The system package

Modules of this package implement all classes that relate to operating system specific operations as well as userland stubs or high-level language structures.

system/core.py

This module defines all task/process core classes related to binary format and execution inherited by all system specific execution classes of the amoco.system package.

class system.core.CoreExec(p, cpu=None)[source]

This class implements the base class for Task(s). CoreExec or Tasks are used to represent a memory mapped binary executable program, providing the generic instruction or data fetchers and the mandatory API for amoco.emu or amoco.sa analysis classes. Most of the amoco.system modules use this base class to implement a OS-specific Task class (see Linux/x86, Win32/x86, etc).

bin

the program executable format object. Currently supported formats are provided in system.elf (Elf32/64), system.pe (PE) and system.utils (HEX/SREC).

cpu

reference to the architecture cpu module, which provides a generic access to the PC() program counter and obviously the CPU registers and disassembler.

OS

optional reference to the OS associated to the child Task.

state

the mapper instance that represents the current state of the executable program, including mapping of registers as well as the MemoryMap instance that represents the virtual memory of the program.

read_data(vaddr, size)[source]

fetch size data bytes at virtual address vaddr, returned as a list of items being either raw bytes or symbolic expressions.

read_instruction(vaddr, **kargs)[source]

fetch instruction at virtual address vaddr, returned as an cpu.instruction instance or cpu.ext in case an external expression is found at vaddr or vaddr is an external symbol.

Raises MemoryError in case vaddr is not mapped, and returns None if disassembler fails to decode bytes at vaddr.

Note: Returning a cpu.ext expression means that this instruction starts an external stub function. It is the responsibility of the fetcher (emulator or analyzer) to eventually call the stub to modify the state mapper.

getx(loc, size=8, sign=False)[source]

high level method to get the expressions value associated to left-value loc (register or address). The returned value is an integer if the expression is constant or a symbolic expression instance. The input loc is either a register string, an integer address, or associated expressions’ instances. Optionally, the returned expression sign flag can be adjusted by the sign argument.

setx(loc, val, size=0)[source]

high level method to set the expressions value associated to left-value loc (register or address). The value is possibly an integer or a symbolic expression instance. The input loc is either a register string, an integer address, or associated expressions’ instances. Optionally, the size of the loc expression can be adjusted by the size argument.

get_int64(loc)[source]

get 64-bit int expression of current state(loc)

get_uint64(loc)[source]

get 64-bit unsigned int expression of current state(loc)

get_int32(loc)[source]

get 32-bit int expression of current state(loc)

get_uint32(loc)[source]

get 32-bit unsigned int expression of current state(loc)

get_int16(loc)[source]

get 16-bit int expression of current state(loc)

get_uint16(loc)[source]

get 16-bit unsigned int expression of current state(loc)

get_int8(loc)[source]

get 8-bit int expression of current state(loc)

get_uint8(loc)[source]

get 8-bit unsigned int expression of current state(loc)

get_cstr(loc)[source]

get null-terminated unsigned char array of current state(loc)

class system.core.DefineStub(obj, refname, default=False)[source]

decorator to define a stub for the given ‘refname’ library function.

class system.core.BinFormat[source]

Base class for binary format API, just to define default attributes and recommended properties. See elf.py, pe.py and macho.py for example of child classes.

class system.core.shellcode(dataio)[source]

This is the most basic file format for executable binary code. It provides zero information about the targeted architecture, entrypoints, or any other data or code dependencies.

class system.core.DataIO(f)[source]

This class simply wraps a binary file or a bytes string and implements both the file and bytes interface. It allows an input to be provided as files of bytes and manipulated as either a file or a bytes object.

system.core.read_program(filename)[source]

Identifies the program header and returns an ELF, PE, Mach-O or DataIO.

Parameters:filename (str) – the program to read.
Returns:an instance of currently supported program format (ELF, PE, Mach-O, HEX, SREC)
class system.core.DefineLoader(fmt, name='')[source]

A decorator that allows to register a system-specific loader while it is implemented. All loaders are stored in the class global LOADERS dict.

Example

@DefineLoader(‘elf’,elf.EM_386) def loader_x86(p):

Here, a reference to function loader_x86 is stored in LOADERS[‘elf’][elf.EM_386].

system.core.load_program(f, cpu=None)[source]

Detects program format header (ELF/PE/Mach-O/HEX/SREC), and maps the program in abstract memory, loading the associated “system” (linux/win) and “arch” (x86/arm), based header informations.

