How to obtain mach-O symbol stub information? #377

Open
mstange opened this issue Sep 12, 2021 · 5 comments

@mstange
Contributor

mstange commented Sep 12, 2021

I'm trying to look up address 0x77d58 in the arm64 object in this libmozglue.dylib.

This address was sampled by a profiler. According to Hopper, it is inside a symbol stub for OSSpinLockUnlock:

        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================


                     imp___stubs__OSSpinLockUnlock:        // OSSpinLockUnlock
0000000000077d54         nop
0000000000077d58         ldr        x16, #_OSSpinLockUnlock_ptr                 ; _OSSpinLockUnlock
0000000000077d5c         br         x16                                         ; _OSSpinLockUnlock
                        ; endp

Is there a way I can get the address and name for imp___stubs__OSSpinLockUnlock using object?

@bjorn3
Contributor

bjorn3 commented Sep 12, 2021

Object is an object file parsing crate. The mach-O files don't directly encode at which offset in the __stubs sections which symbol exists. Hopper likely uses heuristics to match them. This stack overflow question seems at least somewhat useful: https://reverseengineering.stackexchange.com/questions/8163/in-a-mach-o-executable-how-can-i-find-which-function-a-stub-targets#8170

@philipc
Contributor

philipc commented Sep 12, 2021

As stated in the link from bjorn3, you'll need to parse more load commands for this. object doesn't currently parse all the Mach-O load commands, but support for that would be welcome. src/macho.rs should already have their definitions.

It might also make sense to add a method to Object to expose these (or maybe extend Object::imports, not sure). For example, it can be useful to know about relocations for symbols in ELF PLT stubs, and the address of the PE IAT entry for an import.

@mstange
Contributor Author

mstange commented Sep 13, 2021

Thank you! It'll probably be a while before I'll have time to pursue this, but now I know where to start looking.

@philipc
Contributor

philipc commented Sep 13, 2021

BTW, it doesn't appear that dump_syms uses this crate (instead it uses symbolic and goblin).

@mstange
Contributor Author

mstange commented Apr 8, 2022

I've made some progress on this now. Code is here: https://github.com/mstange/macho-stubs/blob/6dbb225e43002afe97a539682bbba731029c0fc9/src/main.rs#L140-L298
This gives me the addresses in the __DATA segment for the pointers that are updated. But it doesn't give me the addresses in the __stubs section of the stub functions that read those pointers. bjorn3 is probably right and I do need some heuristics to match them up.
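
The load-command route mentioned in this thread, as an added example that is not code from the thread or from the object crate: in the Mach-O format a section of type S_SYMBOL_STUBS stores the index of its first indirect symbol table entry in `reserved1` and the size of one stub in `reserved2`, so an address inside the section maps to a stub slot by division. The type and function names, the section start 0x77d3c and the symbol indices are constructed for illustration; only the address 0x77d58 and the 12-byte stub at 0x77d54 come from the issue.

```rust
const INDIRECT_SYMBOL_LOCAL: u32 = 0x8000_0000; // entry has no symbol index
const INDIRECT_SYMBOL_ABS: u32 = 0x4000_0000;

/// Header fields of a section of type S_SYMBOL_STUBS (e.g. __TEXT,__stubs).
struct StubSection {
    addr: u64,
    size: u64,
    reserved1: u32, // index of the section's first indirect symbol table entry
    reserved2: u32, // size in bytes of one stub
}

/// Maps `addr` to (stub start address, imported symbol name).
/// `indirect` is the LC_DYSYMTAB indirect symbol table; `names` holds the
/// LC_SYMTAB symbol names in symbol-index order (both already decoded).
fn resolve_stub<'a>(
    sect: &StubSection,
    indirect: &[u32],
    names: &[&'a str],
    addr: u64,
) -> Option<(u64, &'a str)> {
    let off = addr.checked_sub(sect.addr)?;
    if sect.reserved2 == 0 || off >= sect.size {
        return None; // not a stubs section, or address outside it
    }
    let stub_size = u64::from(sect.reserved2);
    let slot = off / stub_size;
    let idx = slot.checked_add(u64::from(sect.reserved1))?;
    let entry = *indirect.get(idx as usize)?;
    if entry & (INDIRECT_SYMBOL_LOCAL | INDIRECT_SYMBOL_ABS) != 0 {
        return None; // stub is not bound to a named symbol
    }
    let name = *names.get(entry as usize)?;
    Some((sect.addr + slot * stub_size, name))
}

/// Constructed sample: three 12-byte arm64 stubs, the last one at 0x77d54.
fn sample() -> (StubSection, Vec<u32>, Vec<&'static str>) {
    let sect = StubSection { addr: 0x77d3c, size: 36, reserved1: 5, reserved2: 12 };
    let indirect = vec![0, 0, 0, 0, 0, 1, INDIRECT_SYMBOL_LOCAL, 2];
    (sect, indirect, vec!["_free", "_malloc", "_OSSpinLockUnlock"])
}

fn main() {
    let (sect, indirect, names) = sample();
    if let Some((start, name)) = resolve_stub(&sect, &indirect, &names, 0x77d58) {
        println!("stub {:#x} -> {}", start, name);
    }
}
```

The returned name is the symbol table name (`_OSSpinLockUnlock`); the `imp___stubs__` prefix shown in the disassembly is a label added by the disassembler.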
