
macOS Type Libraries

Open CouleeApps opened this issue 4 years ago • 3 comments

After #1495 we should also generate type libraries for macOS, at least for the most relevant binaries. Here is a list of libraries:

  • libSystem.dylib
  • dyld
  • libc++abi.dylib
  • Foundation.framework
  • Kernel.framework
  • IOKit.framework
  • Anything in /usr/lib/system

CouleeApps avatar Oct 22 '21 19:10 CouleeApps

Latest revisions of macOS do not have the actual binaries lying around. There are some tools claiming they can grab them from the cache, but I have not tried them yet.

https://mjtsai.com/blog/2020/06/26/reverse-engineering-macos-11-0/

thanasisk avatar Jun 28 '23 08:06 thanasisk

There are some tools claiming they can grab them from the cache but I have not tried them yet.

mjtsai.com/blog/2020/06/26/reverse-engineering-macos-11-0

From that link:

Update (2024-02-01): Wade Tregaskis:

The good news for Hopper is that it has since been updated to work around this – you can access the Apple framework binaries through File > Read File from DYLD Cache… There are also tools like dyld-shared-cache-extractor which can resurrect the binaries from the cache.

Note also that in Sonoma, at least, the cache lives at /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/ (in previous macOS releases it was apparently in /System/Library/dyld/).

0xdevalias avatar Apr 08 '24 06:04 0xdevalias

Hey, thanks for the interest in this issue. But, this is not tracking better support for loading the dyld shared cache. That issue is #290.

This issue is tracking having a type library (.bntl) file with the types from the SDK that can be applied to any analysis database that loads a system-provided shared library on macOS. The corresponding issue for iOS is #2736.

We did some work towards this for the last release (Dorsai, 4.0), but didn't have anything we could definitively ship. We just had a prototype type library built from files ripped out of an old shared cache and correlated with type information provided from the SDK that hadn't been verified at all. But, we're actively working on this as a feature for our next release (Elysium, 4.1) and will hopefully have something available on the dev branch soon.

fuzyll avatar Apr 08 '24 19:04 fuzyll

Resolved in dev builds >= 4.1.5601

0cyn avatar Jul 03 '24 17:07 0cyn

I was hoping for a bit more love here, like the standard C types for example: stdlib.h, curl/curl.h, etc.

And also some constants that are #define'd in those headers and, as such, won't get imported, ex:

#pragma mark - unistd.h

// confstr(3)
enum conf_vars: int {
    _CS_DARWIN_USER_DIR = 65536,
    _CS_DARWIN_USER_TEMP_DIR = 65537,
    _CS_DARWIN_USER_CACHE_DIR = 65538,
};

melomac avatar Jul 06 '24 04:07 melomac
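As an added example (not code from this issue or from the Binary Ninja project), the script below does the conversion melomac's comment describes: it scrapes object-like integer `#define`s out of a header and emits them as a fixed-width C enum, the form a type parser can ingest even though the original macros carry no type information. The header text is constructed inline; the `_CS_DARWIN_USER_*` values are the ones quoted in the comment above, while the other macros (`EXAMPLE_HEX_CONST`, `EXAMPLE_OCTAL_MODE`, and so on) are invented to exercise the cases a naive extractor gets wrong: hex and octal literals, parenthesised values, string values, function-like macros, and value-less feature guards.

```python
import re
from typing import Dict

# Constructed sample in the shape of a macOS SDK header. Only the three
# _CS_DARWIN_USER_* lines mirror values quoted in the issue; everything
# else is illustrative and not copied from any real header.
SAMPLE_HEADER = """\
/* confstr(3) names */
#define _CS_PATH                   1
#define _CS_DARWIN_USER_DIR        65536
#define _CS_DARWIN_USER_TEMP_DIR   65537
#define _CS_DARWIN_USER_CACHE_DIR  65538
#define EXAMPLE_HEX_CONST          0x10001  /* hex literal, hypothetical */
#define EXAMPLE_OCTAL_MODE         0755     /* C octal literal, hypothetical */
#define MAX_PATH_LEN               (4096)   // parenthesised, still a constant
#define UNISTD_VERSION             "1.0"    /* string: not an integer, skipped */
#define MIN(a, b) ((a) < (b) ? (a) : (b))   /* function-like macro: skipped */
#define _GNU_SOURCE                         /* feature guard, no value: skipped */
"""

# Object-like macro: "#define NAME <value>". A '(' directly after NAME would
# make it function-like, which the mandatory whitespace here rules out.
_DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)\s+(\S.*?)\s*$")
_COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")
# Optional parentheses, optional sign, decimal/hex/octal digits, C suffixes.
_INT_RE = re.compile(r"^\(?\s*(-?)(0[xX][0-9a-fA-F]+|\d+)[uUlL]*\s*\)?$")


def _parse_c_int(sign: str, digits: str) -> int:
    """Parse a C integer literal body: hex, octal (leading 0) or decimal."""
    if re.fullmatch(r"0[0-7]+", digits):
        value = int(digits, 8)           # C treats 0755 as octal
    else:
        value = int(digits, 0)           # handles 0x... and plain decimal
    return -value if sign else value


def extract_int_defines(header_text: str) -> Dict[str, int]:
    """Return {name: value} for every object-like macro with an integer value,
    in header order. Strings, function-like macros and bare guards are skipped."""
    consts: Dict[str, int] = {}
    for line in header_text.splitlines():
        line = _COMMENT_RE.sub("", line)
        m = _DEFINE_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        im = _INT_RE.match(raw)
        if not im:
            continue                      # not an integer literal
        consts[name] = _parse_c_int(im.group(1), im.group(2))
    return consts


def render_enum(enum_name: str, consts: Dict[str, int],
                prefix: str = "", underlying: str = "int") -> str:
    """Emit a C enum with a fixed underlying type, in the style shown in the
    issue, containing the constants whose names start with `prefix`."""
    members = [(k, v) for k, v in consts.items() if k.startswith(prefix)]
    body = "\n".join(f"    {k} = {v}," for k, v in members)
    return f"enum {enum_name}: {underlying} {{\n{body}\n}};"


if __name__ == "__main__":
    found = extract_int_defines(SAMPLE_HEADER)
    print("#pragma mark - unistd.h\n")
    print("// confstr(3)")
    print(render_enum("conf_vars", found, prefix="_CS_DARWIN_USER_"))
```

The prefix filter is what turns a flat bag of macros into something usable: grouping `_CS_DARWIN_USER_*` into one enum gives the analysis a named type to apply to the `confstr(3)` argument, whereas dumping every integer macro in the header into a single enum would just produce a long list of unrelated names.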