LinkEdit section base address in memory

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Post by Travolter » Mon Dec 03, 2018 3:36 pm

I am trying to understand how the XNU kernel loads Mach-O binaries into memory. When I was looking at Fishhook I saw the following line of code:

Code:
uintptr_t linkedit_base = (uintptr_t)slide + linkedit_segment->vmaddr - linkedit_segment->fileoff;
( ... ook.c#L148).

I have tried to look everywhere in the mach_loader.c file to understand why you have to subtract the fileoff from the vmaddr, but I can't seem to understand it. Intuitively I would think that the vmaddr just points to the right place, which I thought was the same place as the fileoff(set) + start of the Mach-O header. But clearly this is not true, because in some cases when I dump a Mach-O from memory and try to look at it in a disassembler, this address is indeed not correct and I have to do the calculation that I found in fishhook.

My assumption was that this would have something to do with alignment or ASLR, but that doesn't seem to be the case. Does anyone know how this works? Or is it that I don't understand the meaning of the fields in the segment_command struct?
Posts: 1
Joined: Mon Dec 03, 2018 1:24 pm
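How the fishhook expression turns an LC_SYMTAB file offset into a memory address, as an added example that is not part of the original post or of fishhook: symoff/stroff are offsets into the file, vmaddr is a memory address, and once any earlier segment has more memory than file bytes (zero-fill in __DATA here) the two no longer line up, so header + fileoff is wrong. The seg_t struct, the three-segment layout, the slide and the symoff value are all constructed for illustration and are not the real <mach-o/loader.h> types.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the segment_command_64 fields used here;
 * not the real <mach-o/loader.h> layout. */
typedef struct {
    const char *segname;
    uint64_t vmaddr;    /* address the segment is mapped at, before slide */
    uint64_t vmsize;    /* bytes reserved in memory (may exceed filesize) */
    uint64_t fileoff;   /* offset of the segment's bytes in the file */
    uint64_t filesize;  /* bytes actually present in the file */
} seg_t;

/* Constructed layout: __DATA has 0x3000 bytes of zero-fill (bss), so from
 * __DATA onward memory addresses run ahead of file offsets. */
static const seg_t SEGS[] = {
    { "__TEXT",     0x100000000, 0x4000, 0x0000, 0x4000 },
    { "__DATA",     0x100004000, 0x4000, 0x4000, 0x1000 },
    { "__LINKEDIT", 0x100008000, 0x1000, 0x5000, 0x1000 },
};
#define NSEGS (sizeof(SEGS) / sizeof(SEGS[0]))

/* General rule: a file offset lives at slide + seg.vmaddr + (off - seg.fileoff)
 * in the segment whose file range contains it. Returns 0 if no segment does. */
uint64_t fileoff_to_vmaddr(const seg_t *segs, size_t n, uint64_t off, uint64_t slide) {
    for (size_t i = 0; i < n; i++)
        if (off >= segs[i].fileoff && off < segs[i].fileoff + segs[i].filesize)
            return slide + segs[i].vmaddr + (off - segs[i].fileoff);
    return 0;
}

/* fishhook's shortcut: fold __LINKEDIT's (vmaddr - fileoff) into one base so
 * that base + any LC_SYMTAB file offset is a memory address. */
uint64_t linkedit_base(const seg_t *segs, size_t n, uint64_t slide) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(segs[i].segname, "__LINKEDIT") == 0)
            return slide + segs[i].vmaddr - segs[i].fileoff;
    return 0;
}

int main(void) {
    uint64_t slide = 0x1000, symoff = 0x5100; /* constructed slide and LC_SYMTAB symoff */
    printf("naive header+symoff: 0x%llx (inside __DATA's zero-fill)\n",
           (unsigned long long)(slide + SEGS[0].vmaddr + symoff));
    printf("via __LINKEDIT base: 0x%llx\n",
           (unsigned long long)(linkedit_base(SEGS, NSEGS, slide) + symoff));
    return 0;
}
```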
