[SharedCache] Apply .symbols file information when applying an image

emesare · emesare · commit b2d387ffc0e4 · 2025-04-13T00:47:36.000-04:00
This improves symbol recovery drastically on newer shared caches Related PR: #6210
diff --git a/view/sharedcache/core/MachO.cpp b/view/sharedcache/core/MachO.cpp
@@ -457,32 +457,19 @@ std::optional<SharedCacheMachOHeader> SharedCacheMachOHeader::ParseHeaderForAddr
 	return header;
 }
 
-// TODO: Support reading from .symbols file.
-// TODO: Replace view with address size?
-std::vector<CacheSymbol> SharedCacheMachOHeader::ReadSymbolTable(BinaryView& view, VirtualMemory& vm) const
+std::vector<CacheSymbol> SharedCacheMachOHeader::ReadSymbolTable(VirtualMemory& vm, const TableInfo &symbolInfo, const TableInfo &stringInfo) const
 {
-	auto addressSize = view.GetAddressSize();
-	// NOTE: The symbol table will exist within the link edit segment, the table offsets are relative to the file not
-	// the linkedit segment.
-	uint64_t symbolsAddress = GetLinkEditFileBase() + symtab.symoff;
-	uint64_t stringsAddress = GetLinkEditFileBase() + symtab.stroff;
-
-	// TODO: This needs to be passed in as an optional argument.
-	// TODO: Sometimes symbol tables are shared and we have to offset into the table for a specific header.
-	// TODO: The "shared" symbol tables are stored in .symbols files.
-	int nlistStartIndex = 0;
-
 	std::vector<CacheSymbol> symbolList;
-	for (uint64_t i = 0; i < symtab.nsyms; i++)
+	// TODO: This assumes that 95% (or more) are going to be added.
+	symbolList.reserve(symbolInfo.entries);
+	for (uint64_t entryIndex = 0; entryIndex < symbolInfo.entries; entryIndex++)
 	{
-		uint64_t entryIndex = (nlistStartIndex + i);
-
 		nlist_64 nlist = {};
-		if (addressSize == 4)
+		if (vm.GetAddressSize() == 4)
 		{
 			// 32-bit DSC
 			struct nlist nlist32 = {};
-			vm.Read(&nlist, symbolsAddress + (entryIndex * sizeof(nlist32)), sizeof(nlist32));
+			vm.Read(&nlist, symbolInfo.address + (entryIndex * sizeof(nlist32)), sizeof(nlist32));
 			nlist.n_strx = nlist32.n_strx;
 			nlist.n_type = nlist32.n_type;
 			nlist.n_sect = nlist32.n_sect;
@@ -492,24 +479,24 @@ std::vector<CacheSymbol> SharedCacheMachOHeader::ReadSymbolTable(BinaryView& vie
 		else
 		{
 			// 64-bit DSC
-			vm.Read(&nlist, symbolsAddress + (entryIndex * sizeof(nlist)), sizeof(nlist));
+			vm.Read(&nlist, symbolInfo.address + (entryIndex * sizeof(nlist)), sizeof(nlist));
 		}
 
 		auto symbolAddress = nlist.n_value;
 		if (((nlist.n_type & N_TYPE) == N_INDR) || symbolAddress == 0)
 			continue;
 
-		if (nlist.n_strx >= symtab.strsize)
+		if (nlist.n_strx >= stringInfo.entries)
 		{
 			// TODO: where logger?
 			LogError(
 				"Symbol entry at index %llu has a string offset of %u which is outside the strings buffer of size %u "
 			    "for symbol table %x",
-				entryIndex, nlist.n_strx, symtab.strsize, symtab.stroff);
+				entryIndex, nlist.n_strx, stringInfo.address, stringInfo.entries);
 			continue;
 		}
 
-		std::string symbolName = vm.ReadCString(stringsAddress + nlist.n_strx);
+		std::string symbolName = vm.ReadCString(stringInfo.address + nlist.n_strx);
 		if (symbolName == "<redacted>")
 			continue;
 
diff --git a/view/sharedcache/core/MachO.h b/view/sharedcache/core/MachO.h
@@ -7,6 +7,15 @@
 
 struct CacheSymbol;
 
+// Used when reading symbol/string table info.
+struct TableInfo
+{
+	// VM address where the reading will begin.
+	uint64_t address;
+	// Number of entries in the table.
+	uint32_t entries;
+};
+
 struct SharedCacheMachOHeader
 {
 	uint64_t textBase = 0;
@@ -61,8 +70,7 @@ struct SharedCacheMachOHeader
 	static std::optional<SharedCacheMachOHeader> ParseHeaderForAddress(
 		std::shared_ptr<VirtualMemory> vm, uint64_t address, const std::string& imagePath);
 
