/*

Copyright (c) 2014. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,

are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this

list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,

this list of conditions and the following disclaimer in the documentation and/or

other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors

may be used to endorse or promote products derived from this software without

specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR

ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON

ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*/

#include <yara/endian.h>

#include <yara/macho.h>

#include <yara/mem.h>

#include <yara/modules.h>

#define MODULE_NAME macho

// Check for Mach-O binary magic constant.

int is_macho_file_block(const uint32_t* magic)

{

  return *magic == MH_MAGIC || *magic == MH_CIGAM || *magic == MH_MAGIC_64 ||

         *magic == MH_CIGAM_64;

}

// Check if file is for 32-bit architecture.

int macho_is_32(uint32_t magic)

{

  return magic == MH_MAGIC || magic == MH_CIGAM;

}

// Check for Mach-O fat binary magic constant.

int is_fat_macho_file_block(const uint32_t* magic)

{

  return *magic == FAT_MAGIC || *magic == FAT_CIGAM || *magic == FAT_MAGIC_64 ||

         *magic == FAT_CIGAM_64;

}

// Check if file is 32-bit fat file.

int macho_fat_is_32(const uint32_t* magic)

{

  return yr_be32toh(*magic) == FAT_MAGIC;

}

static int should_swap_bytes(const uint32_t magic)

{

// In big-endian platforms byte swapping is needed for little-endian files

// but in little-endian platforms the files that need swapping are the

// the big-endian ones.

#if defined(WORDS_BIGENDIAN)

  return magic == MH_CIGAM || magic == MH_CIGAM_64 || magic == FAT_CIGAM ||

         magic == FAT_CIGAM_64;

#else

  return magic == MH_MAGIC || magic == MH_MAGIC_64 || magic == FAT_MAGIC ||

         magic == FAT_MAGIC_64;

#endif

}

static void swap_mach_header(yr_mach_header_64_t* mh)

{

  // Don't swap the magic number so we can tell if swapping is needed

  mh->cputype = yr_bswap32(mh->cputype);

  mh->cpusubtype = yr_bswap32(mh->cpusubtype);

  mh->filetype = yr_bswap32(mh->filetype);

  mh->ncmds = yr_bswap32(mh->ncmds);

  mh->sizeofcmds = yr_bswap32(mh->sizeofcmds);

  mh->flags = yr_bswap32(mh->flags);

  if (!macho_is_32(mh->magic))

    mh->reserved = yr_bswap32(mh->reserved);

}

static void swap_load_command(yr_load_command_t* lc)

{

  lc->cmd = yr_bswap32(lc->cmd);

  lc->cmdsize = yr_bswap32(lc->cmdsize);

}

static void swap_segment_command(yr_segment_command_32_t* sg)

{

  sg->cmd = yr_bswap32(sg->cmd);

  sg->cmdsize = yr_bswap32(sg->cmdsize);

  sg->vmaddr = yr_bswap32(sg->vmaddr);

  sg->vmsize = yr_bswap32(sg->vmsize);

  sg->fileoff = yr_bswap32(sg->fileoff);

  sg->filesize = yr_bswap32(sg->filesize);

  sg->maxprot = yr_bswap32(sg->maxprot);

  sg->initprot = yr_bswap32(sg->initprot);

  sg->nsects = yr_bswap32(sg->nsects);

  sg->flags = yr_bswap32(sg->flags);

}

static void swap_segment_command_64(yr_segment_command_64_t* sg)

{

  sg->cmd = yr_bswap32(sg->cmd);

  sg->cmdsize = yr_bswap32(sg->cmdsize);

  sg->vmaddr = yr_bswap64(sg->vmaddr);

  sg->vmsize = yr_bswap64(sg->vmsize);

  sg->fileoff = yr_bswap64(sg->fileoff);

  sg->filesize = yr_bswap64(sg->filesize);

  sg->maxprot = yr_bswap32(sg->maxprot);

  sg->initprot = yr_bswap32(sg->initprot);

  sg->nsects = yr_bswap32(sg->nsects);

  sg->flags = yr_bswap32(sg->flags);

}

static void swap_section(yr_section_32_t* sec)

