Previously, we looked at the Mach-O file format at a high level, covered differences between standard and universal binaries and discussed the header and load commands parts in detail. Now, lets continue our descent into details of the Mach-O file format and talk about the Data part.

The Data part of a Mach-O file is comprised of segments and sections, as described by the LC_SEGMENT_64 load commands. It is a crucial part of a Mach-O binary and stores actual code, variables, constants, and linking-related information. The standard naming convention uses uppercase with a double underscore prefix for segments (e.g., __TEXT), while sections are named in lowercase with a double underscore prefix (e.g., __text).

Following are common segments and sections found in this part:

• __PAGEZERO - A full virtual memory page (4096 bytes or addresses 0–0x1000) positioned at the start of the address space with no assigned protection rights. Any attempt to access a null pointer results in a crash. Since it contains no data, it takes up no space in the file, making its file size zero.

• __TEXT - It contains read-only data and executable code necessary for program execution. It plays a similar role to the .text and .rodata sections in ELF (Linux) or the .text section in PE (Windows). Since this segment is marked as read-only and executable, it cannot be modified during runtime. This segment is also made up of multiple sections. Common sections found within this segment include :

  • __text - This section contains the compiled code that the CPU executes. For example, if a program has a function like void hello() { printf("Hello, world!"); }, the compiled machine code for this function will be stored in the __text section.It is marked as read-only and executable (RX), preventing modifications to the code during runtime.

  • __stubs and __stubs_helper - These sections facilitate dynamic linking by acting as placeholders for functions in dynamic libraries. When an external function (like printf() from libc) is called, the function address is resolved dynamically using these sections. The __stubs section contains trampolines, which are small pieces of code that jump to the actual function address. The __stub_helper section assists in resolving function addresses when first used, improving efficiency.

  • __const - This section holds read-only constant variables such as const int x = 5; Any data that should not be altered during execution is stored here.

  • __cstring - This section stores constant string literals used in the program. Any string defined in the source code, such as printf("Hello, World!");, is stored here as a null-terminated string. Since it is read-only, modifying string literals at runtime leads to a crash.

• __DATA - It primarily contains writable data and is made up of multiple sections, each serving a specific purpose:

  • __data - The __data section holds global variables that have been initialized, meaning variables with assigned values before the program runs. For example, if a program defines int x = 10;, the value 10 is stored in this section.

  • __bss - The __bss section contains static variables, meaning variables declared but not assigned a value, such as int y;. This section does not take up space in the Mach-O file but is allocated when the program executes.

  • __dyld - The __dyld section stores runtime information needed by dyld for linking and execution.

• __OBJC - Stores metadata for Objective-C classes, methods, and properties.

• __IMPORT - This segment contains symbol stubs and non-lazy pointers to symbols not defined in the executable. This segment is generated only for executables targeted for the IA-32 architecture.

• __LINKEDIT - This segment contains raw data used by the dynamic linker, such as symbol, string, and relocation table entries.

Red Team Notes
- The Data part of a Mach-O file is comprised of segments and sections, and stores actual code, variables, constants, and linking-related information. Common segments include, __PAGEZERO, __TEXT, __DATA, __OBJC, __IMPORT and __LINKEDIT.

Follow my journey of 100 Days of Red Team on WhatsApp or Discord.

References

• OS X ABI Mach-O File Format Reference

• Understanding the Mach-O File Format

• Chapter 5: Binary Triage