I need some functions that operate on Mach-O files (x86/x64). I don’t know much about the Mach-O file format, but hopefully the following functionality can be implemented (I have this functionality for PE files):
Function 1: AppendToLastSection
This function will receive a filename, and a pointer to a buffer and its size that will be appended to the last section of the given Mach-O filename.
Function 2: GetRVAtoAppendToLastSection
This function returns the RVA of the last memory address (+1) in the last section. So, we can know at which RVA our buffer, which will be appended to the last section, will start.
Function 3: GetRAWtoAppendToLastSection
This function returns the RAW file offset of the last byte (+1) in the last section. So, we can know at which RAW address our buffer, which will be appended to the last section, will start.
Function 4: AppendToNewSection
This function is the same as Function 1, but instead of appending the buffer to the last section it will create a new section in the Mach-O file and copy the buffer into the new section.
Function 5: GetRVAtoAppendToNewSection
This function is the same as Function 2 but for the new section.
Function 6: GetRAWtoAppendToLastSection
This function is the same as Function 3 but for the new section.
Function 7: RedirectEntryPoint
This function will redirect the entry point of a given filename to a given RVA. So, we can for example redirect the entry point to the buffer that we have copied into the last or new section.
Function 8: GetRVAsCallToAPI
The idea of this function is that we can detect where in the code sections a specific API is called. So, you have to examine in all code sections where a CALL instruction (0xE8 or 0xFF15 opcodes) is located and check if it points to the given API name.
This function receives:
Filename: Name of the Mach-O file
APIName: Name of the API to search
BufferRVAout: This is a buffer that will contain all RVAs (DWORDs) found in the file that point to the API, and the type of CALL found (whether it was a “CALL API_Name” (0xE8 opcode) or a “CALL [API_Name]” (0xFF15 opcode)). BufferRVAout is an array of structures like:
typedef struct sAPIinfo
Function 9: DestroyCodeAtRVA
This function receives a filename (Mach-O), an RVA and a size to destroy in the file. The function will write random values in the file at the offsets that correspond to RVA through RVA+size.
Function 10: StripLibrary
This function removes from the import table of a given Mach-O file the linking with a specific library. So, after calling that function, the file won’t require that given library to run.
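As an added example (not code from this post or from any bidder on it), here is a read-only Python parser that computes the two values Functions 2 and 3 describe for a 64-bit Mach-O and uses them from the defender's side: it checks whether LC_MAIN's entry point still lands inside __TEXT,__text (the field Function 7 would change) and whether any bytes trail the last segment. Mach-O has no RVA field, so the example assumes the post's “RVA” means a section's vmaddr and “RAW” its file offset, and it handles only thin little-endian 64-bit images, not fat or 32-bit files; the sample image is constructed inline and is not an executable program.

```python
import struct

MH_MAGIC_64, LC_SEGMENT_64, LC_MAIN = 0xFEEDFACF, 0x19, 0x80000028   # from <mach-o/loader.h>

def parse_macho64(data):
    """Walk the load commands; returns (segments, entryoff) with segment = (name, vmaddr, fileoff, filesize, sections)."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    segments, entryoff, off = [], None, 32                      # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:                                # 72-byte command followed by 80-byte sections
            name, vmaddr, _, fileoff, filesize, _, _, nsects, _ = struct.unpack_from(
                "<16sQQQQiiII", data, off + 8)
            sects = []
            for i in range(nsects):                             # section = (name, addr, size, offset)
                sname, _, addr, size, soff = struct.unpack_from("<16s16sQQI", data, off + 72 + 80 * i)
                sects.append((sname.rstrip(b"\0").decode(), addr, size, soff))
            segments.append((name.rstrip(b"\0").decode(), vmaddr, fileoff, filesize, sects))
        elif cmd == LC_MAIN:
            entryoff = struct.unpack_from("<Q", data, off + 8)[0]   # offset relative to __TEXT
        off += cmdsize
    return segments, entryoff

def last_section_end(segments):
    """(vmaddr, file offset) one past the final section: Functions 2 and 3 of the post, used here as a boundary."""
    _, addr, size, soff = [s for seg in segments for s in seg[4]][-1]
    return addr + size, soff + size

def entry_inside_text(segments, entryoff):
    """True if the LC_MAIN entry point lies in __TEXT,__text; anything else is what a redirected entry looks like."""
    text = next(seg for seg in segments if seg[0] == "__TEXT")
    entry = text[1] + entryoff
    return any(s[0] == "__text" and s[1] <= entry < s[1] + s[2] for s in text[4])

def overlay_size(data, segments):
    """Bytes after the end of every segment: data no loader maps (the PE 'overlay' equivalent)."""
    return len(data) - max(seg[2] + seg[3] for seg in segments)

def build_sample(entryoff=0x240, overlay=b""):
    """Constructed, non-executable image: one __TEXT segment with __text at 0x200 and __cstring at 0x300."""
    base = 0x100000000
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, 72 + 160 + 24, 0, 0)
    seg = struct.pack("<2I16sQQQQiiII", LC_SEGMENT_64, 72 + 160, b"__TEXT", base, 0x1000, 0, 0x340, 7, 5, 2, 0)
    sec = lambda n, a, sz, o: struct.pack("<16s16sQQI7I", n, b"__TEXT", a, sz, o, 4, 0, 0, 0, 0, 0, 0)
    main = struct.pack("<2IQQ", LC_MAIN, 24, entryoff, 0)
    img = hdr + seg + sec(b"__text", base + 0x200, 0x100, 0x200) + sec(b"__cstring", base + 0x300, 0x40, 0x300)
    return (img + main).ljust(0x340, b"\0") + overlay
```

Run against a real binary, an entry point outside __text or a non-zero overlay is a cheap first indicator that the file has been modified in the ways the functions above describe.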
1) Please, provide working examples to check the functions (under Windows)
2) The solutions must be coded in Visual Studio in either C or C++
3) Please, provide well designed code (modular, commented…)
4) Please, if you are not able to implement any of the functions, or it’s not possible to do it in the Mach-O file format, let me know. I don’t want to start a project and then, in the middle of the implementation, have you tell me that one of the above functions is not possible to implement for Mach-O (x86/x64).