Skip to content

Instantly share code, notes, and snippets.

@shellcromancer

shellcromancer/macho_debug_info.txt

Last active January 27, 2023 14:00
Show Gist options
  • Save shellcromancer/c49919e094f270afc499ec56688879af to your computer and use it in GitHub Desktop.
Save shellcromancer/c49919e094f270afc499ec56688879af to your computer and use it in GitHub Desktop.
Download ZIP
Output from "yara -D info_macho_control_flow.yar ~/malware/macOS/backdoor/greenlambert/GreenLambert/GrowlHelper"
Raw
macho_debug_info.txt
macho
file
fat_arch
nfat_arch = YR_UNDEFINED
fat_magic = YR_UNDEFINED
stack_size = YR_UNDEFINED
entry_point = 7384
segments
[0]
segname = "__PAGEZERO"
vmaddr = 0
vmsize = 4096
fileoff = 0
fsize = 0
maxprot = 0
initprot = 0
nsects = 0
flags = 0
sections
[1]
segname = "__TEXT"
vmaddr = 4096
vmsize = 192512
fileoff = 0
fsize = 192512
maxprot = 7
initprot = 5
nsects = 4
flags = 0
sections
[0]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 2147484672
nreloc = 0
reloff = 0
align = 2
offset = 5608
size = 173363
addr = 9704
segname = "__TEXT"
sectname = "__text"
[1]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 2
nreloc = 0
reloff = 0
align = 2
offset = 178972
size = 10242
addr = 183068
segname = "__TEXT"
sectname = "__cstring"
[2]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 0
nreloc = 0
reloff = 0
align = 5
offset = 189216
size = 3200
addr = 193312
segname = "__TEXT"
sectname = "__const"
[3]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 0
nreloc = 0
reloff = 0
align = 4
offset = 192416
size = 72
addr = 196512
segname = "__TEXT"
sectname = "__unwind_info"
[2]
segname = "__DATA"
vmaddr = 196608
vmsize = 12288
fileoff = 192512
fsize = 4096
maxprot = 7
initprot = 3
nsects = 6
flags = 0
sections
[0]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 0
nreloc = 0
reloff = 0
align = 2
offset = 192512
size = 8
addr = 196608
segname = "__DATA"
sectname = "__dyld"
[1]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 9
nreloc = 0
reloff = 0
align = 2
offset = 192520
size = 84
addr = 196616
segname = "__DATA"
sectname = "__mod_init_func"
[2]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 0
nreloc = 0
reloff = 0
align = 5
offset = 192608
size = 264
addr = 196704
segname = "__DATA"
sectname = "__const"
[3]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 0
nreloc = 0
reloff = 0
align = 5
offset = 192896
size = 2844
addr = 196992
segname = "__DATA"
sectname = "__data"
[4]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 1
nreloc = 0
reloff = 0
align = 5
