A graphical Mach-O viewer for macOS. Powered by Mach-O Kit.

Overview

Mach-O Explorer is a graphical Mach-O viewer for macOS. It aims to provide an interface and feature set that are similar to the venerable MachOView application. Parsing is handled by Mach-O Kit. Mach-O Explorer leverages Mach-O Kit's rich description system to present the parsed data using very little code.

Mach-O Explorer should deploy back to OS X 10.11 (and possibly further) but is currently only being actively tested on macOS 10.14.

Limitations

  • Mach-O Explorer does not include a disassembler. This may be added in the future.
  • Mach-O Explorer cannot attach to a running process to analyze its headers. This may be added in the future once support in Mach-O Kit improves.
  • Mach-O Explorer does not support editing Mach-O files and there are no plans to add this feature.

Getting Started

Requirements

  • Xcode 11.0 or later to build

Compiling

Use a recursive git clone.

git clone --recursive https://github.com/DeVaukz/MachO-Explorer

Open the MachOExplorer.xcodeproj file, select the MachOExplorer target and click Run.

License

Mach-O Explorer is released under the MIT license. See LICENSE.md.

Comments
  • is not working, UINSServiceViewController requires Marzipan

    2020-03-19 18:45:43.350509+0800 MachOExplorer[72513:9264819] *** Assertion failure in +[UINSServiceViewController initialize], /BuildRoot/Library/Caches/com.apple.xbs/Sources/ViewBridge/ViewBridge-464.1/UINSServiceViewController.m:203
    2020-03-19 18:45:43.350695+0800 MachOExplorer[72513:9264819] [General] UINSServiceViewController requires Marzipan
    2020-03-19 18:45:43.353536+0800 MachOExplorer[72513:9264819] [General] (
    	0   CoreFoundation                      0x00007fff38ac38ab __exceptionPreprocess + 250
    	1   libobjc.A.dylib                     0x00007fff6ebe4805 objc_exception_throw + 48
    	2   CoreFoundation                      0x00007fff38aecd10 +[NSException raise:format:arguments:] + 88
    	3   Foundation                          0x00007fff3b1e5241 -[NSAssertionHandler handleFailureInMethod:object:file:lineNumber:description:] + 191
    	4   ViewBridge                          0x00007fff6b2f4d25 +[UINSServiceViewController initialize] + 175
    	5   libobjc.A.dylib                     0x00007fff6ebe6985 CALLING_SOME_+initialize_METHOD + 17
    	6   libobjc.A.dylib                     0x00007fff6ebe72bc initializeNonMetaClass + 638
    	7   libobjc.A.dylib                     0x00007fff6ebe7991 _ZL24initializeAndMaybeRelockP10objc_classP11objc_objectR8mutex_ttILb0EEb + 214
    	8   libobjc.A.dylib                     0x00007fff6ebd93db lookUpImpOrForward + 969
    	9   libobjc.A.dylib                     0x00007fff6ebd8b99 _objc_msgSend_uncached + 73
    	10  MachOKit                            0x000000010051b1ab +[MKNode subclasses] + 571
    	11  MachOKit                            0x000000010051b425 +[MKNode bestSubclassWithRanking:] + 37
    	12  MachOKit                            0x0000000100498ba3 +[MKLoadCommand classForCommandID:] + 99
    	13  MachOKit                            0x0000000100499454 +[MKLoadCommand loadCommandAtOffset:fromParent:error:] + 500
    	14  MachOKit                            0x00000001004fa62a -[MKMachOImage initWithName:flags:atAddress:inMapping:error:] + 2426
    	15  MachOExplorer                       0x000000010001eb27 $sSo12MKMachOImageC4name5flags9atAddress9inMappingABSPys4Int8VGSg_So0aB5FlagsVs6UInt64VSo11MKMemoryMapCtKcfcTO + 183
    	16  MachOExplorer                       0x000000010001e221 $sSo12MKMachOImageC4name5flags9atAddress9inMappingABSPys4Int8VGSg_So0aB5FlagsVs6UInt64VSo11MKMemoryMapCtKcfC + 81
    	17  MachOExplorer                       0x000000010001d4ab $s13MachOExplorer0A9ODocumentC4read4from6ofTypey10Foundation3URLV_SStKF + 971
    	18  MachOExplorer                       0x000000010001e3bc $s13MachOExplorer0A9ODocumentC4read4from6ofTypey10Foundation3URLV_SStKFTo + 236
    	19  AppKit                              0x00007fff35f4cdb9 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
    	20  AppKit                              0x00007fff35f4cca2 -[NSDocument initWithContentsOfURL:ofType:error:] + 231
    	21  AppKit                              0x00007fff35fbb68a -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 619
    	22  AppKit                              0x00007fff361b691c __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 91
    	23  AppKit                              0x00007fff361b68b6 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 160
    	24  AppKit                              0x00007fff35fba8e2 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 839
    	25  AppKit                              0x00007fff361b5ab8 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 31
    	26  AppKit                              0x00007fff361b5e0e __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.872 + 177
    	27  AppKit                              0x00007fff361b5cf7 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.871 + 153
    	28  AppKit                              0x00007fff361b5c0b __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.869 + 243
    	29  AppKit                              0x00007fff361c22bf ___NSMainRunLoopPerformBlockInModes_block_invoke + 25
    	30  CoreFoundation                      0x00007fff38a477ab __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
    	31  CoreFoundation                      0x00007fff38a476ed __CFRunLoopDoBlocks + 379
    	32  CoreFoundation                      0x00007fff38a46d30 __CFRunLoopRun + 2792
    	33  CoreFoundation                      0x00007fff38a45bd3 CFRunLoopRunSpecific + 499
    	34  HIToolbox                           0x00007fff3759b65d RunCurrentEventLoopInMode + 292
    	35  HIToolbox                           0x00007fff3759b39d ReceiveNextEventCommon + 600
    	36  HIToolbox                           0x00007fff3759b127 _BlockUntilNextEventMatchingListInModeWithFilter + 64
    	37  AppKit                              0x00007fff35c0bba4 _DPSNextEvent + 990
    	38  AppKit                              0x00007fff35c0a380 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1352
    	39  AppKit                              0x00007fff35bfc09e -[NSApplication run] + 658
    	40  AppKit                              0x00007fff35bce465 NSApplicationMain + 777
    	41  MachOExplorer                       0x0000000100047a8d main + 13
    	42  libdyld.dylib                       0x00007fff6ff527fd start + 1
    
    opened by zhuamaodeyu 2
  • Crashes after closing the window

    There are crashes I sometimes catch after closing the MachOExplorer window. The problem is similar to https://github.com/DeVaukz/MachO-Explorer/issues/10, but the crash log looks different to me.

    Here is an example stack trace:

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0   libobjc.A.dylib               	0x00007fff203a0fc2 objc_opt_class + 24
    1   com.apple.Foundation          	0x00007fff213408c4 _NSKeyValueObservationInfoGetObservances + 246
    2   com.apple.Foundation          	0x00007fff213317ac -[NSObject(NSKeyValueObservingPrivate) _changeValueForKeys:count:maybeOldValuesDict:maybeNewValuesDict:usingBlock:] + 260
    3   com.apple.Foundation          	0x00007fff2135cad6 -[NSObject(NSKeyValueObservingPrivate) _changeValueForKey:key:key:usingBlock:] + 68
    4   com.apple.Foundation          	0x00007fff21379dfb _NSSetObjectValueAndNotify + 269
    5   com.apple.AppKit              	0x00007fff22e2bcf4 -[NSView removeFromSuperview] + 218
    6   com.apple.AppKit              	0x00007fff22eab9e6 -[NSView removeFromSuperviewWithoutNeedingDisplay] + 36
    7   com.apple.AppKit              	0x00007fff22e32215 -[NSView _finalize] + 965
    8   com.apple.AppKit              	0x00007fff22e31d14 -[NSView dealloc] + 119
    9   com.apple.AppKit              	0x00007fff2378ebaf -[_NSSplitViewItemViewWrapper dealloc] + 144
    10  com.apple.CoreFoundation      	0x00007fff205a0953 -[__NSArrayI dealloc] + 73
    11  libobjc.A.dylib               	0x00007fff203a120f AutoreleasePoolPage::releaseUntil(objc_object**) + 167
    12  libobjc.A.dylib               	0x00007fff20383e30 objc_autoreleasePoolPop + 161
    13  com.apple.AppKit              	0x00007fff22eb6ead NSDisplayCycleObserverInvoke + 163
    14  com.apple.AppKit              	0x00007fff22eb6a30 NSDisplayCycleFlush + 953
    15  com.apple.QuartzCore          	0x00007fff26d4cc86 CA::Transaction::run_commit_handlers(CATransactionPhase) + 92
    16  com.apple.QuartzCore          	0x00007fff26d4ba1d CA::Transaction::commit() + 375
    17  com.apple.AppKit              	0x00007fff22f6686c __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke + 285
    18  com.apple.AppKit              	0x00007fff236bc332 ___NSRunLoopObserverCreateWithHandler_block_invoke + 41
    19  com.apple.CoreFoundation      	0x00007fff205da671 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
    20  com.apple.CoreFoundation      	0x00007fff205da505 __CFRunLoopDoObservers + 543
    21  com.apple.CoreFoundation      	0x00007fff205d9998 __CFRunLoopRun + 841
    22  com.apple.CoreFoundation      	0x00007fff205d8f8c CFRunLoopRunSpecific + 563
    23  com.apple.HIToolbox           	0x00007fff288211f3 RunCurrentEventLoopInMode + 292
    24  com.apple.HIToolbox           	0x00007fff28820e26 ReceiveNextEventCommon + 284
    25  com.apple.HIToolbox           	0x00007fff28820cf3 _BlockUntilNextEventMatchingListInModeWithFilter + 70
    26  com.apple.AppKit              	0x00007fff22de2172 _DPSNextEvent + 864
    27  com.apple.AppKit              	0x00007fff22de0945 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1364
    28  com.apple.AppKit              	0x00007fff22dd2c69 -[NSApplication run] + 586
    29  com.apple.AppKit              	0x00007fff22da6e6c NSApplicationMain + 816
    30  net.devaukz.macho.explorer    	0x0000000108288509 0x108281000 + 29961
    31  libdyld.dylib                 	0x00007fff204fef3d start + 1
    

    MachOExplorer_2021-09-14-192202_C02ZV4HGMD6R.crash.txt MachOExplorer_2021-09-18-221407_C02ZV4HGMD6R.crash.txt

    opened by azarovalex 2
  • Does not parse LC_UNIXTHREAD

    MachO-Explorer does not seem to parse the LC_UNIXTHREAD load command, as in the figure below.

    Note that the file to be analyzed is a malware binary. The otool command can parse it.

    Mach header
          magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
     0xfeedfacf 16777223          3  0x80           2     5        496 0x00000085
    Load command 0
          cmd LC_SEGMENT_64
      cmdsize 72
      segname __PAGEZERO
       vmaddr 0x0000000000000000
       vmsize 0x00000000f0000000
      fileoff 0
     filesize 0
      maxprot 0x00000000
     initprot 0x00000000
       nsects 0
        flags 0x0
    Load command 1
          cmd LC_SEGMENT_64
      cmdsize 152
      segname __TEXT
       vmaddr 0x00000000f0000000
       vmsize 0x000000000000b000
      fileoff 0
     filesize 45056
      maxprot 0x00000007
     initprot 0x00000005
       nsects 1
        flags 0x0
    Section
      sectname __cfstring
       segname __TEXT
          addr 0x00000000f00008fd
          size 0x000000000000a703
        offset 2301
         align 2^0 (1)
        reloff 0
        nreloc 0
         flags 0x80000400
     reserved1 0
     reserved2 0
    Load command 2
          cmd LC_SEGMENT_64
      cmdsize 72
      segname __LINKEDIT
       vmaddr 0x00000000f000b000
       vmsize 0x0000000000001000
      fileoff 45056
     filesize 2888
      maxprot 0x00000007
     initprot 0x00000005
       nsects 0
        flags 0x0
    Load command 3
          cmd LC_VERSION_MIN_MACOSX
      cmdsize 16
      version 10.6
          sdk 10.6
    Load command 4
            cmd LC_UNIXTHREAD
        cmdsize 184
         flavor x86_THREAD_STATE64
          count x86_THREAD_STATE64_COUNT
       rax  0x0000000000000000 rbx 0x0000000000000000 rcx  0x0000000000000000
       rdx  0x0000000000000000 rdi 0x0000000000000000 rsi  0x0000000000000000
       rbp  0x0000000000000000 rsp 0x0000000000000000 r8   0x0000000000000000
        r9  0x0000000000000000 r10 0x0000000000000000 r11  0x0000000000000000
       r12  0x0000000000000000 r13 0x0000000000000000 r14  0x0000000000000000
       r15  0x0000000000000000 rip 0x00000000f0000e44
    rflags  0x0000000000000000 cs  0x0000000000000000 fs   0x0000000000000000
        gs  0x0000000000000000
    
    opened by mnrkbys 3
  • Crash using close shortcut app on 10.15.4

    Process: MachOExplorer [3221]
    Path: /Applications/MachOExplorer.swift.app/Contents/MacOS/MachOExplorer
    Identifier: net.devaukz.macho.explorer
    Version: 1.0 (1)
    Code Type: X86-64 (Native)
    Parent Process: ??? [1]
    Responsible: MachOExplorer [3221]
    User ID: 501

    Date/Time: 2020-05-23 18:42:50.052 +0800
    OS Version: Mac OS X 10.15.4 (19E287)
    Report Version: 12
    Bridge OS Version: 3.0 (14Y908)
    Anonymous UUID: A51BFD28-ADEE-66EC-5994-E51EB09BD482

    opened by ccworld1000 5
  • Instructions in ReadMe.md are ambiguous or out-of-date.

    The quick start instructions in ReadMe.md are either ambiguous or out of date; i.e., I attempted to follow them, but could not get it to run. It appears to want some code signing, which seems surprising for something that does not attach to other processes.

    Or, I misunderstood the instructions. Assume I never used XCode to build something before today, and notice that there are (at least) two things claiming to be MachOExplorer in the left sidebar, as well as a "Product" named MachOExplorer.app (in an alarming red font) at the bottom of that pane. I do not (to my knowledge) have a "development team", nor do I have a "provisioning profile". Those seem to be required.

    I have, OTOH, successfully cloned gdb from sources and built it and run it, including code-signing it. Same for Delve.

    opened by dr2chase 1
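
Added example, not code from this page, Mach-O Explorer or Mach-O Kit: the LC_UNIXTHREAD issue above shows otool decoding a thread command that the viewer left unparsed. The Python below walks the load commands of a little-endian 64-bit Mach-O with bounds checks on every size field (the input may be a hostile binary) and decodes the x86_THREAD_STATE64 registers. The function names are assumptions, and the sample bytes are constructed from values in that otool output, reduced to two load commands.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_UNIXTHREAD, LC_VERSION_MIN_MACOSX = 0x5, 0x24
X86_THREAD_STATE64 = 4
X86_THREAD_STATE64_COUNT = 42  # 21 64-bit registers, counted in 32-bit words
REGS = ("rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 "
        "r12 r13 r14 r15 rip rflags cs fs gs").split()


def load_commands(data):
    """Yield (cmd, body) for each load command of a little-endian 64-bit Mach-O."""
    if len(data) < 32:
        raise ValueError("truncated mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    end = 32 + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past the end of the file")
    off = 32
    for i in range(ncmds):
        if off + 8 > end:
            raise ValueError(f"load command {i}: header out of bounds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:  # untrusted size must stay in bounds
            raise ValueError(f"load command {i}: bad cmdsize {cmdsize}")
        yield cmd, data[off + 8:off + cmdsize]
        off += cmdsize


def unixthread_registers(data):
    """Return the register dict of the first LC_UNIXTHREAD, or None if absent."""
    for cmd, body in load_commands(data):
        if cmd != LC_UNIXTHREAD:
            continue
        if len(body) < 8:
            raise ValueError("LC_UNIXTHREAD: missing flavor/count")
        flavor, count = struct.unpack_from("<II", body, 0)
        if (flavor, count) != (X86_THREAD_STATE64, X86_THREAD_STATE64_COUNT):
            raise ValueError(f"unsupported thread flavor {flavor}, count {count}")
        if len(body) < 8 + 4 * count:
            raise ValueError("LC_UNIXTHREAD: register state truncated")
        return dict(zip(REGS, struct.unpack_from("<21Q", body, 8)))
    return None


def build_sample(rip=0xF0000E44):
    """Constructed sample: header, LC_VERSION_MIN_MACOSX (10.6) and LC_UNIXTHREAD."""
    regs = [0] * len(REGS)
    regs[REGS.index("rip")] = rip
    vers = struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, 0x000A0600, 0x000A0600)
    thread = struct.pack("<4I21Q", LC_UNIXTHREAD, 184, X86_THREAD_STATE64,
                         X86_THREAD_STATE64_COUNT, *regs)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 2, 16 + 184, 0x85, 0)
    return header + vers + thread


if __name__ == "__main__":
    print(f"rip = {unixthread_registers(build_sample())['rip']:#x}")
```
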
Owner
Devin