MachOKit

🔬 A Swift library for parsing mach-o files to obtain various information.

Generate Convert Improve

Install / Use

/learn @p-x9/MachOKit

About this skill

Quality Score

0/100

README

MachOKit

Library for parsing MachO files to obtain various information.

In addition to file reading, parsing of images in memory by _dyld_get_image_header is also supported.

Features

parse load commands
symbol list
get all cstrings
rebase operations
binding operations
export tries
...

Usage

Load from memory

For reading from memory, use the MachOImage structure.

It can be initialized by using the Mach-O Header pointer obtained by _dyld_get_image_header.

guard let mh = _dyld_get_image_header(0) else { return }
let machO = MachOImage(ptr: mh)

Alternatively, it can be initialized using the name.

// /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
guard let machO = MachOImage(name: "Foundation") else { return }

Load from file

For reading from file, use the MachOFile structure.

Reading from a file can be as follows. There is a case of a Fat file and a single MachO file, so a conditional branching process is required.

let path = "Path to MachO file"
let url = URL(string: path)

let file = try MachOKit.loadFromFile(url: url)

switch file {
case .machO(let machOFile): // single MachO file
    print(machOFile)
case .fat(let fatFile): // Fat file
    let machOFiles = try fatFile.machOFiles()
    print(machOFiles)
}

Main properties and methods

Both MachOImage and MachOFile can use essentially the same properties and methods. The available methods are defined in the following file as the MachORepresentable protocol.

MachORepresentable

Dyld Cache

Loading of dyld_shared_cache is also supported.

The available methods are defined in the following file as the DyldCacheRepresentable protocol.

DyldCacheRepresentable

Dyld Cache (File)

let path = "/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e"
let url = URL(fileURLWithPath: path)

let cache = try! DyldCache(url: url)

It is also possible to extract machO information contained in dyld_shared_cache. The machO extracted is of type MachOFile. As with reading from a single MachO file, various analyses are possible.

let machOs = cache.machOFiles()
for machO in machOs {
    print(
        String(machO.headerStartOffsetInCache, radix: 16),
        machO.imagePath,
        machO.header.ncmds
    )
}

// 5c000 /usr/lib/libobjc.A.dylib 22
// 98000 /usr/lib/dyld 15
// 131000 /usr/lib/system/libsystem_blocks.dylib 24
// ...

Full Dyld Cache (File)

In addition to DyldCache, FullDyldCache can be used to handle multiple dyld cache files (main cache and subcaches) as a single unified cache.

let path = "/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e"
let url = URL(fileURLWithPath: path)

let fullCache = try! FullDyldCache(url: url)

// Access all Mach-O files across main and subcaches
let machOs = fullCache.machOFiles()
for machO in machOs {
    print(
        String(machO.headerStartOffsetInCache, radix: 16),
        machO.imagePath,
        machO.header.ncmds
    )
}

The FullDyldCache type provides properties like mainCache, subCaches, allCaches, and urls to access each component cache file.

Dyld Cache (on memory)

On the Apple platform, the dyld cache is deployed in memory.

var size = 0
guard let ptr = _dyld_get_shared_cache_range(&size) else {
    return
}
let cache = try! DyldCacheLoaded(ptr: ptr)

It is also possible to extract machO information contained in dyld_shared_cache. The machO extracted is of type MachOImage. As with reading from a single MachO image, various analyses are possible.

let machOs = cache.machOImages()
for machO in machOs {
    print(
        String(Int(bitPattern: machO.ptr), radix: 16),
        machO.path!,
        machO.header.ncmds
    )
}

// 193438000 /usr/lib/libobjc.A.dylib 24
// 193489000 /usr/lib/dyld 15
// 193513000 /usr/lib/system/libsystem_blocks.dylib 24
// ...

Example Codes

There are a variety of uses, but most show a basic example that prints output to the Test directory.

Load from memory

The following file contains sample code. MachOPrintTests

Load from file

The following file contains sample code. MachOFilePrintTests

Dyld Cache (file)

The following file contains sample code. DyldCachePrintTests

Dyld Cache (on memory)

The following file contains sample code. DyldCacheLoadedPrintTests

Related Projects

MachOKitSPM Pre-built version of MachOKit
SwiftHook ⚓️ A Swift Library for hooking swift methods and functions.
FishHook Re-implementation of facebook/fishhook with Swift using MachOKit
AntiFishHook A Swift library to deactivate fishhook. (Anti-FishHook)

Other binary type

ELFKit Elf format

License

MachOKit is released under the MIT License. See LICENSE

Related Skills

node-connect

328.6k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

frontend-design

80.9k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

openai-whisper-api

328.6k

Transcribe audio via OpenAI Audio Transcriptions API (Whisper).

commit-push-pr

80.9k

Commit, push, and open a PR