offset = 0
size = 224
addr = 199840
segname = "__DATA"
sectname = "__common"
[5]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 1
nreloc = 0
reloff = 0
align = 5
offset = 0
size = 8256
addr = 200064
segname = "__DATA"
sectname = "__bss"
[3]
segname = "__OBJC"
vmaddr = 208896
vmsize = 4096
fileoff = 196608
fsize = 4096
maxprot = 7
initprot = 3
nsects = 1
flags = 0
sections
[0]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 0
nreloc = 0
reloff = 0
align = 2
offset = 196608
size = 8
addr = 208896
segname = "__OBJC"
sectname = "__image_info"
[4]
segname = "__IMPORT"
vmaddr = 212992
vmsize = 4096
fileoff = 200704
fsize = 4096
maxprot = 7
initprot = 7
nsects = 2
flags = 0
sections
[0]
reserved3 = YR_UNDEFINED
reserved2 = 0
reserved1 = 0
flags = 6
nreloc = 0
reloff = 0
align = 2
offset = 200704
size = 128
addr = 212992
segname = "__IMPORT"
sectname = "__pointers"
[1]
reserved3 = YR_UNDEFINED
reserved2 = 5
reserved1 = 32
flags = 67108872
nreloc = 0
reloff = 0
align = 6
offset = 200832
size = 935
addr = 213120
segname = "__IMPORT"
sectname = "__jump_table"
[5]
segname = "__LINKEDIT"
vmaddr = 217088
vmsize = 6164
fileoff = 204800
fsize = 6164
maxprot = 7
initprot = 1
nsects = 0
flags = 0
sections
number_of_segments = 6
reserved = YR_UNDEFINED
flags = 133
sizeofcmds = 1968
ncmds = 17
filetype = 2
cpusubtype = 3
cputype = 7
magic = 4277009102
S_ATTR_LOC_RELOC = 256
S_ATTR_EXT_RELOC = 512
S_ATTR_SOME_INSTRUCTIONS = 1024
S_ATTR_DEBUG = 33554432
S_ATTR_SELF_MODIFYING_CODE = 67108864
S_ATTR_LIVE_SUPPORT = 134217728
S_ATTR_NO_DEAD_STRIP = 268435456
S_ATTR_STRIP_STATIC_SYMS = 536870912
S_ATTR_NO_TOC = 1073741824
S_ATTR_PURE_INSTRUCTIONS = 2147483648
S_THREAD_LOCAL_INIT_FUNCTION_POINTERS = 21
S_THREAD_LOCAL_VARIABLE_POINTERS = 20
S_THREAD_LOCAL_VARIABLES = 19
S_THREAD_LOCAL_ZEROFILL = 18
S_THREAD_LOCAL_REGULAR = 17
S_LAZY_DYLIB_SYMBOL_POINTERS = 16
S_DTRACE_DOF = 15
S_16BYTE_LITERALS = 14
S_INTERPOSING = 13
S_GB_ZEROFILL = 12
S_COALESCED = 11
S_MOD_TERM_FUNC_POINTERS = 10
S_MOD_INIT_FUNC_POINTERS = 9
S_SYMBOL_STUBS = 8
S_LAZY_SYMBOL_POINTERS = 7
S_NON_LAZY_SYMBOL_POINTERS = 6
S_LITERAL_POINTERS = 5
S_8BYTE_LITERALS = 4
S_4BYTE_LITERALS = 3
S_CSTRING_LITERALS = 2
S_ZEROFILL = 1
S_REGULAR = 0
SECTION_ATTRIBUTES = 4294967040
SECTION_TYPE = 255
SG_PROTECTED_VERSION_1 = 8
SG_NORELOC = 4
SG_FVMLIB = 2
SG_HIGHVM = 1
MH_APP_EXTENSION_SAFE = 33554432
MH_NO_HEAP_EXECUTION = 16777216
MH_HAS_TLV_DESCRIPTORS = 8388608
MH_DEAD_STRIPPABLE_DYLIB = 4194304
MH_PIE = 2097152
MH_NO_REEXPORTED_DYLIBS = 1048576
MH_SETUID_SAFE = 524288