{

  sec->addr = yr_bswap32(sec->addr);

  sec->size = yr_bswap32(sec->size);

  sec->offset = yr_bswap32(sec->offset);

  sec->align = yr_bswap32(sec->align);

  sec->reloff = yr_bswap32(sec->reloff);

  sec->nreloc = yr_bswap32(sec->nreloc);

  sec->flags = yr_bswap32(sec->flags);

  sec->reserved1 = yr_bswap32(sec->reserved1);

  sec->reserved2 = yr_bswap32(sec->reserved2);

}

static void swap_section_64(yr_section_64_t* sec)

{

  sec->addr = yr_bswap64(sec->addr);

  sec->size = yr_bswap64(sec->size);

  sec->offset = yr_bswap32(sec->offset);

  sec->align = yr_bswap32(sec->align);

  sec->reloff = yr_bswap32(sec->reloff);

  sec->nreloc = yr_bswap32(sec->nreloc);

  sec->flags = yr_bswap32(sec->flags);

  sec->reserved1 = yr_bswap32(sec->reserved1);

  sec->reserved2 = yr_bswap32(sec->reserved2);

  sec->reserved3 = yr_bswap32(sec->reserved3);

}

static void swap_entry_point_command(yr_entry_point_command_t* ep_command)

{

  ep_command->cmd = yr_bswap32(ep_command->cmd);

  ep_command->cmdsize = yr_bswap32(ep_command->cmdsize);

  ep_command->entryoff = yr_bswap64(ep_command->entryoff);

  ep_command->stacksize = yr_bswap64(ep_command->stacksize);

}

// Convert virtual address to file offset. Segments have to be already loaded.

bool macho_rva_to_offset(uint64_t address, uint64_t* result, YR_OBJECT* object)

{

  uint64_t segment_count = yr_get_integer(object, "number_of_segments");

  for (int i = 0; i < segment_count; i++)

  {

    uint64_t start = yr_get_integer(object, "segments[%i].vmaddr", i);

    uint64_t end = start + yr_get_integer(object, "segments[%i].vmsize", i);

    if (address >= start && address < end)

    {

      uint64_t fileoff = yr_get_integer(object, "segments[%i].fileoff", i);

      *result = fileoff + (address - start);

      return true;

    }

  }

  return false;

}

// Convert file offset to virtual address. Segments have to be already loaded.

int macho_offset_to_rva(uint64_t offset, uint64_t* result, YR_OBJECT* object)

{

  uint64_t segment_count = yr_get_integer(object, "number_of_segments");

  for (int i = 0; i < segment_count; i++)

  {

    uint64_t start = yr_get_integer(object, "segments[%i].fileoff", i);

    uint64_t end = start + yr_get_integer(object, "segments[%i].fsize", i);

    if (offset >= start && offset < end)

    {

      uint64_t vmaddr = yr_get_integer(object, "segments[%i].vmaddr", i);

      *result = vmaddr + (offset - start);

      return true;

    }

  }

  return false;

}

// Get entry point address from LC_UNIXTHREAD load command.

void macho_handle_unixthread(

    const uint8_t* data,

    size_t size,

    uint64_t base_address,

    YR_OBJECT* object,

    YR_SCAN_CONTEXT* context)

{

  int should_swap = should_swap_bytes(yr_get_integer(object, "magic"));

  bool is64 = false;

  if (size < sizeof(yr_thread_command_t))

    return;

  // command_size is the size indicated in yr_thread_command_t structure, but

  // limited to the data's size because we can't rely on the structure having

  // a valid size.

  uint32_t command_size = yr_min(size, ((yr_thread_command_t*) data)->cmdsize);

  // command_size should be at least the size of yr_thread_command_t.

  if (command_size < sizeof(yr_thread_command_t))

    return;

  // command_size includes the size of yr_thread_command_t and the thread

  // state structure that follows, let's compute the size of the thread state

  // structure.

  size_t thread_state_size = command_size - sizeof(yr_thread_command_t);

  // The structure that contains the thread state starts where

  // yr_thread_command_t ends.

  const void* thread_state = data + sizeof(yr_thread_command_t);

  uint64_t address = 0;

  switch (yr_get_integer(object, "cputype"))

  {

  case CPU_TYPE_MC680X0:

