feat: add macho fat parser

arthomas · arthomas · commit cc34b9e38978 · 2024-09-25T10:27:31.000+01:00
diff --git a/scripts/extractors/kaitai/mach_o_fat.py b/scripts/extractors/kaitai/mach_o_fat.py
@@ -0,0 +1,63 @@
+# This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild
+
+import kaitaistruct
+from kaitaistruct import KaitaiStruct, KaitaiStream, BytesIO
+
+
+if getattr(kaitaistruct, 'API_VERSION', (0, 9)) < (0, 9):
+    raise Exception("Incompatible Kaitai Struct Python API: 0.9 or later is required, but you have %s" % (kaitaistruct.__version__))
+
+from scripts.extractors.kaitai.mach_o import MachO
+class MachOFat(KaitaiStruct):
+    """This is a simple container format that encapsulates multiple Mach-O files,
+    each generally for a different architecture. XNU can execute these files just
+    like single-arch Mach-Os and will pick the appropriate entry.
+    
+    .. seealso::
+       Source - https://opensource.apple.com/source/xnu/xnu-7195.121.3/EXTERNAL_HEADERS/mach-o/fat.h.auto.html
+    """
+    def __init__(self, _io, _parent=None, _root=None):
+        self._io = _io
+        self._parent = _parent
+        self._root = _root if _root else self
+        self._read()
+
+    def _read(self):
+        self.magic = self._io.read_bytes(4)
+        if not self.magic == b"\xCA\xFE\xBA\xBE":
+            raise kaitaistruct.ValidationNotEqualError(b"\xCA\xFE\xBA\xBE", self.magic, self._io, u"/seq/0")
+        self.num_fat_arch = self._io.read_u4be()
+        self.fat_archs = []
+        for i in range(self.num_fat_arch):
+            self.fat_archs.append(MachOFat.FatArch(self._io, self, self._root))
+
+
+    class FatArch(KaitaiStruct):
+        def __init__(self, _io, _parent=None, _root=None):
+            self._io = _io
+            self._parent = _parent
+            self._root = _root if _root else self
+            self._read()
+
+        def _read(self):
+            self.cpu_type = KaitaiStream.resolve_enum(MachO.CpuType, self._io.read_u4be())
+            self.cpu_subtype = self._io.read_u4be()
+            self.ofs_object = self._io.read_u4be()
+            self.len_object = self._io.read_u4be()
+            self.align = self._io.read_u4be()
+
+        @property
+        def object(self):
+            if hasattr(self, '_m_object'):
+                return self._m_object
+
+            _pos = self._io.pos()
+            self._io.seek(self.ofs_object)
+            self._raw__m_object = self._io.read_bytes(self.len_object)
+            _io__raw__m_object = KaitaiStream(BytesIO(self._raw__m_object))
+            self._m_object = MachO(_io__raw__m_object)
+            self._io.seek(_pos)
+            return getattr(self, '_m_object', None)
+
+
+
diff --git a/scripts/macho_fat_parser.py b/scripts/macho_fat_parser.py
@@ -0,0 +1,43 @@
+"""!
+@brief uses Kaitai (https://github.com/kaitai-io/kaitai_struct_compiler) to parse Mach-o Fat files.
+@details Can supply a section name to extract out of the Mach-o Fat.
+By default runs macho_parser_misc() from macho_parser plugin
+"""
+from deject.plugins import Deject
+from kaitaistruct import KaitaiStream, BytesIO
+from scripts.extractors.kaitai.mach_o_fat import MachOFat
+import scripts.macho_parser
+from typer import secho,colors
+from enum import Flag
+
+@Deject.plugin
+def macho_fat_parser():
+    """Used to parse information from a Mach-o file"""
+    data = MachOFat.from_file(Deject.file_path)
+    args = str(Deject.plugin_args).split(" ")
+    if args[0] == "False":
+        secho(f"Please select a CPU Arch from the following: {[x.cpu_type.name for x in data.fat_archs]})")
+        return
+    args.append("")
+    for archs in data.fat_archs:
+        if archs.cpu_type.name == args[0]:
+            match args[1]:
+                case "extract":
+                    result = scripts.macho_parser.macho_parser_extract(archs.object,args[2])
+                case "sections":
+                    result = scripts.macho_parser.macho_parser_sections(archs.object)
+                case _:
+                    result = scripts.macho_parser.macho_parser_misc(archs.object)
+    return result
+
+def help():
+    print("""
+Mach-o Fat Parser plugin
+
+SYNOPSIS <filename> "[options]"
+
+Select the Architecture to get information about, running without the architechure will print available architectures in the file.
+
+Uses the Mach-o Fat parser from Kaitai to read information from a Mach-o Fat file.
+If extract and a section name is added, extract data from that section (enclose additional options in quotes).
+""")