MH_ROOT_SAFE = 262144
MH_ALLOW_STACK_EXECUTION = 131072
MH_BINDS_TO_WEAK = 65536
MH_WEAK_DEFINES = 32768
MH_CANONICAL = 16384
MH_SUBSECTIONS_VIA_SYMBOLS = 8192
MH_ALLMODSBOUND = 4096
MH_PREBINDABLE = 2048
MH_NOFIXPREBINDING = 1024
MH_NOMULTIDEFS = 512
MH_FORCE_FLAT = 256
MH_TWOLEVEL = 128
MH_LAZY_INIT = 64
MH_SPLIT_SEGS = 32
MH_PREBOUND = 16
MH_BINDATLOAD = 8
MH_DYLDLINK = 4
MH_INCRLINK = 2
MH_NOUNDEFS = 1
MH_KEXT_BUNDLE = 11
MH_DSYM = 10
MH_DYLIB_STUB = 9
MH_BUNDLE = 8
MH_DYLINKER = 7
MH_DYLIB = 6
MH_PRELOAD = 5
MH_CORE = 4
MH_FVMLIB = 3
MH_EXECUTE = 2
MH_OBJECT = 1
CPU_SUBTYPE_POWERPC_970 = 100
CPU_SUBTYPE_POWERPC_7450 = 11
CPU_SUBTYPE_POWERPC_7400 = 10
CPU_SUBTYPE_POWERPC_750 = 9
CPU_SUBTYPE_POWERPC_620 = 8
CPU_SUBTYPE_POWERPC_604e = 7
CPU_SUBTYPE_POWERPC_604 = 6
CPU_SUBTYPE_POWERPC_603ev = 5
CPU_SUBTYPE_POWERPC_603e = 4
CPU_SUBTYPE_POWERPC_603 = 3
CPU_SUBTYPE_POWERPC_602 = 2
CPU_SUBTYPE_MC98601 = 1
CPU_SUBTYPE_POWERPC_601 = 1
CPU_SUBTYPE_MC980000_ALL = 0
CPU_SUBTYPE_POWERPC_ALL = 0
CPU_SUBTYPE_SPARC_ALL = 0
CPU_SUBTYPE_ARM64_ALL = 0
CPU_SUBTYPE_ARM_V7EM = 16
CPU_SUBTYPE_ARM_V7M = 15
CPU_SUBTYPE_ARM_V6M = 14
CPU_SUBTYPE_ARM_V7K = 12
CPU_SUBTYPE_ARM_V7S = 11
CPU_SUBTYPE_ARM_V7F = 10
CPU_SUBTYPE_ARM_V7 = 9
CPU_SUBTYPE_ARM_XSCALE = 8
CPU_SUBTYPE_ARM_V5TEJ = 7
CPU_SUBTYPE_ARM_V5 = 7
CPU_SUBTYPE_ARM_V6 = 6
CPU_SUBTYPE_ARM_V4T = 5
CPU_SUBTYPE_ARM_ALL = 0
CPU_SUBTYPE_XEON_MP = 28
CPU_SUBTYPE_XEON = 12
CPU_SUBTYPE_ITANIUM_2 = 27
CPU_SUBTYPE_ITANIUM = 11
CPU_SUBTYPE_PENTIUM_4_M = 26
CPU_SUBTYPE_PENTIUM_4 = 10
CPU_SUBTYPE_PENTIUM_M = 9
CPU_SUBTYPE_PENTIUM_3_XEON = 40
CPU_SUBTYPE_PENTIUM_3_M = 24
CPU_SUBTYPE_PENTIUM_3 = 8
CPU_SUBTYPE_CELERON_MOBILE = 119
CPU_SUBTYPE_CELERON = 103
CPU_SUBTYPE_PENTII_M5 = 86
CPU_SUBTYPE_PENTII_M3 = 54
CPU_SUBTYPE_PENTPRO = 22
CPU_SUBTYPE_PENT = 5
CPU_SUBTYPE_586 = 5
CPU_SUBTYPE_486SX = 132
CPU_SUBTYPE_486 = 4
CPU_SUBTYPE_X86_64_ALL = 3
CPU_SUBTYPE_I386_ALL = 3
CPU_SUBTYPE_386 = 3
CPU_SUBTYPE_INTEL_MODEL_ALL = 0
CPU_TYPE_POWERPC64 = 16777234
CPU_TYPE_POWERPC = 18
CPU_TYPE_SPARC = 14
CPU_TYPE_MC88000 = 13
CPU_TYPE_ARM64 = 16777228
CPU_TYPE_ARM = 12
CPU_TYPE_MC98000 = 10
CPU_TYPE_MIPS = 8
CPU_TYPE_X86_64 = 16777223
CPU_TYPE_I386 = 7
CPU_TYPE_X86 = 7
CPU_TYPE_MC680X0 = 6
CPU_SUBTYPE_LIB64 = 2147483648
CPU_ARCH_ABI64 = 16777216
FAT_CIGAM_64 = 3216703178
FAT_MAGIC_64 = 3405691583
FAT_CIGAM = 3199925962
FAT_MAGIC = 3405691582
MH_CIGAM_64 = 3489328638
MH_MAGIC_64 = 4277009103
MH_CIGAM = 3472551422
MH_MAGIC = 4277009102
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment