2

I'm working on a file iterator that decides whether a Mach-O file is runnable or not, and I'd like to add a quick check according to file size.

It seems like there's no real limitation on the Mach-O minimum size, but is there a lower limit for a valid Mach-O size?

(This means that files below this size that are identified as Mach-O by the 0xfeedface/0xfeedfacf prefix couldn't be executed.)

According to the Mach-O structure, it should contain Mach-O headers and load commands that may point to additional segments.

And if there's such a specified limit, how can I compile/create a file whose size is the limit?

I guess that such a file would contain only a single load command header that points to the minimal code. It wouldn't be linked to any dylib, contain static data, global variables, etc. But when I compile a simple main command that returns 0, it's still linked to /usr/lib/libSystem.B.dylib

rough lower boundary

thanks

Zohar81
  • Duplicate of: https://stackoverflow.com/a/32659692/5329717 & https://stackoverflow.com/a/42399119/5329717 . Linker by default will link with C standard library. – Kamil.S Apr 15 '18 at 11:14
  • 1
    @Kamil.S, it's written in the question "Since 10.10.5 Yosemite, the executable file must be at least 4096 bytes long, or it will be killed immediately." Do you perhaps know where in the kernel code I can find this condition? – Zohar81 Apr 15 '18 at 12:01
  • I found the limit myself empirically (identical 4095 bytes executable padded with zeroes got killed). Check this for starters: https://github.com/opensource-apple/dyld/blob/master/src/ImageLoaderMachO.cpp – Kamil.S Apr 15 '18 at 12:19
  • Interestingly, Apple toughened the Mach-O checks as a result of fixing the Pangu jailbreak for iOS 8. The Mach-O loader code is shared for iOS & macOS. – Kamil.S Apr 15 '18 at 12:23
  • 3
    The kernel-enforced minimum is in [`bsd/kern/kern_exec.c`, `exec_activate_image()`](https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/kern/kern_exec.c#L1456). – Siguza Apr 15 '18 at 13:59
  • @siguza, and that's because it attempts to read PAGE_SIZE in method `error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE..` and the file is less than that, so it fails and we goto `bad`, right? – Zohar81 Apr 15 '18 at 14:33
  • @Zohar81 Yes, precisely. – Siguza Apr 15 '18 at 14:44

1 Answer

3

Someone wrote exactly this, tiny.s. It runs for earlier versions of OSX:

https://gist.github.com/zliuva/1084476

Olsonist
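The quick pre-check the question asks for, as an added example (not code from the thread or from Apple): it combines the magic prefix with the 4096-byte minimum reported in the comments, and goes slightly further by rejecting headers whose `sizeofcmds` runs past the end of the file. The function names, the result labels and the `MIN_EXEC_SIZE` default are assumptions of this sketch.

```python
import os
import struct

# On-disk magics read as little-endian uint32; the CIGAM forms are the same
# headers stored big-endian.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE
MH_EXECUTE = 2
MIN_EXEC_SIZE = 4096  # assumption: the minimum reported in the comments


def triage_macho(head: bytes, file_size: int, min_size: int = MIN_EXEC_SIZE) -> str:
    """Classify from the first 32 bytes plus the total file size."""
    if len(head) < 4:
        return "not-macho"
    (magic,) = struct.unpack_from("<I", head)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        return "not-macho"
    header_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    if len(head) < header_size or file_size < header_size:
        return "truncated"
    # Fields: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    filetype, _ncmds, sizeofcmds = struct.unpack_from(endian + "7I", head)[3:6]
    if header_size + sizeofcmds > file_size:
        return "truncated"       # load commands would run past end of file
    if filetype != MH_EXECUTE:
        return "not-executable"  # dylib, object file, bundle, ...
    if file_size < min_size:
        return "too-small"       # below the reported kernel minimum
    return "candidate"


def triage_path(path: str) -> str:
    """Read only the header, so the check stays cheap in a file iterator."""
    with open(path, "rb") as f:
        return triage_macho(f.read(32), os.fstat(f.fileno()).st_size)


def sample_header(filetype: int = MH_EXECUTE, sizeofcmds: int = 0) -> bytes:
    """Constructed 64-bit x86_64 header for testing; not from a real binary."""
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, filetype, 0, sizeofcmds, 0, 0)
```

A `candidate` result only means the file passed these cheap checks; it does not show that the kernel or dyld will accept it.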