  {

    if (thread_state_size < sizeof(yr_m68k_thread_state_t))

      return;

    address = ((yr_m68k_thread_state_t*) thread_state)->pc;

    break;

  }

  case CPU_TYPE_MC88000:

  {

    if (thread_state_size < sizeof(yr_m88k_thread_state_t))

      return;

    address = ((yr_m88k_thread_state_t*) thread_state)->xip;

    break;

  }

  case CPU_TYPE_SPARC:

  {

    if (thread_state_size < sizeof(yr_sparc_thread_state_t))

      return;

    address = ((yr_sparc_thread_state_t*) thread_state)->pc;

    break;

  }

  case CPU_TYPE_POWERPC:

  {

    if (thread_state_size < sizeof(yr_ppc_thread_state_t))

      return;

    address = ((yr_ppc_thread_state_t*) thread_state)->srr0;

    break;

  }

  case CPU_TYPE_X86:

  {

    if (thread_state_size < sizeof(yr_x86_thread_state_t))

      return;

    address = ((yr_x86_thread_state_t*) thread_state)->eip;

    break;

  }

  case CPU_TYPE_ARM:

  {

    if (thread_state_size < sizeof(yr_arm_thread_state_t))

      return;

    address = ((yr_arm_thread_state_t*) thread_state)->pc;

    break;

  }

  case CPU_TYPE_X86_64:

  {

    if (thread_state_size < sizeof(yr_x86_thread_state64_t))

      return;

    address = ((yr_x86_thread_state64_t*) thread_state)->rip;

    is64 = true;

    break;

  }

  case CPU_TYPE_ARM64:

  {

    if (thread_state_size < sizeof(yr_arm_thread_state64_t))

      return;

    address = ((yr_arm_thread_state64_t*) thread_state)->pc;

    is64 = true;

    break;

  }

  case CPU_TYPE_POWERPC64:

  {

    if (thread_state_size < sizeof(yr_ppc_thread_state64_t))

      return;

    address = ((yr_ppc_thread_state64_t*) thread_state)->srr0;

    is64 = true;

    break;

  }

  default:

    return;

  }

  if (should_swap)

  {

    if (is64)

      address = yr_bswap64(address);

    else

      address = yr_bswap32(address);

  }

  if (context->flags & SCAN_FLAGS_PROCESS_MEMORY)

  {

    yr_set_integer(base_address + address, object, "entry_point");

  }

  else

  {

    uint64_t offset = 0;

    if (macho_rva_to_offset(address, &offset, object))

    {

      yr_set_integer(offset, object, "entry_point");

    }

  }

}

// Get entry point offset and stack-size from LC_MAIN load command.

void macho_handle_main(

    void* data,

    size_t size,

    YR_OBJECT* object,

    YR_SCAN_CONTEXT* context)

{

  yr_entry_point_command_t ep_command;

  if (size < sizeof(yr_entry_point_command_t))

    return;

  memcpy(&ep_command, data, sizeof(yr_entry_point_command_t));

  if (should_swap_bytes(yr_get_integer(object, "magic")))

    swap_entry_point_command(&ep_command);

  if (context->flags & SCAN_FLAGS_PROCESS_MEMORY)

  {

    uint64_t address = 0;

    if (macho_offset_to_rva(ep_command.entryoff, &address, object))

    {

      yr_set_integer(address, object, "entry_point");

    }

  }

  else

  {

    yr_set_integer(ep_command.entryoff, object, "entry_point");

  }

  yr_set_integer(ep_command.stacksize, object, "stack_size");

}

// Load segment and its sections.

void macho_handle_segment(

    const uint8_t* data,

    size_t size,

    const unsigned i,

    YR_OBJECT* object)