-	// TODO: Replace view with address size?
-	std::vector<CacheSymbol> ReadSymbolTable(BinaryNinja::BinaryView& view, VirtualMemory& vm) const;
+	std::vector<CacheSymbol> ReadSymbolTable(VirtualMemory& vm, const TableInfo &symbolInfo, const TableInfo &stringInfo) const;
 
 	bool AddExportTerminalSymbol(
 		std::vector<CacheSymbol>& symbols, const std::string& symbolName, const uint8_t* current,
diff --git a/view/sharedcache/core/MachOProcessor.cpp b/view/sharedcache/core/MachOProcessor.cpp
@@ -53,14 +53,14 @@ void SharedCacheMachOProcessor::ApplyHeader(SharedCacheMachOHeader& header)
 		auto typeLib = typeLibraryFromName(header.installName);
 		m_view->BeginBulkModifySymbols();
 
-		// TODO: Why does this need to only happen in linkeditSegment?
 		// Apply symbols from symbol table.
 		if (header.symtab.symoff != 0)
 		{
-			// Mach-O View symtab processing with
-			// a ton of stuff cut out so it can work
 			// NOTE: This table is read relative to the link edit segment file base.
-			const auto symbols = header.ReadSymbolTable(*m_view, *m_vm);
+			// NOTE: This does not handle the shared .symbols cache entry symbols, that is the responsibility of the caller.
+			TableInfo symbolInfo = { header.GetLinkEditFileBase() + header.symtab.symoff, header.symtab.nsyms };
+			TableInfo stringInfo = { header.GetLinkEditFileBase() + header.symtab.stroff, header.symtab.strsize };
+			const auto symbols = header.ReadSymbolTable(*m_vm, symbolInfo, stringInfo);
 			for (const auto& sym : symbols)
 			{
 				auto [symbol, symbolType] = sym.GetBNSymbolAndType(*m_view);
@@ -72,7 +72,6 @@ void SharedCacheMachOProcessor::ApplyHeader(SharedCacheMachOHeader& header)
 		if (header.exportTriePresent)
 		{
 			// NOTE: This table is read relative to the link edit segment file base.
-			// TODO: Remove this and use the m_symbols in the cache?
 			const auto exportSymbols = header.ReadExportSymbolTrie(*m_vm);
 			for (const auto& sym : exportSymbols)
 			{
diff --git a/view/sharedcache/core/SharedCache.cpp b/view/sharedcache/core/SharedCache.cpp
@@ -80,10 +80,14 @@ std::optional<CacheEntry> CacheEntry::FromFile(const std::string& filePath, cons
 		// We found a single dyld data cache entry file. Mark it as such!
 		type = CacheEntryType::DyldData;
 	}
-	else if (fileName.find(".symbols") != std::string::npos)
+	else if (fileName.find(".symbols") != std::string::npos && mappings.size() == 1)
 	{
 		// We found a single symbols cache entry file. Mark it as such!
 		type = CacheEntryType::Symbols;
+		// Adjust the mapping for the symbol file, they seem to be only for the header.
+		// If we do not adjust the mapping than we will not be able to read the symbol table through the virtual memory.
+		mappings[0].fileOffset = 0;
+		mappings[0].size = file->Length();
 	}
 	else if (mappings.size() == 1 && header.imagesCountOld == 0 && header.imagesCount == 0
 		&& header.imagesTextOffset == 0)
diff --git a/view/sharedcache/core/SharedCacheController.cpp b/view/sharedcache/core/SharedCacheController.cpp
@@ -213,6 +213,71 @@ bool SharedCacheController::ApplyImage(BinaryView& view, const CacheImage& image
 		view.SetFunctionAnalysisUpdateDisabled(true);
 		machoProcessor.ApplyHeader(*image.header);
 		view.SetFunctionAnalysisUpdateDisabled(prevDisabledState);
+		
+		// Add symbols from the symbol cache files.
+		// This is done separate from applying the header as it constitutes knowing about other cache images.
+		// NOTE: If we want to move this into the `ApplyHeader` above we would need to give it some extra cache context.
+		const auto& cache = GetCache();
+		const auto vm = cache.GetVirtualMemory();
+		for (const auto& entry : cache.GetEntries())
+		{
+			if (entry.GetType() != CacheEntryType::Symbols && vm->GetAddressSize() == 8)
+				continue;
+			const auto& header = entry.GetHeader();
+
+			// This is where we get the symbol and string table information from in the .symbols file.
+			dyld_cache_local_symbols_info localSymbolsInfo = {};
+			auto localSymbolsInfoAddr = entry.GetMappedAddress(header.localSymbolsOffset);
+			if (!localSymbolsInfoAddr.has_value())
+				continue;
+			vm->Read(&localSymbolsInfo, *localSymbolsInfoAddr, sizeof(dyld_cache_local_symbols_info));
+
+			// Read each symbols entry, looking for the current image entry.
+			uint64_t localEntriesAddr = *localSymbolsInfoAddr + localSymbolsInfo.entriesOffset;
+			uint64_t localSymbolsAddr = *localSymbolsInfoAddr + localSymbolsInfo.nlistOffset;
+			uint64_t localStringsAddr = *localSymbolsInfoAddr + localSymbolsInfo.stringsOffset;
+			std::vector<dyld_cache_local_symbols_entry_64> symbolEntries;
+			symbolEntries.reserve(localSymbolsInfo.entriesCount);
+			dyld_cache_local_symbols_entry_64 localSymbolsEntry = {};
+
+			// TODO: Clean this up!!!! This is taken from the macho code...
+			auto typeLibraryFromName = [&](const std::string& name) -> Ref<TypeLibrary> {
+				// Check to see if we have already loaded the type library.
+				if (auto typeLib = view.GetTypeLibrary(name))
+					return typeLib;
+
+				auto typeLibs = view.GetDefaultPlatform()->GetTypeLibrariesByName(name);
+				if (!typeLibs.empty())
+					return typeLibs.front();
+				return nullptr;
+			};
+
+			// Pull the available type library for the image we are loading, so we can apply known types.
+			auto typeLib = typeLibraryFromName(image.GetName());
+
+			for (uint32_t i = 0; i < localSymbolsInfo.entriesCount; i++)
+			{
+				vm->Read(&localSymbolsEntry,  localEntriesAddr + i * sizeof(dyld_cache_local_symbols_entry_64),
+				         sizeof(dyld_cache_local_symbols_entry_64));
+				symbolEntries.push_back(localSymbolsEntry);
+				auto imageAddr = cache.GetBaseAddress() + localSymbolsEntry.dylibOffset;
+				if (image.headerAddress == imageAddr)
+				{
+					// We have found the entry to read!
+					// TODO: Support 32bit nlist
+					uint64_t symbolTableStart = localSymbolsAddr + (localSymbolsEntry.nlistStartIndex * sizeof(nlist_64));
+					TableInfo symbolInfo = { symbolTableStart, localSymbolsEntry.nlistCount };
+					TableInfo stringInfo = { localStringsAddr, localSymbolsInfo.stringsSize };
+					const auto symbols = image.header->ReadSymbolTable(*vm, symbolInfo, stringInfo);
+					m_logger->LogInfoF("Found {} symbols in .symbols for image {}", symbols.size(), image.path.c_str());
+					for (const auto& sym : symbols)
+					{
+						auto [symbol, symbolType] = sym.GetBNSymbolAndType(view);
+						ApplySymbol(&view, typeLib, symbol, symbolType);
+					}
+				}
+			}
+		}
 
