Fix section type identifing in mach-o view #7842
Conversation
Based on opensource code [`loader.h`](https://github.com/apple-oss-distributions/xnu/blob/f6217f891ac0bb64f3d375211650a4c1ff8ca1ea/EXTERNAL_HEADERS/mach-o/loader.h#L470) and [`dyld`](https://github.com/apple-oss-distributions/dyld), the lowest byte in `sect.flags` stands for section type. | section name | section type | value | | :---------------------: | :------------------------: | :---: | | `__auth_got` or `__got` | S_NON_LAZY_SYMBOL_POINTERS | 0x6 | | `__init_offsets` | S_INIT_FUNC_OFFSETS | 0x16 | The problem for `sect.flags & S_NON_LAZY_SYMBOL_POINTERS` is that if `flags` is `S_INIT_FUNC_OFFSETS`, mach-o view will confuse `__init_offsets` with `__auth_got`(or `__got`). The checks for other section types have also been improved.
|
|
|
Thank you for sending this PR. The change seems correct, but I do want to look into why this existing code was matching on section names before I merge it. Is there a particular Mach-O binary on which you noticed the incorrect section type handling causing a problem? |
|
The mach-o I analyzed is a 2023 iOS in-the-wild (ITW) malware sample called Predator. It was uploaded and shared by Google GTIG/TAG; their blog post is available here. The sample can be downloaded here. I loaded the sample into Binary Ninja and noticed that the entire Support for the One more issue is that I missed |
3 participants
The patch is only tested on 5.2.8614.
Based on opensource code
loader.handdyld, the lowest byte insect.flagsstands for section type.__auth_gotor__got__init_offsetsThe problem for
sect.flags & S_NON_LAZY_SYMBOL_POINTERSis that ifflagsisS_INIT_FUNC_OFFSETS, mach-o view will confuse__init_offsetswith__auth_got(or__got). The checks for other section types have also been improved.