{

  if (size < sizeof(yr_segment_command_32_t))

    return;

  yr_segment_command_32_t sg;

  memcpy(&sg, data, sizeof(yr_segment_command_32_t));

  int should_swap = should_swap_bytes(yr_get_integer(object, "magic"));

  if (should_swap)

    swap_segment_command(&sg);

  yr_set_sized_string(

      sg.segname, strnlen(sg.segname, 16), object, "segments[%i].segname", i);

  yr_set_integer(sg.vmaddr, object, "segments[%i].vmaddr", i);

  yr_set_integer(sg.vmsize, object, "segments[%i].vmsize", i);

  yr_set_integer(sg.fileoff, object, "segments[%i].fileoff", i);

  yr_set_integer(sg.filesize, object, "segments[%i].fsize", i);

  yr_set_integer(sg.maxprot, object, "segments[%i].maxprot", i);

  yr_set_integer(sg.initprot, object, "segments[%i].initprot", i);

  yr_set_integer(sg.nsects, object, "segments[%i].nsects", i);

  yr_set_integer(sg.flags, object, "segments[%i].flags", i);

  uint64_t parsed_size = sizeof(yr_segment_command_32_t);

  // The array of yr_section_32_t starts where yr_segment_command_32_t ends.

  yr_section_32_t* sections =

      (yr_section_32_t*) (data + sizeof(yr_segment_command_32_t));

  for (unsigned j = 0; j < sg.nsects; ++j)

  {

    yr_section_32_t sec;

    parsed_size += sizeof(yr_section_32_t);

    if (sg.cmdsize < parsed_size)

      break;

    memcpy(&sec, &sections[j], sizeof(yr_section_32_t));

    if (should_swap)

      swap_section(&sec);

    yr_set_sized_string(

        sec.segname,

        strnlen(sec.segname, 16),

        object,

        "segments[%i].sections[%i].segname",

        i,

        j);

    yr_set_sized_string(

        sec.sectname,

        strnlen(sec.sectname, 16),

        object,

        "segments[%i].sections[%i].sectname",

        i,

        j);

    yr_set_integer(sec.addr, object, "segments[%i].sections[%i].addr", i, j);

    yr_set_integer(sec.size, object, "segments[%i].sections[%i].size", i, j);

    yr_set_integer(

        sec.offset, object, "segments[%i].sections[%i].offset", i, j);

    yr_set_integer(sec.align, object, "segments[%i].sections[%i].align", i, j);

    yr_set_integer(

        sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);

    yr_set_integer(

        sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);

    yr_set_integer(sec.flags, object, "segments[%i].sections[%i].flags", i, j);

    yr_set_integer(

        sec.reserved1, object, "segments[%i].sections[%i].reserved1", i, j);

    yr_set_integer(

        sec.reserved2, object, "segments[%i].sections[%i].reserved2", i, j);

  }

}

void macho_handle_segment_64(

    const uint8_t* data,

    size_t size,

    const unsigned i,

    YR_OBJECT* object)

{

  if (size < sizeof(yr_segment_command_64_t))

    return;

  yr_segment_command_64_t sg;

  memcpy(&sg, data, sizeof(yr_segment_command_64_t));

  int should_swap = should_swap_bytes(yr_get_integer(object, "magic"));

  if (should_swap)

    swap_segment_command_64(&sg);

  yr_set_sized_string(

      sg.segname, strnlen(sg.segname, 16), object, "segments[%i].segname", i);

  yr_set_integer(sg.vmaddr, object, "segments[%i].vmaddr", i);

  yr_set_integer(sg.vmsize, object, "segments[%i].vmsize", i);

  yr_set_integer(sg.fileoff, object, "segments[%i].fileoff", i);

  yr_set_integer(sg.filesize, object, "segments[%i].fsize", i);

  yr_set_integer(sg.maxprot, object, "segments[%i].maxprot", i);

  yr_set_integer(sg.initprot, object, "segments[%i].initprot", i);

  yr_set_integer(sg.nsects, object, "segments[%i].nsects", i);

  yr_set_integer(sg.flags, object, "segments[%i].flags", i);

  uint64_t parsed_size = sizeof(yr_segment_command_64_t);

  yr_section_64_t sec;

  for (unsigned j = 0; j < sg.nsects; ++j)

