This Binary Ninja plugin adds a command to apply the fixup information present in LC_DYLD_CHAINED_FIXUPS
for eligible ARM Mach-O files (such as M1 Kernel extensions). This plugin was written against the dev
branch of Binary Ninja API, and tested against M1 kernel extensions and M1 Kernel images.
As of macOS 12/iOS 15, a new load command (LC_DYLD_CHAINED_FIXUPS
) is used to store the linker data that dyld uses at process startup. For more information, there's a blog post by Emerge Tools here that explains it at a high level.
In short, there is a list of start locations of pointer chains for each segment. Each chain entry contains information about whether it needs to be rebased or bound, the information to do so (target or ordinal number), as well as the location of the next entry in the chain. DYLD will traverse each of these chains and apply the necessary fixups.
To apply fixups for eligible projects, use the plugin action under Tools -> Plugins -> Apply LC_DYLD_CHAINED_FIXUPS
.
Information about where fixups were applied is available in the Log
console:
[*] Fixup header at = 0x20000
[*] DYLD_CHAINED_STARTS_IN_IMAGE at = 0x20020, with 0x5 segments
[*] Imports table at 0x2006c
[*] Symbols table at 0x2090c
[*] Chain start at 0x180b4
[*] Rebasing pointer at 0x180b4
[*] Rebasing pointer at 0x180bc
[*] Rebasing pointer at 0x180c8
[*] Rebasing pointer at 0x180d0
[*] Chain start at 0x1c000
[*] Rebasing pointer at 0x1c000
[*] Chain start at 0x1d000
[*] Binding __ZN9IOService20getDeviceMemoryCountEv at 0x1d000
[*] Binding __ZN9IOService24getDeviceMemoryWithIndexEj at 0x1d008
...
[ SNIP ]
To call this plugin action from your own plugin or another script, you can use the following snippet:
ctx = plugin.PluginCommandContext(bv)
plugin_list = plugin.PluginCommand.get_valid_list(ctx)
plugin_list['Apply LC_DYLD_CHAINED_FIXUPS'].execute(ctx)