Parameters:f (str) – the program filename or string of bytes.
Returns:a Task, ELF/PE (old CoreExec interfaces) or RawExec instance.

system/memory.py

This module defines all Memory related classes.

The main class of amoco’s Memory model is MemoryMap. It provides a way to represent both concrete and abstract symbolic values located in the virtual memory space of a process. In order to allow addresses to be symbolic as well, the MemoryMap is organised as a collection of MemoryZone. A zone holds values located at addresses that are integer offsets related to a symbolic expression. A default zone with related address set to None holds values at concrete (virtual) addresses in every MemoryMap.

class system.memory.MemoryMap[source]

Provides a way to represent concrete and abstract symbolic values located in the virtual memory space of a process. A MemoryMap is organised as a collection of MemoryZone.

_zones

dictionary of zones, keys are the related address expressions.

newzone(label)[source]

creates a new memory zone with the given label related expression.

locate(address)

returns the memory object that maps the provided address expression.

reference(address)[source]

returns a couple (rel,offset) based on the given address, an integer, a string or an expression allowing to find a candidate zone within memory.

read(address, l)[source]

reads l bytes at address. returns a list of datadiv values.

write(address, expr, endian=1)[source]

writes given expression at given (possibly symbolic) address. Default endianness is ‘little’. Use endian=-1 to indicate big endian convention.

restruct()[source]

optimize all zones to merge contiguous raw bytes into single mo objects.

grep(pattern)[source]

find all occurences of the given regular expression in the raw bytes objects of all memory zones.

merge(other)[source]

update this MemoryMap with a new MemoryMap, merging overlapping zones with values from the new map.

class system.memory.MemoryZone(rel=None)[source]

A MemoryZone contains mo objects at addresses that are integer offsets related to a symbolic expression. A default zone with related address set to None holds values at concrete addresses in every MemoryMap.

Parameters:rel (exp) – the relative symbolic expression, defaults to None.
rel

the relative symbolic expression, or None.

_map

the ordered list of mo objects of this zone.

range()[source]

returns the lowest and highest addresses currently used by mo objects of this zone.

locate(vaddr)[source]

if the given address is within range, return the index of the corresponding mo object in _map, otherwise return None.

read(vaddr, l)[source]

reads l bytes starting at vaddr. returns a list of datadiv values, unmapped areas are returned as bottom exp.

write(vaddr, data)[source]

writes data expression or bytes at given (offset) address.

addtomap(z)[source]

add (possibly overlapping) mo object z to the _map, eventually adjusting other objects.

restruct()[source]

optimize the zone to merge contiguous raw bytes into single mo objects.

shift(offset)[source]

shift all mo objects by a given offset.

grep(pattern)[source]

find all occurences of the given regular expression in the raw bytes objects of the zone.

class system.memory.mo(vaddr, data, endian=1)[source]

A mo object essentially associates a datadiv with a memory offset, and provides methods to detect if an address is located within this object, to read or write bytes at a given address. The offset is relative to the start of the MemoryZone in which the mo object is stored.

vaddr

a python integer that represents the offset within the memory zone that contains this memory object (mo).

data

the datadiv object located at this offset.

trim(vaddr)[source]

if this mo contains data at given offset, cut out this data and points current object to this offset. Note that a trim is generally the result of data being overwritten by another mo.

read(vaddr, l)[source]

returns the list of datadiv objects at given offset so that the total length is at most l, and the number of bytes missing if the total length is less than l.

write(vaddr, data)[source]

updates current mo to reflect the writing of data at given offset and returns the list of possibly new mo objects to be inserted in the zone.

class system.memory.datadiv(data, endian)[source]

A datadiv represents any data within memory, including symbolic expressions.

Parameters:
  • data – either a string of bytes or an amoco expression.
  • endian – either [-1,1], used when data is any symbolic expression. 1 is for little-endian, -1 for big-endian.
val

the reference to the data object.

