Mach-O
Description
Mach-O (Mach Object) is the native binary format for executables, object code, dynamic libraries and other loadable images on Apple platforms (macOS, iOS and related systems). It plays the same role that ELF plays on Linux/Unix and PE on Windows. This backend parses Mach-O files and exposes their structure as object metadata for further inspection and querying: the Mach-O header (magic, CPU type/subtype, file type and flags, both as raw values and as decoded strings), the list of load commands, the segment commands and the sections (see the example below). The object_subtype (e.g. LE64 in the example, consistent with the 64-bit little-endian magic 0xFEEDFACF = 4277009103) appears to record which header variant was parsed. Note that the backend only reports that a CODE_SIGNATURE load command is present (with its cmd and cmdsize); the example metadata contains no signature verification result, so the presence of that load command must not be taken as evidence that the binary is validly signed or notarized.
info
Available in Contextal Platform 1.0 and later.
Symbols
This backend doesn't assign any symbols of its own. The INFECTED symbols shown in the example metadata below are set by a different backend (the symbol name INFECTED-CLAM-Osx.Infostealer.MacStealer-9998763-0 indicates the ClamAV scanner), so any query that combines Mach-O metadata with @has_symbol relies on that other backend having also processed the object.
Example Metadata
{
"org": "ctx",
"object_id": "15d1afca780e2ea6ffec8c4862a3401e003b5e79ce5f9076b4eea4ab599bc4ce",
"object_type": "MachO",
"object_subtype": "LE64",
"recursion_level": 1,
"size": 20257888,
"hashes": {
"sha1": "a7c58c071996942fe7880d0dbb9475291245de8c",
"sha256": "15d1afca780e2ea6ffec8c4862a3401e003b5e79ce5f9076b4eea4ab599bc4ce",
"md5": "67105c73b8a7ee319417aff902c9c015",
"sha512": "8d507f21d49fe32085611ec7b688fb1d4d44a6a7b8cd561b427c3a0a4ce93636d92f383e49e37eba18f1eab122e3ee00e2ae67e346e1761fe39eb82e4d7228c9"
},
"ctime": 1726694928.02313,
"ok": {
"symbols": [
"INFECTED",
"INFECTED-CLAM-Osx.Infostealer.MacStealer-9998763-0"
],
"object_metadata": {
"_backend_version": "1.0.0",
"load_cmds": [
{
"cmd": 25,
"cmdsize": 72,
"cmdstr": "SEGMENT_64"
},
[...]
{
"cmd": 29,
"cmdsize": 16,
"cmdstr": "CODE_SIGNATURE"
}
],
"macho_header": {
"cpusubtype": 3,
"cputype": 16777223,
"cputypestr": "X86_64",
"filetype": 2,
"filetypestr": "EXECUTE",
"flags": 2195589,
"flagsvec": [
"NOUNDEFS",
"DYLDLINK",
"TWOLEVEL",
"WEAK_DEFINES",
"BINDS_TO_WEAK",
"PIE"
],
"magic": 4277009103,
"ncmds": 19,
"sizeofcmds": 1920
},
"sections": [
{
"addr": 4294971296,
"align": 4,
"flags": 2147484672,
"nreloc": 0,
"offset": 4000,
"reloff": 0,
"reserved1": 0,
"reserved2": 0,
"reserved3": 0,
"sectname": "__text",
"segname": "__TEXT",
"size": 13088298
},
[...]
{
"addr": 4308451328,
"align": 0,
"flags": 0,
"nreloc": 0,
"offset": 13189120,
"reloff": 0,
"reserved1": 0,
"reserved2": 0,
"reserved3": 0,
"sectname": "constants",
"segname": "constants",
"size": 5824942
}
],
"segment_cmds": [
{
"fileoff": 0,
"filesize": 0,
"flags": 0,
"initprot": 0,
"maxprot": 0,
"nsects": 0,
"segname": "__PAGEZERO",
"vmaddr": 0,
"vmsize": 4294967296
},
[...]
{
"fileoff": 19021824,
"filesize": 1236064,
"flags": 0,
"initprot": 1,
"maxprot": 1,
"nsects": 0,
"segname": "__LINKEDIT",
"vmaddr": 4314284032,
"vmsize": 1245184
}
]
},
"children": []
}
}
Example Queries
object_type == "MachO"
&& @match_object_meta($macho_header.cputypestr == "X86_64")
&& @has_symbol("INFECTED")
- This query matches a MachO object whose header declares X86_64 code and which carries the INFECTED symbol. Because the MachO backend assigns no symbols itself, the @has_symbol("INFECTED") clause depends on another backend (the ClamAV scanner in the example above) having flagged the object. The cputypestr check deliberately restricts the match to x86-64 images; binaries built for other architectures (for example Apple silicon) will not match it, so widen or drop that clause if they are also of interest. The exact cputypestr values for other architectures are not listed on this page.
Configuration Options
This backend doesn't use any dedicated options.