
MachXplorer

Mach-O Binary Loader & Analyzer.

```mermaid
graph TD
    A[Mach-O Binary] --> B(otool)
    B --> C[otool Integration]
    B --> D[Obfuscation Detector]
    B --> E[Disassembler]
    B --> F[Symbol Resolver]

    C --> G[Header Parser]
    C --> H[Segment Analyzer]

    D --> I[String Obfuscation Detection]
    D --> J[Control Flow Obfuscation Detection]
    D --> K[Anti-Disassembly Detection]

    E --> L[ARM64 Disassembly]
    E --> M[x86_64 Disassembly]

    F --> N[Symbol Table Analysis]

    G --> O[Report Generator]
    H --> O
    I --> O
    J --> O
    K --> O
    L --> O
    M --> O
    N --> O

    O --> P[HTML/JSON/CSV Reports]
```

Analyze Mach-O binaries using otool as the core engine, with a specific focus on macOS malware analysis and obfuscation detection.

🗺 Roadmap

  • Mach-O header analysis (-h, --header)
  • Segment/section inspection (-s, --segment)
  • Basic symbol analysis (-y, --symbol)
  • Hex dump & string extraction (-x, --hex)
  • Binary comparison (-c, --compare)
  • CMake build system

🚧 In Progress

  • ARM64 disassembly module (-d, --disassembly)
  • otool integration pipeline
  • Obfuscation detection framework (-o, --obfuscation)
  • HTML report generation

⏳ Upcoming

  • Universal binary (fat Mach-O) support
  • Entitlements analysis module
  • JSON/CSV export options
  • IDA Pro integration plugin

🔮 Future Vision

  • Dyld shared cache analysis
  • Automated anti-debugging detection
  • Machine learning anomaly scoring
  • Cross-platform (Windows/Linux) support
  • Automated suspicious pattern detection

🛠 Features

| Option | Flag | Description |
| --- | --- | --- |
| Header Analysis | -h, --header | Inspect Mach-O headers, load commands, and entry points |
| Segment Analysis | -s, --segment | Analyze memory layout, permissions, and unusual flags |
| Symbol Analysis | -y, --symbol | Detect hidden functions and stripped symbols |
| Disassembly | -d, --disassembly | Examine executable sections with ARM64 disassembly |
| Obfuscation Detection | -o, --obfuscation | Identify common obfuscation patterns |
| Hex & Strings | -x, --hex | Generate formatted hex dumps with string extraction |
| Binary Comparison | -c, --compare | Diff two Mach-O binaries for integrity checks |
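The Segment Analysis option above flags unusual permissions; the following is an added example (not MachXplorer's own code) of that check done directly on the Mach-O load commands. It redefines the `mach_header_64` and `segment_command_64` layouts from `loader.h` so it builds off macOS, and runs over a constructed in-memory sample with a hypothetical rwx `__SHELL` segment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Mirrors <mach-o/loader.h> so the check builds on any platform, not only macOS. */
#define MH_MAGIC_64 0xfeedfacfu
#define LC_SEGMENT_64 0x19u
#define VM_PROT_WX 0x06   /* VM_PROT_WRITE | VM_PROT_EXECUTE (our own shorthand) */
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 { uint32_t cmd, cmdsize; char segname[16]; uint64_t vmaddr, vmsize, fileoff, filesize;
                            int32_t maxprot, initprot; uint32_t nsects, flags; };
/* Walk the load commands of an in-memory 64-bit Mach-O and count LC_SEGMENT_64 entries whose
 * initial protection is writable AND executable. Returns -1 if the header, sizeofcmds or any
 * cmdsize does not fit inside the buffer (truncated or crafted file), so callers never overread. */
int count_wx_segments(const uint8_t *buf, size_t len) {
    struct mach_header_64 hdr;
    if (len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC_64) return -1;      /* not a native-endian 64-bit Mach-O */
    size_t off = sizeof hdr, end = off + hdr.sizeofcmds;
    if (end > len) return -1;                     /* sizeofcmds overruns the buffer */
    int wx = 0;
    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;   /* bogus cmdsize */
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 seg;
            memcpy(&seg, buf + off, sizeof seg);
            if ((seg.initprot & VM_PROT_WX) == VM_PROT_WX) { printf("W+X segment: %.16s\n", seg.segname); wx++; }
        }
        off += lc.cmdsize;
    }
    return wx;
}
/* Constructed sample, not a real binary: arm64 MH_EXECUTE header, a normal r-x __TEXT and a rwx __SHELL. */
size_t build_sample(uint8_t *out) {
    uint32_t segsz = (uint32_t)sizeof(struct segment_command_64);
    struct segment_command_64 text = { LC_SEGMENT_64, segsz, "__TEXT", 0x100000000ULL, 0x4000, 0, 0x4000, 5, 5, 0, 0 };
    struct segment_command_64 shell = { LC_SEGMENT_64, segsz, "__SHELL", 0x100004000ULL, 0x1000, 0x4000, 0x1000, 7, 7, 0, 0 };
    struct mach_header_64 hdr = { MH_MAGIC_64, 0x0100000cu, 0, 2, 2, 2 * segsz, 0, 0 };
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, &text, sizeof text);
    memcpy(out + sizeof hdr + sizeof text, &shell, sizeof shell);
    return sizeof hdr + sizeof text + sizeof shell;
}
/* Run the check over the sample; a nonzero truncate_to simulates a cut-off file. */
int analyze_sample(size_t truncate_to) {
    uint8_t buf[256]; size_t n = build_sample(buf);
    return count_wx_segments(buf, truncate_to && truncate_to < n ? truncate_to : n);
}
```

On a real file, read it into memory and pass the bytes to `count_wx_segments`; fat (universal) binaries must first be split per architecture, which this check does not do.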

📦 Installation

Prerequisites

  • macOS (ARM64 compatible)
  • Xcode Command Line Tools
  • otool and llvm-objdump (install via Homebrew):

🚀 Usage

```shell
# Basic header inspection
./MachXplorer -h suspiciousBinary.macho

# Full analysis workflow
./MachXplorer -hsydo complexBinary.macho

# Compare two versions
./MachXplorer -c original.macho modified.macho
```

🔍 Resource Guide

Key macOS Headers

  • /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/mach-o/

| Header File | Purpose |
| --- | --- |
| loader.h | Mach-O load command structures |
| nlist.h | Symbol table entry definitions |
| fat.h | Universal binary format |

🤝 Contributing

I am open to contributions:

  • Issue reporting
  • Pull requests
  • Feature proposals

Source Code

This post is licensed under CC BY 4.0 by the author.