_is_raw

a flag indicating that the data object is a string of bytes.

cut(l)[source]

cut out the first l bytes of the current data, keeping only the remaining part of the data.

setlen(l)[source]

cut out trailing bytes of the current data, keeping only the first l bytes.

getpart(o, l)[source]

returns a pair (result, counter) where result is a part of data of length at most l located at offset o (relative to the beginning of the data bytes), and counter is the number of bytes missing (l-len(result)) if the current data length is less than l.

setpart(o, data)[source]

returns a list of contiguous datadiv objects that correspond to overwriting self with data at offset o (possibly extending the current datadiv length).

system.memory.mergeparts(P)[source]

This function will detect every contiguous raw datadiv objects in the input list P, and will return a new list where these objects have been merged into a single raw datadiv object.

Parameters:P (list) – input list of datadiv objects.
Returns:the list after raw datadiv objects have been merged.
Return type:list

system/structs.py

The system structs module implements classes that allow to easily define, encode and decode C structures (or unions) as well as formatters to print various fields according to given types like hex numbers, dates, defined constants, etc. This module extends capabilities of struct by allowing formats to include more than just the basic types and add named fields. It extends ctypes as well by allowing formatted printing and “non-static” decoding where the way a field is decoded depends on previously decoded fields.

Module system.imx6 uses these classes to decode HAB structures and thus allow for precise verifications on how the boot stages are verified. For example, the HAB Header class is defined with:

@StructDefine("""
B :  tag
H :> length
B :  version
""")
class HAB_Header(StructFormatter):
    def __init__(self,data="",offset=0):
        self.name_formatter('tag')
        self.func_formatter(version=self.token_ver_format)
        if data:
            self.unpack(data,offset)
    @staticmethod
    def token_ver_format(k,x,cls=None):
        return highlight([(Token.Literal,"%d.%d"%(x>>4,x&0xf))])

Here, the StructDefine decorator is used to provide the definition of fields of the HAB Header structure to the HAB_Header class.

The tag Field is an unsigned byte and the StructFormatter utilities inherited by the class set it as a name_formatter() allow the decoded byte value from data to be represented by its constant name. This name is obtained from constants defined with:

with Consts('tag'):
    HAB_TAG_IVT = 0xd1
    HAB_TAG_DCD = 0xd2
    HAB_TAG_CSF = 0xd4
    HAB_TAG_CRT = 0xd7
    HAB_TAG_SIG = 0xd8
    HAB_TAG_EVT = 0xdb
    HAB_TAG_RVT = 0xdd
    HAB_TAG_WRP = 0x81
    HAB_TAG_MAC = 0xac

The length field is a bigendian short integer with default formatter, and the version field is an unsigned byte with a dedicated formatter function that extracts major/minor versions from the byte nibbles.

This allows to decode and print the structure from provided data:

In [3]: h = HAB_Header('\xd1\x00\x0a\x40')
In [4]: print(h)
[HAB_Header]
tag                 :HAB_TAG_IVT
length              :10
version             :4.0
class system.structs.Consts(name)[source]

Provides a contextmanager to map constant values with their names in order to build the associated reverse-dictionary.

All revers-dict are stored inside the Consts class definition. For example if you declare variables in a Consts(‘example’) with-scope, the reverse-dict will be stored in Consts.All[‘example’]. When StructFormatter will lookup a variable name matching a given value for the attribute ‘example’, it will get Consts.All[‘example’][value].

Note: To avoid attribute name conflicts, the lookup is always prepended the stucture class name (or the ‘alt’ field of the structure class). Hence, the above ‘tag’ constants could have been defined as:

with Consts('HAB_header.tag'):
    HAB_TAG_IVT = 0xd1
    HAB_TAG_DCD = 0xd2
    HAB_TAG_CSF = 0xd4
    HAB_TAG_CRT = 0xd7
    HAB_TAG_SIG = 0xd8
    HAB_TAG_EVT = 0xdb
    HAB_TAG_RVT = 0xdd
    HAB_TAG_WRP = 0x81
    HAB_TAG_MAC = 0xac

Or the structure definition could have define an ‘alt’ attribute:

@StructDefine("""
B :  tag
H :> length
B :  version
""")
class HAB_Header(StructFormatter):
    alt = 'hab'
    [...]

in which case the variables could have been defined with:

with Consts('hab.tag'):
[...]
system.structs.token_default_fmt(k, x, cls=None, fmt=None)[source]