  {

    parsed_size += sizeof(yr_section_64_t);

    if (sg.cmdsize < parsed_size)

      break;

    memcpy(

        &sec,

        data + sizeof(yr_segment_command_64_t) + (j * sizeof(yr_section_64_t)),

        sizeof(yr_section_64_t));

    if (should_swap)

      swap_section_64(&sec);

    yr_set_sized_string(

        sec.segname,

        strnlen(sec.segname, 16),

        object,

        "segments[%i].sections[%i].segname",

        i,

        j);

    yr_set_sized_string(

        sec.sectname,

        strnlen(sec.sectname, 16),

        object,

        "segments[%i].sections[%i].sectname",

        i,

        j);

    yr_set_integer(sec.addr, object, "segments[%i].sections[%i].addr", i, j);

    yr_set_integer(sec.size, object, "segments[%i].sections[%i].size", i, j);

    yr_set_integer(

        sec.offset, object, "segments[%i].sections[%i].offset", i, j);

    yr_set_integer(sec.align, object, "segments[%i].sections[%i].align", i, j);

    yr_set_integer(

        sec.reloff, object, "segments[%i].sections[%i].reloff", i, j);

    yr_set_integer(

        sec.nreloc, object, "segments[%i].sections[%i].nreloc", i, j);

    yr_set_integer(sec.flags, object, "segments[%i].sections[%i].flags", i, j);

    yr_set_integer(

        sec.reserved1, object, "segments[%i].sections[%i].reserved1", i, j);

    yr_set_integer(

        sec.reserved2, object, "segments[%i].sections[%i].reserved2", i, j);

    yr_set_integer(

        sec.reserved3, object, "segments[%i].sections[%i].reserved3", i, j);

  }

}

// Parse Mach-O file.

void macho_parse_file(

    const uint8_t* data,

    const uint64_t size,

    const uint64_t base_address,

    YR_OBJECT* object,

    YR_SCAN_CONTEXT* context)

{

  // Size must be large enough the hold yr_mach_header_64_t, which is larger

  // than yr_mach_header_32_t.

  if (size < sizeof(yr_mach_header_64_t))

    return;

  // yr_mach_header_64_t is used for storing the header for both for 32-bits

  // and 64-bits files. yr_mach_header_64_t is exactly like

  // yr_mach_header_32_t but with an extra "reserved" field at the end.

  yr_mach_header_64_t header;

  memcpy(&header, data, sizeof(yr_mach_header_64_t));

  // The magic number is always handled as big-endian. If the magic bytes are

  // CA FE BA BE, then header.magic is 0xCAFEBABE.

  header.magic = yr_be32toh(header.magic);

  size_t header_size = (header.magic == MH_MAGIC || header.magic == MH_CIGAM)

                           ? sizeof(yr_mach_header_32_t)

                           : sizeof(yr_mach_header_64_t);

  int should_swap = should_swap_bytes(header.magic);

  if (should_swap)

    swap_mach_header(&header);

  yr_set_integer(header.magic, object, "magic");

  yr_set_integer(header.cputype, object, "cputype");

  yr_set_integer(header.cpusubtype, object, "cpusubtype");

  yr_set_integer(header.filetype, object, "filetype");

  yr_set_integer(header.ncmds, object, "ncmds");

  yr_set_integer(header.sizeofcmds, object, "sizeofcmds");

  yr_set_integer(header.flags, object, "flags");

  // The "reserved" field exists only in 64 bits files.

  if (!macho_is_32(header.magic))

    yr_set_integer(header.reserved, object, "reserved");

  // The first command parsing pass handles only segments.

  uint64_t seg_count = 0;

  uint64_t parsed_size = header_size;

  uint8_t* command = (uint8_t*) (data + header_size);

  yr_load_command_t command_struct;

  for (unsigned i = 0; i < header.ncmds; i++)

  {

    if (data + size < command + sizeof(yr_load_command_t))

      break;

    memcpy(&command_struct, command, sizeof(yr_load_command_t));

    if (should_swap)

      swap_load_command(&command_struct);

    if (size - parsed_size < command_struct.cmdsize)

      break;

    if (command_struct.cmdsize < sizeof(yr_load_command_t))

      break;

    switch (command_struct.cmd)

    {

    case LC_SEGMENT:

      macho_handle_segment(command, size - parsed_size, seg_count++, object);

      break;

    case LC_SEGMENT_64:

      macho_handle_segment_64(command, size - parsed_size, seg_count++, object);

      break;

    }

    command += command_struct.cmdsize;

    parsed_size += command_struct.cmdsize;

  }

  yr_set_integer(seg_count, object, "number_of_segments");

  // The second command parsing pass handles others, who use segment count.

