binaryninja-api icon indicating copy to clipboard operation
binaryninja-api copied to clipboard
verified publisher icon Vector35

MIG support for macOS/iOS binaries

Open theevilbit opened this issue 2 months ago • 0 comments

What is the feature you'd like to have? It would be nice if BN would support Apple's MIG structures, namely NDR records, which are stored in the Mach-O header. These are well defined structures defined in: https://github.com/apple-oss-distributions/xnu/blob/f6217f891ac0bb64f3d375211650a4c1ff8ca1ea/osfmk/mach/ndr.h#L4

It would allow recognizing MIG function calls, and BN could name them accordingly if no other symbol information is available. Also the NDR structure could be displayed nicely

Is your feature request related to a problem? If applicable, please provide a clear and concise description of what the problem is.

Are any alternative solutions acceptable? I can use a script/plugin, but out-of-the-box support would be nice.

Scott Knight made a script for Hopper: https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py

and I redone it for BN (attached), although it's not perfect, sometimes it doesn't find structures and sometimes it finds those that are not there. Still working on it.

bn_find_mig.py

Additional Information: N/A

theevilbit avatar Nov 21 '25 08:11 theevilbit