The default formatter just prints value ‘x’ of attribute ‘k’ as a literal token python string

system.structs.token_address_fmt(k, x, cls=None, fmt=None)[source]

The address formatter prints value ‘x’ of attribute ‘k’ as a address token hexadecimal value

system.structs.token_constant_fmt(k, x, cls=None, fmt=None)[source]

The constant formatter prints value ‘x’ of attribute ‘k’ as a constant token decimal value

system.structs.token_mask_fmt(k, x, cls=None, fmt=None)[source]

The mask formatter prints value ‘x’ of attribute ‘k’ as a constant token hexadecimal value

system.structs.token_name_fmt(k, x, cls=None, fmt=None)[source]

The name formatter prints value ‘x’ of attribute ‘k’ as a name token variable symbol matching the value

system.structs.token_flag_fmt(k, x, cls, fmt=None)[source]

The flag formatter prints value ‘x’ of attribute ‘k’ as a name token variable series of symbols matching the flag value

system.structs.token_datetime_fmt(k, x, cls=None, fmt=None)[source]

The date formatter prints value ‘x’ of attribute ‘k’ as a date token UTC datetime string from timestamp value

class system.structs.Field(ftype, fcount=0, fname=None, forder=None, falign=0, fcomment='')[source]

A Field object defines an element of a structure, associating a name to a structure typename and a count. A count of 0 means that the element is an object of type typename, a count>0 means that the element is a list of objects of type typename of length count.

typename

name of a Structure type for this field.

Type:str
count

A count of 0 means that the element is an object of type typename, a count>0 means that the element is a list of length count of objects of type typename

Type:int=0
name

the name associated to this field.

Type:str
type

getter for the type associated with the field’s typename.

Type:StructFormatter
comment

comment, useful for pretty printing field usage

Type:str
order

forces the endianness of this field.

Type:str
size()[source]

number of bytes eaten by this field.

format()[source]

format string that allows to struct.(un)pack the field as a string of bytes.

unpack(data, offset=0)[source]

unpacks a data from given offset using the field internal byte ordering. Returns the object (if count is 0) or the list of objects of type typename.

get(data, offset=0)[source]

returns the field name and the unpacked value for this field.

pack(value)[source]

packs the value with the internal order and returns the byte string according to type typename.

format()[source]

a (non-Raw)Field format is always returned as matching a finite-length string.

unpack(data, offset=0)[source]

returns a (sequence of count) element(s) of its self.type

class system.structs.RawField(ftype, fcount=0, fname=None, forder=None, falign=0, fcomment='')[source]

A RawField is a Field associated to a raw type, i.e. an internal type matching a standard C type (u)int8/16/32/64, floats/double, (u)char. Contrarily to a generic Field which essentially forward the unpack call to its subtype, a RawField relies on the struct package to return the raw unpacked value.

format()[source]

a (non-Raw)Field format is always returned as matching a finite-length string.

unpack(data, offset=0)[source]

returns a (sequence of count) element(s) of its self.type

class system.structs.BitField(ftype, fcount=0, fname=None, forder=None, falign=0, fcomment='')[source]

A BitField is a 0-count RawField with additional subnames and subsizes to allow unpack the raw type into several named values each of given bit sizes.

unpack(data, offset=0)[source]

returns a (sequence of count) element(s) of its self.type

class system.structs.VarField(ftype, fcount=0, fname=None, forder=None, falign=0, fcomment='')[source]

A VarField is a RawField with variable length, associated with a termination condition that will end the unpack method. An instance of VarField has an infinite size() unless it has been unpacked with data.

format()[source]

a (non-Raw)Field format is always returned as matching a finite-length string.

unpack(data, offset=0)[source]

returns a (sequence of count) element(s) of its self.type

class system.structs.CntField(ftype, fcount=0, fname=None, forder=None, falign=0, fcomment='')[source]

A CntField is a RawField where the amount of elements to unpack is provided as first bytes, encoded as either a byte/word/dword.

format()[source]

a (non-Raw)Field format is always returned as matching a finite-length string.

unpack(data, offset=0)[source]

returns a (sequence of count) element(s) of its self.type

class system.structs.StructDefine(fmt, **kargs)[source]

StructDefine is a decorator class used for defining structures by parsing a simple intermediate language input decorating a StructFormatter class.

class system.structs.UnionDefine(fmt, **kargs)[source]

UnionDefine is a decorator class based on StructDefine, used for defining unions.

class system.structs.StructCore[source]

StructCore is a ParentClass for all user-defined structures based on a StructDefine format. This class contains essentially the packing and unpacking logic of the structure.

