2: A TrustedBSD module PoC to monitor writes to the Daemons and Agents folders (C, 19 stars)
41. diagnostic_service: OS X rootkit loader version #1 (C++, 18 stars)
42. kgmacros: Fixed kgmacros to work with the VMware kernel gdb stub (17 stars)
43. ExtractMacho2: IDA plugin to extract Mach-O binaries located in the disassembly or data (C++, 17 stars)
44. syscall-benchmark: macOS syscall performance benchmark (Assembly, 16 stars)
45. av-monster: PoC kext to disable OS X anti-virus software (C, 15 stars)
46. luigi: The userland component of the rootpipe fix for Mavericks (Objective-C, 14 stars)
47. carbon_copy_cloner_keychaingen: A keygen for the Carbon Copy Cloner private keychain (Objective-C, 14 stars)
48. Crisis-Analysis-Tools: Scripts and other material related to OS.X/Crisis malware analysis (C, 13 stars)
49. diagnostic_service2: OS X rootkit loader version #2 (C++, 12 stars)
50. calcspace: Small util to calculate available free space in Mach-O binaries for code injection (C, 12 stars)
51. idc-scripts: Random collection of IDA IDC scripts (11 stars)
52. Disable-m3u: iTunes plugin to disable creation of m3u playlists (C, 11 stars)
53. rexthewonderdog: A lazy PoC for implementing backdoors in the OS X TrustedBSD MAC framework (C, 10 stars)
54. fuckyouilfak: An IDA Pro 9.0 Beta 2 macOS x86 fix loader (C, 10 stars)
55. delambert: GreenLambert macOS IDA plugin to deobfuscate strings (C++, 10 stars)
56. GiveMeHex: A quick IDA hack to get addresses with the 0x prefix (C++, 9 stars)
57. twitterwipe: A Go utility to delete your Twitter history (Go, 9 stars)
58. how_crap_is_ida: An IDA plugin to compare IDA's detected functions versus LC_FUNCTION_STARTS information (C++, 9 stars)
59. evilquest_stats: Small utility to hash EvilQuest code and cstrings sections (Go, 7 stars)
60. keygen_CrackMe_nr1_qwertyoruiop: Keygen for qwertyoruiop's CrackMe nr1 (C, 7 stars)
61. spiflash: Very fast reader for SPI flashes for Teensy 2.x (C, 7 stars)
62. bpf_dbg_output: Small tool to convert bpf binary bytecode to bpf_dbg format (C, 7 stars)
63. evilquest_deobfuscator: EvilQuest/ThiefQuest malware strings decrypter/deobfuscator (Go, 6 stars)
64. icetheguardian: A PoC to protect critical OS X files using the TrustedBSD MAC framework (C, 5 stars)
65. SMBIOSKeygen: macserial and GenSMBIOS merged and ported to Go (Go, 4 stars)
66. yage: An age fork with internal Yubikeys support (Go, 2 stars)
67. snake_queue_parser: A decryptor for Snake/Turla configuration files (Objective-C, 2 stars)
68. Mach-O-Lib: Library to access and manipulate Mach-O headers (1 star)
69. macserial: macserial Go module (1 star)