{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Lonely孤独者° 的问题《What is required for a Mach-O executable to load?》','https://www.manongdao.com/q-327799.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am attempting to hand-write a Mach-O executable. There are three load commands:
LC_SEGMENT_64loading__PAGEZEROLC_SEGMENT_64loading__TEXT, with a single__textsectionLC_UNIXTHREADwith an appropriately-setrip
Every command matches the structs in mach/loader.h and related headers. otool -l lists the information as expected and doesn't report any errors. By all accounts it is a well-formed object file — yet OS X 10.10.5 terminates the task (SIGKILL).
What features of a Mach-O executable are checked before OS X will load it? Where is this information located? Do these features change version-to-version? (The often-cited "OS X ABI Mach-O Reference" is apparently missing.)
Here is a partially annotated hexdump of the binary.
otool sanity check (excerpted):
$ otool -l machtest
machtest:
Load command 0
cmd LC_SEGMENT_64
cmdsize 72
segname __PAGEZERO
…
Load command 1
cmd LC_SEGMENT_64
cmdsize 152
segname __TEXT
…
Section
sectname __text
segname __TEXT
…
Load command 2
cmd LC_UNIXTHREAD
…
Not 100% sure but you will need
LC_LOAD_DYLINKERload command to run dyld before your executable, I am pretty certain OSX does not automatically maps to/usr/lib/dyldif that load command is not available.Do you need
/usr/lib/libSystem.B.dylibwithLC_LOAD_DYLIBload command? I don't think so but that's a good to have either and does not cost much.Since 10.10.5 Yosemite, the executable file must be at least 4096 bytes long (
PAGE_SIZE), or it will be killed immediately. The relevant code found by @Siguza in theXNU kernelexec_activate_imagefunction https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/kern/kern_exec.c#L1456Without dyld
Assuming you want a 64-bit macOS executable using only system calls, you need:
LC_SEGMENT_64__PAGEZERO(with nonzero size, name can be anything)LC_SEGMENT_64__TEXT(name can be anything; must be readable and executable; sections are optional)LC_UNIXTHREADHere is my example for this case.
With dyld
You can't do much without dyld though, so if you want to use it the minimal set is:
LC_SEGMENT_64__PAGEZERO(with nonzero size)LC_SEGMENT_64__TEXT(name can be anything; must be readable and executable; sections are optional)LC_SEGMENT_64__LINKEDIT(must be writable because dyld requires a writable segment, in aldlinked binary the writable segment typically would be__DATA)LC_DYLD_INFO_ONLY(specifies where the actualdyldload commands physically are in the executable, typically they will be found__LINKEDITbut there's no limitation on this) or interestinglyLC_SYMTABinstead, which would make the actualdyldimpossible to use withoutLC_DYLD_INFO_ONLY.LC_DYSYMTAB(this can be empty)LC_LOAD_DYLINKERLC_MAINorLC_UNIXTHREADLC_LOAD_DYLIB(at least one actual dylib to load forLC_MAINto work)LC_UNIXTHREADandLC_MAINIn modern executables (since 10.7 Mountain Lion),
LC_UNIXTHREADis replaced byLC_MAIN, which requiresdyld— butLC_UNIXTHREADis still supported for any executable as of 10.12 Sierra (and it should be in future MacOS versions, because it's utilised bydyldexecutable itself to actually start).For
dyldto work the extra steps depend on type of binding:bind at loadis the least effort approach , whereLC_DYLD_INFO_ONLYpointing to validdyld load commandspointing to writable segment will do the trick.lazy bindingadditionally requires extra platform specific code in__TEXTwhich utilises binded at load timedyld_stub_binderto lazy load address of adyldloaded function.There are other types of
dyld bindingwhich I don't cover here.Further details can be found here: https://github.com/opensource-apple/dyld/blob/master/src/ImageLoaderMachO.cpp