Note: It is mandatory that any class that inherits from StructCore can be instanciated with no arguments.

class system.structs.StructFormatter[source]

StructFormatter is the Parent Class for all user-defined structures based on a StructDefine format. It inherits the core logic from StructCore Parent and provides all formatting facilities to pretty print the structures based on wether the field is declared as a named constant, an integer of hex value, a pointer address, a string or a date.

Note: Since it inherits from StructCore, it is mandatory that any child class can be instanciated with no arguments.

class system.structs.StructMaker[source]

The StructMaker class is a StructFormatter equipped with methods that allow to interactively define and adjust fields at some given offsets or when some given sample bytes match a given value.

system.structs.StructFactory(name, fmt, **kargs)[source]

Returns a StructFormatter class build with name and format

system.structs.UnionFactory(name, fmt, **kargs)[source]

Returns a StructFormatter (union) class build with name and format

exception system.structs.StructureError(message)[source]

system/elf.py

The system elf module implements Elf classes for both 32/64bits executable format.

exception system.elf.ElfError(message)[source]

ElfError is raised whenever Elf object instance fails to decode required structures.

class system.elf.Elf(f)[source]

This class takes a DataIO object (ie an opened file of BytesIO instance) and decodes all ELF structures found in it.

entrypoints

list of entrypoint addresses.

Type:list of int
filename

binary file name.

Type:str
Ehdr

the ELF header structure.

Type:Ehdr
Phdr

the list of ELF Program header structures.

Type:list of Phdr
Shdr

the list of ELF Section header structures.

Type:list of Shdr
dynamic

True if the binary wants to load dynamic libs.

Type:Bool
basemap

base address for this ELF image.

Type:int
functions

a list of function names gathered from internal definitions (if not stripped) and import names.

Type:list
variables

a list of global variables’ names (if found.)

Type:list
getsize()[source]

total file size of all the Program headers

getinfo(target)[source]

target is either an address provided as str or int, or a symbol str searched in the functions dictionary.

Returns a triplet with:
  • section index (0 is error, -1 is a dynamic call)
  • offset into section (idem)
  • base virtual address (0 for dynamic calls)
data(target, size)[source]

returns ‘size’ bytes located at target virtual address

getfileoffset(target)[source]

converts given target virtual address back to offset in file

readsegment(S)[source]

returns segment S data padded to S.p_memsz

loadsegment(S, pagesize=None)[source]

If S is of type PT_LOAD, returns a dict {base: bytes} indicating that segment data bytes (extended to pagesize boundary) need to be mapped at virtual base address. (Returns None if not a PT_LOAD segment.)

readsection(sect)[source]

returns the given section data bytes from file.

checksec()[source]

check for usual security features.

class system.elf.IDENT(data=None)[source]
class system.elf.Ehdr(data=None)[source]
class system.elf.Shdr(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Sym(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Rel(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Rela(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Phdr(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Note(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Dyn(data=None, offset=0, order=None, x64=False)[source]
class system.elf.Lib(data=None, offset=0, order=None, x64=False)[source]

system/pe.py

The system pe module implements the PE class which support both 32 and 64 bits executable formats.

exception system.pe.PEError(message)[source]

PEError is raised whenever PE object instance fails to decode required structures.

class system.pe.PE(data)[source]

This class takes a DataIO object (ie an opened file of BytesIO instance) and decodes all PE structures found in it.

data

a reference to the input data file/bytes object.

Type:DataIO
entrypoints

list of entrypoint addresses.

Type:list of int
filename

binary file name.

Type:str
DOS

the DOS Header (only if present.)

Type:DOSHdr,optional
NT

the PE header.

Type:COFFHdr
Opt

the Optional Header

Type:OptionalHdr
basemap

base address for this ELF image.

Type:int
sections

list of PE sections.

Type:list of SectionHdr
functions

a list of function names gathered from internal definitions (if not stripped) and import names.

Type:list
variables

a list of global variables’ names (if found.)

Type:list
tls

the Thead local Storage table (or None.)

