don't assume anything at all.
Samples:
- only "programs" (MACH-O Execute) have a __PAGEZERO segment; dylibs, object files, etc. don't have one.
The intention of the page-zero segment is to block the first VM page on 32-bit and the lowest 4 GB on 64-bit Mach-O applications. This page has no access permissions at all, so dereferencing a NULL pointer, even with an offset (4K or 4GB), will result in an access violation caught by the kernel, causing an exception. On 64-bit the size is 4 GB to fix issues when bad implementations store pointers in a 32-bit variable and the top 32 bits get cut off.
Besides this, some OS X/Darwin variants use the zero page as a trampoline to cross the boundary between user land and kernel space, so this VM area is not allowed to be accessed from user land.
Obviously you only need one zero-page per process vm-space, so dylibs etc. don't have one.
- almost all segments can be named any way you like; in particular, the __TEXT segment can have any name.
Using __TEXT for this segment is just a convention used by the gcc and llvm compilers/linkers. Also, you cannot rely on the layout of the sections inside the __TEXT segment.
- when you dig into the Mach-O file format as deeply as I did, you might see that it is possible to tweak segment and section declarations (and this is what the load commands are about) a lot. On top of that, don't be sure about the contents of the segments. Example: Skype has the Mach-O header and load commands just the way you might expect, but the contents there are encrypted. The decryption is performed by the module initializer function of the DRM dylib they link against. This happens before the code in the Skype binary gets executed. It's done to avoid reverse engineering of the cryptographic schemes Skype uses for (more or less) safe communications.
Sorry that I can't give you more details about the stuff I am doing.
Regards,
SSB
===============================
Stefan Schmidt-Bilkenroth
Senior Software Engineer (Macintosh)
Advanced Security Team
SafeNet Germany
The load commands immediately after the mach_header will tell you where in the image the segments are. It will be much safer to use this information than simply assume that __TEXT is the first segment.
Nick
On 09/11/2011, at 4:24 AM, José Cornado wrote:
In this case: are there any changes to mach_header that let us know the non-standard segments are coming? Do they have to provide the specific data types in header files?
2011/11/8 Shantonu Sen <email@hidden>
No, it's not safe to assume that, especially with custom binaries that create custom segments (which might appear before __TEXT)
On Nov 8, 2011, at 8:40 AM, José Cornado wrote:
Is it safe to assume that after mach_header comes segment_command (page zero), then segment_command (TEXT), or is probing as we read the binary mandatory?
--
José Cornado
--
home: http://www.efekctive.com
blog: http://blogging.efekctive.com
----------------------
Everything has been said before, but since nobody listens we have to keep going back and beginning all over again.
Andre Gide
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
________________________________________________
SFNT Germany GmbH
Registered office: Gabriele-Muenter-Str. 1
D-82110 Germering, Germany
Managing director (Geschäftsführer): Gary Clark
Company Registration number: Amtsgericht Muenchen HRB 171025
________________________________________________
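Nick's and Shantonu's point above, that the load commands following mach_header tell you where the segments are and that a custom segment may sit before __TEXT, as an added example that is not code from the thread: a bounds-checked walk over the load commands of a constructed 64-bit image. The struct layouts and constant values are copied from <mach-o/loader.h> and redefined here so it builds outside the Apple SDK; the sample image and its segment names are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Constants and structs as in <mach-o/loader.h>; 64-bit little-endian only. */
#define MH_MAGIC_64   0xfeedfacfu
#define MH_EXECUTE    0x2u
#define LC_SEGMENT_64 0x19u
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype,
                                 ncmds, sizeofcmds, flags, reserved; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 { uint32_t cmd, cmdsize; char segname[16]; uint64_t vmaddr,
    vmsize, fileoff, filesize; uint32_t maxprot, initprot, nsects, flags; };

/* Walk the load commands after the header and return the 0-based index of the
 * load command that declares segment `name`, or -1 if absent or malformed.
 * Each cmdsize is checked against sizeofcmds and the buffer before it is used,
 * so a bad header cannot push the walk past the end of the image. */
int find_segment(const uint8_t *buf, size_t len, const char *name)
{
    struct mach_header_64 mh; if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh); if (mh.magic != MH_MAGIC_64) return -1;
    size_t off = sizeof mh, end = off + mh.sizeofcmds; if (end > len) return -1;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc; if (end - off < sizeof lc) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_SEGMENT_64) {
            struct segment_command_64 sc; if (lc.cmdsize < sizeof sc) return -1;
            memcpy(&sc, buf + off, sizeof sc);
            if (strncmp(sc.segname, name, sizeof sc.segname) == 0) return (int)i;
        }
        off += lc.cmdsize;   /* never assume a fixed command order or size */
    }
    return -1;
}

/* Constructed sample image (not a real binary): an MH_EXECUTE header whose first
 * load command is a custom segment, so __PAGEZERO and __TEXT are not first. */
uint8_t sample[512];
size_t build_sample(void)
{
    const char *names[] = { "__CUSTOM", "__PAGEZERO", "__TEXT" };
    struct mach_header_64 mh = { MH_MAGIC_64, 0, 0, MH_EXECUTE, 3,
        (uint32_t)(3 * sizeof(struct segment_command_64)), 0, 0 };
    memcpy(sample, &mh, sizeof mh); size_t off = sizeof mh;
    for (int i = 0; i < 3; i++) {
        struct segment_command_64 sc = { LC_SEGMENT_64, (uint32_t)sizeof sc };
        strncpy(sc.segname, names[i], sizeof sc.segname);
        memcpy(sample + off, &sc, sizeof sc); off += sizeof sc;
    }
    return off; /* 248 bytes: 32-byte header + 3 x 72-byte segment commands */
}
```

Against this image, assuming __TEXT is the second load command would give you the __PAGEZERO declaration instead; reading the names from the commands finds __TEXT at index 2.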