  parsed_size = header_size;

  command = (uint8_t*) (data + header_size);

  for (unsigned i = 0; i < header.ncmds; i++)

  {

    if (data + size < command + sizeof(yr_load_command_t))

      break;

    memcpy(&command_struct, command, sizeof(yr_load_command_t));

    if (should_swap)

      swap_load_command(&command_struct);

    if (size - parsed_size < command_struct.cmdsize)

      break;

    if (command_struct.cmdsize < sizeof(yr_load_command_t))

      break;

    switch (command_struct.cmd)

    {

    case LC_UNIXTHREAD:

      macho_handle_unixthread(

          command, size - parsed_size, base_address, object, context);

      break;

    case LC_MAIN:

      macho_handle_main(command, size - parsed_size, object, context);

      break;

    }

    command += command_struct.cmdsize;

    parsed_size += command_struct.cmdsize;

  }

}

// Parse Mach-O fat file.

void macho_load_fat_arch_header(

    const uint8_t* data,

    const uint64_t size,

    uint32_t num,

    yr_fat_arch_64_t* arch)

{

  if (macho_fat_is_32((uint32_t*) data))

  {

    yr_fat_arch_32_t* arch32 =

        (yr_fat_arch_32_t*) (data + sizeof(yr_fat_header_t) +

                             (num * sizeof(yr_fat_arch_32_t)));

    arch->cputype = yr_be32toh(arch32->cputype);

    arch->cpusubtype = yr_be32toh(arch32->cpusubtype);

    arch->offset = yr_be32toh(arch32->offset);

    arch->size = yr_be32toh(arch32->size);

    arch->align = yr_be32toh(arch32->align);

    arch->reserved = 0;

  }

  else

  {

    yr_fat_arch_64_t* arch64 =

        (yr_fat_arch_64_t*) (data + sizeof(yr_fat_header_t) +

                             (num * sizeof(yr_fat_arch_64_t)));

    arch->cputype = yr_be32toh(arch64->cputype);

    arch->cpusubtype = yr_be32toh(arch64->cpusubtype);

    arch->offset = yr_be64toh(arch64->offset);

    arch->size = yr_be64toh(arch64->size);

    arch->align = yr_be32toh(arch64->align);

    arch->reserved = yr_be32toh(arch64->reserved);

  }

}

void macho_parse_fat_file(

    const uint8_t* data,

    const uint64_t size,

    const uint64_t base_address,

    YR_OBJECT* object,

    YR_SCAN_CONTEXT* context)

{

  size_t fat_arch_sz = sizeof(yr_fat_arch_64_t);

  if (macho_fat_is_32((uint32_t*) data))

    fat_arch_sz = sizeof(yr_fat_arch_32_t);

  if (size < sizeof(yr_fat_header_t))

    return;

  /* All data in Mach-O fat binary headers are in big-endian byte order. */

  const yr_fat_header_t* header = (yr_fat_header_t*) data;

  yr_set_integer(yr_be32toh(header->magic), object, "fat_magic");

  uint32_t count = yr_be32toh(header->nfat_arch);

  yr_set_integer(count, object, "nfat_arch");

  if (size < sizeof(yr_fat_header_t) + count * fat_arch_sz)

    return;

  yr_fat_arch_64_t arch;

  for (uint32_t i = 0; i < count; i++)

  {

    macho_load_fat_arch_header(data, size, i, &arch);

    yr_set_integer(arch.cputype, object, "fat_arch[%i].cputype", i);

    yr_set_integer(arch.cpusubtype, object, "fat_arch[%i].cpusubtype", i);

    yr_set_integer(arch.offset, object, "fat_arch[%i].offset", i);

    yr_set_integer(arch.size, object, "fat_arch[%i].size", i);

    yr_set_integer(arch.align, object, "fat_arch[%i].align", i);

    yr_set_integer(arch.reserved, object, "fat_arch[%i].reserved", i);

    // Check for integer overflow.

    if (arch.offset + arch.size < arch.offset)

      continue;

    if (size < arch.offset + arch.size)

      continue;

    // Force 'file' array entry creation.

    yr_set_integer(YR_UNDEFINED, object, "file[%i].magic", i);

    // Get specific Mach-O file data.