Type:TlsTable
locate(addr, absolute=False)[source]
returns a tuple with:
  • the section that holds addr (rva or absolute), or 0 or None.
  • the offset within the section (or addr or 0).

Note

If returned section is 0, then addr is within SizeOfImage, but is not found within any sections. Then offset is addr. If returned section is None, then addr is not mapped at all, and offset is set to 0.

getdata(addr, absolute=False)[source]

get section bytes from given virtual address to end of mapped section.

loadsegment(S, pagesize=0, raw=False)[source]

returns a dict {base: bytes} (or only bytes if optional arg raw is True,) indicating that section S data bytes (padded and extended to pagesize bounds) need to be mapped at virtual base address.

Note

If S is 0, returns base=0 and the first Opt.SizeOfHeaders bytes.

getfileoffset(addr)[source]

converts given address back to offset in file

class system.pe.DOSHdr(data=None)[source]
class system.pe.COFFHdr(data=None, offset=0)[source]
class system.pe.OptionalHdr(data=None, offset=0)[source]
class system.pe.DataDirectory(data=None, offset=0)[source]
class system.pe.SectionHdr(data=None, offset=0)[source]
class system.pe.COFFRelocation(data=None, offset=0)[source]
class system.pe.COFFLineNumber(data=None, offset=0)[source]
class system.pe.StdSymbolRecord(data=None, offset=0)[source]
class system.pe.AuxSymbolRecord(data=None, offset=0)[source]
class system.pe.AuxFunctionDefinition(data=None, offset=0)[source]
class system.pe.Aux_bf_ef(data=None, offset=0)[source]
class system.pe.AuxWeakExternal(data=None, offset=0)[source]
class system.pe.AuxFile(data=None, offset=0)[source]
class system.pe.AuxSectionDefinition(data=None, offset=0)[source]
class system.pe.AttributeCertificate[source]
class system.pe.DelayLoadDirectoryTable(data=None, offset=0)[source]
class system.pe.ExportTable(data=None, offset=0)[source]
class system.pe.ImportTableEntry(data=None, offset=0)[source]
class system.pe.TLSTable(data, magic)[source]
class system.pe.LoadConfigTable(data, magic)[source]

system/macho.py

The system macho module implements the Mach-O executable format parser.

exception system.macho.MachOError(message)[source]

MachOError is raised whenever MachO object instance fails to decode required structures.

class system.macho.MachO(f)[source]

This class takes a DataIO object (ie an opened file of BytesIO instance) and decodes all Mach-O structures found in it.

entrypoints

list of entrypoint addresses.

Type:list of int
filename

binary file name.

Type:str
header

the Mach header structure.

Type:struct_mach_header
archs

the list of MachO instances in case the provided binary file is a “fat” format.

Type:list of MachO
cmds

the list of all “command” structures.

Type:list
dynamic

True if the binary wants to load dynamic libs.

Type:Bool
basemap

Base address of the binary (or None.)

Type:int
symtab

the symbol table.

Type:list
dysymtab

the dynamic symbol table.

Type:list
dyld_info

a container with dyld_info attributes rebase, bind, weak_bind, lazy_bind and export.

Type:container
function_starts

list of function start addresses.

Type:list,optional
la_symbol_ptr

address to lazy symbol bindings

Type:dict
nl_symbol_ptr

address to non-lazy symbol bindings

Type:dict
read_fat_arch(a)[source]

takes a struct_fat_arch instance and sets its ‘bin’ attribute to the corresponding MachO instance.

read_commands(offset)[source]

returns the list of struct_load_command starting from given offset

getsize()[source]

total size of LC_SEGMENT/64 commands

getinfo(target)[source]

getinfo return a triplet (s,off,vaddr) with segment, offset into segment, and segment virtual base address that contains the target argument.

checksec()[source]

check for usual OSX security features.