    macho_parse_file(

        data + arch.offset,

        arch.size,

        base_address,

        yr_get_object(object, "file[%i]", i),

        context);

  }

}

// Sets all necessary Mach-O constants and definitions.

void macho_set_definitions(YR_OBJECT* object)

{

  // Magic constants

  yr_set_integer(MH_MAGIC, object, "MH_MAGIC");

  yr_set_integer(MH_CIGAM, object, "MH_CIGAM");

  yr_set_integer(MH_MAGIC_64, object, "MH_MAGIC_64");

  yr_set_integer(MH_CIGAM_64, object, "MH_CIGAM_64");

  // Fat magic constants

  yr_set_integer(FAT_MAGIC, object, "FAT_MAGIC");

  yr_set_integer(FAT_CIGAM, object, "FAT_CIGAM");

  yr_set_integer(FAT_MAGIC_64, object, "FAT_MAGIC_64");

  yr_set_integer(FAT_CIGAM_64, object, "FAT_CIGAM_64");

  // 64-bit masks

  yr_set_integer(CPU_ARCH_ABI64, object, "CPU_ARCH_ABI64");

  yr_set_integer(CPU_SUBTYPE_LIB64, object, "CPU_SUBTYPE_LIB64");

  // CPU types

  yr_set_integer(CPU_TYPE_MC680X0, object, "CPU_TYPE_MC680X0");

  yr_set_integer(CPU_TYPE_X86, object, "CPU_TYPE_X86");

  yr_set_integer(CPU_TYPE_X86, object, "CPU_TYPE_I386");

  yr_set_integer(CPU_TYPE_X86_64, object, "CPU_TYPE_X86_64");

  yr_set_integer(CPU_TYPE_MIPS, object, "CPU_TYPE_MIPS");

  yr_set_integer(CPU_TYPE_MC98000, object, "CPU_TYPE_MC98000");

  yr_set_integer(CPU_TYPE_ARM, object, "CPU_TYPE_ARM");

  yr_set_integer(CPU_TYPE_ARM64, object, "CPU_TYPE_ARM64");

  yr_set_integer(CPU_TYPE_MC88000, object, "CPU_TYPE_MC88000");

  yr_set_integer(CPU_TYPE_SPARC, object, "CPU_TYPE_SPARC");

  yr_set_integer(CPU_TYPE_POWERPC, object, "CPU_TYPE_POWERPC");

  yr_set_integer(CPU_TYPE_POWERPC64, object, "CPU_TYPE_POWERPC64");

  // CPU sub-types

  yr_set_integer(

      CPU_SUBTYPE_INTEL_MODEL_ALL, object, "CPU_SUBTYPE_INTEL_MODEL_ALL");

  yr_set_integer(CPU_SUBTYPE_386, object, "CPU_SUBTYPE_386");

  yr_set_integer(CPU_SUBTYPE_386, object, "CPU_SUBTYPE_I386_ALL");

  yr_set_integer(CPU_SUBTYPE_386, object, "CPU_SUBTYPE_X86_64_ALL");

  yr_set_integer(CPU_SUBTYPE_486, object, "CPU_SUBTYPE_486");

  yr_set_integer(CPU_SUBTYPE_486SX, object, "CPU_SUBTYPE_486SX");

  yr_set_integer(CPU_SUBTYPE_586, object, "CPU_SUBTYPE_586");

  yr_set_integer(CPU_SUBTYPE_PENT, object, "CPU_SUBTYPE_PENT");

  yr_set_integer(CPU_SUBTYPE_PENTPRO, object, "CPU_SUBTYPE_PENTPRO");

  yr_set_integer(CPU_SUBTYPE_PENTII_M3, object, "CPU_SUBTYPE_PENTII_M3");

  yr_set_integer(CPU_SUBTYPE_PENTII_M5, object, "CPU_SUBTYPE_PENTII_M5");

  yr_set_integer(CPU_SUBTYPE_CELERON, object, "CPU_SUBTYPE_CELERON");

  yr_set_integer(

      CPU_SUBTYPE_CELERON_MOBILE, object, "CPU_SUBTYPE_CELERON_MOBILE");

  yr_set_integer(CPU_SUBTYPE_PENTIUM_3, object, "CPU_SUBTYPE_PENTIUM_3");

  yr_set_integer(CPU_SUBTYPE_PENTIUM_3_M, object, "CPU_SUBTYPE_PENTIUM_3_M");

  yr_set_integer(

      CPU_SUBTYPE_PENTIUM_3_XEON, object, "CPU_SUBTYPE_PENTIUM_3_XEON");

  yr_set_integer(CPU_SUBTYPE_PENTIUM_M, object, "CPU_SUBTYPE_PENTIUM_M");

  yr_set_integer(CPU_SUBTYPE_PENTIUM_4, object, "CPU_SUBTYPE_PENTIUM_4");

  yr_set_integer(CPU_SUBTYPE_PENTIUM_4_M, object, "CPU_SUBTYPE_PENTIUM_4_M");

  yr_set_integer(CPU_SUBTYPE_ITANIUM, object, "CPU_SUBTYPE_ITANIUM");

  yr_set_integer(CPU_SUBTYPE_ITANIUM_2, object, "CPU_SUBTYPE_ITANIUM_2");

  yr_set_integer(CPU_SUBTYPE_XEON, object, "CPU_SUBTYPE_XEON");

  yr_set_integer(CPU_SUBTYPE_XEON_MP, object, "CPU_SUBTYPE_XEON_MP");

  yr_set_integer(CPU_SUBTYPE_ARM_ALL, object, "CPU_SUBTYPE_ARM_ALL");

  yr_set_integer(CPU_SUBTYPE_ARM_V4T, object, "CPU_SUBTYPE_ARM_V4T");

  yr_set_integer(CPU_SUBTYPE_ARM_V6, object, "CPU_SUBTYPE_ARM_V6");

  yr_set_integer(CPU_SUBTYPE_ARM_V5, object, "CPU_SUBTYPE_ARM_V5");

  yr_set_integer(CPU_SUBTYPE_ARM_V5TEJ, object, "CPU_SUBTYPE_ARM_V5TEJ");

  yr_set_integer(CPU_SUBTYPE_ARM_XSCALE, object, "CPU_SUBTYPE_ARM_XSCALE");

  yr_set_integer(CPU_SUBTYPE_ARM_V7, object, "CPU_SUBTYPE_ARM_V7");

  yr_set_integer(CPU_SUBTYPE_ARM_V7F, object, "CPU_SUBTYPE_ARM_V7F");

  yr_set_integer(CPU_SUBTYPE_ARM_V7S, object, "CPU_SUBTYPE_ARM_V7S");

  yr_set_integer(CPU_SUBTYPE_ARM_V7K, object, "CPU_SUBTYPE_ARM_V7K");

  yr_set_integer(CPU_SUBTYPE_ARM_V6M, object, "CPU_SUBTYPE_ARM_V6M");

  yr_set_integer(CPU_SUBTYPE_ARM_V7M, object, "CPU_SUBTYPE_ARM_V7M");

  yr_set_integer(CPU_SUBTYPE_ARM_V7EM, object, "CPU_SUBTYPE_ARM_V7EM");

  yr_set_integer(CPU_SUBTYPE_ARM64_ALL, object, "CPU_SUBTYPE_ARM64_ALL");

  yr_set_integer(CPU_SUBTYPE_SPARC_ALL, object, "CPU_SUBTYPE_SPARC_ALL");

  yr_set_integer(CPU_SUBTYPE_POWERPC_ALL, object, "CPU_SUBTYPE_POWERPC_ALL");

  yr_set_integer(CPU_SUBTYPE_MC980000_ALL, object, "CPU_SUBTYPE_MC980000_ALL");

  yr_set_integer(CPU_SUBTYPE_POWERPC_601, object, "CPU_SUBTYPE_POWERPC_601");

  yr_set_integer(CPU_SUBTYPE_MC98601, object, "CPU_SUBTYPE_MC98601");

  yr_set_integer(CPU_SUBTYPE_POWERPC_602, object, "CPU_SUBTYPE_POWERPC_602");

  yr_set_integer(CPU_SUBTYPE_POWERPC_603, object, "CPU_SUBTYPE_POWERPC_603");

  yr_set_integer(CPU_SUBTYPE_POWERPC_603e, object, "CPU_SUBTYPE_POWERPC_603e");