data(target, size)[source]

returns ‘size’ bytes located at target virtual address

getfileoffset(target)[source]

converts given target virtual address back to offset in file

readsegment(S)[source]

returns data of segment/section S

loadsegment(S, pagesize=None)[source]

returns padded & aligned data of segment/section S

readsection(sect)[source]

returns the segment/section data bytes matching given sect name

getsection(sect)[source]

returns the segment/section matching given sect name

class system.macho.struct_fat_header(data=None)[source]
class system.macho.struct_fat_arch(data=None, offset=0)[source]
class system.macho.struct_mach_header(data=None)[source]
class system.macho.struct_mach_header_64(data=None)[source]
class system.macho.struct_load_command(data=None, offset=0)[source]
class system.macho.MachoFormatter[source]
class system.macho.struct_segment_command(data=None, offset=0)[source]
class system.macho.struct_segment_command_64(data=None, offset=0)[source]
class system.macho.SFLG(data=None, offset=0)[source]
class system.macho.struct_section(data=None, offset=0)[source]
class system.macho.struct_section_64(data=None, offset=0)[source]
class system.macho.lc_str(data=None, offset=0)[source]
class system.macho.struct_fvmlib(data=None, offset=0)[source]
class system.macho.struct_fvmlib_command(data='', offset=0)[source]
class system.macho.struct_dylib(data='', offset=0)[source]
class system.macho.struct_dylib_command(data='', offset=0)[source]
class system.macho.struct_sub_framework_command(data='', offset=0)[source]
class system.macho.struct_sub_client_command(data='', offset=0)[source]
class system.macho.struct_sub_umbrella_command(data='', offset=0)[source]
class system.macho.struct_sub_library_command(data='', offset=0)[source]
class system.macho.struct_prebound_dylib_command(data='', offset=0)[source]
class system.macho.struct_dylinker_command(data='', offset=0)[source]
class system.macho.struct_thread_command(data='', offset=0)[source]
class system.macho.struct_x86_thread_state32(data='', offset=0)[source]
class system.macho.struct_x86_thread_state64(data='', offset=0)[source]
class system.macho.struct_arm_thread_state32(data='', offset=0)[source]
class system.macho.struct_arm_thread_state64(data='', offset=0)[source]
class system.macho.struct_routines_command(data='', offset=0)[source]
class system.macho.struct_routines_command_64(data='', offset=0)[source]
class system.macho.struct_symtab_command(data='', offset=0)[source]
class system.macho.struct_nlist(data='', offset=0)[source]
class system.macho.struct_nlist64(data='', offset=0)[source]
class system.macho.struct_dysymtab_command(data='', offset=0)[source]
class system.macho.struct_dylib_table_of_contents(data='', offset=0)[source]
class system.macho.struct_dylib_module(data='', offset=0)[source]
class system.macho.struct_dylib_module_64(data='', offset=0)[source]
class system.macho.struct_dylib_reference(data='', offset=0)[source]
class system.macho.struct_twolevel_hints_command(data='', offset=0)[source]
class system.macho.twolevel_hint(data='', offset=0)[source]
class system.macho.struct_prebind_cksum_command(data='', offset=0)[source]
class system.macho.struct_uuid_command(data='', offset=0)[source]
class system.macho.struct_rpath_command(data='', offset=0)[source]
class system.macho.struct_linkedit_data_command(data='', offset=0)[source]
class system.macho.struct_encryption_info_command(data='', offset=0)[source]
class system.macho.struct_dyld_info_command(data='', offset=0)[source]
class system.macho.struct_symseg_command(data='', offset=0)[source]
class system.macho.struct_ident_command(data='', offset=0)[source]
class system.macho.struct_fvmfile_command(data='', offset=0)[source]
class system.macho.struct_entry_point_command(data='', offset=0)[source]
class system.macho.struct_data_in_code_entry(data='', offset=0)[source]
class system.macho.struct_note_command(data='', offset=0)[source]
class system.macho.struct_source_version_command(data='', offset=0)[source]
class system.macho.struct_version_min_command(data='', offset=0)[source]
class system.macho.struct_build_version_command(data='', offset=0)[source]
class system.macho.struct_build_tool_version(data='', offset=0)[source]
class system.macho.struct_relocation_info(data='', offset=0)[source]
class system.macho.struct_indirect_entry(data='', offset=0)[source]
class system.raw.RawExec(p, cpu=None)[source]

system/utils.py

The system utils module implements various binary file format like Intel HEX or Motorola SREC, commonly used for programming MCU, EEPROMs, etc.

exception system.utils.FormatError(message)[source]
class system.utils.HEX(f, offset=0)[source]
class system.utils.SREC(f, offset=0)[source]