 		// Load objective-c information.
 		auto objcProcessor = DSCObjC::SharedCacheObjCProcessor(&view, false, image.headerAddress);
diff --git a/view/sharedcache/core/VirtualMemory.h b/view/sharedcache/core/VirtualMemory.h
@@ -42,8 +42,11 @@ class VirtualMemory
 {
 	std::shared_mutex m_regionMutex;
 	AddressRangeMap<VirtualMemoryRegion> m_regions;
+	uint64_t m_addressSize = 8;
 
 public:
+	uint64_t GetAddressSize() const { return m_addressSize; }
+
 	// At no point do we ever store a strong pointer to a file accessor, that is the job of the `FileAccessorCache`.
 	void MapRegion(WeakFileAccessor fileAccessor, AddressRange mappedRange, uint64_t fileOffset);
 

Original file line number	Diff line number	Diff line change
`@@ -80,10 +80,14 @@ std::optional<CacheEntry> CacheEntry::FromFile(const std::string& filePath, cons`
`80`	`80`	`// We found a single dyld data cache entry file. Mark it as such!`
`81`	`81`	`type = CacheEntryType::DyldData;`
`82`	`82`	`}`
`83`		`- else if (fileName.find(".symbols") != std::string::npos)`
	`83`	`+ else if (fileName.find(".symbols") != std::string::npos && mappings.size() == 1)`
`84`	`84`	`{`
`85`	`85`	`// We found a single symbols cache entry file. Mark it as such!`
`86`	`86`	`type = CacheEntryType::Symbols;`
	`87`	`+ // Adjust the mapping for the symbol file, they seem to be only for the header.`
	`88`	`+ // If we do not adjust the mapping than we will not be able to read the symbol table through the virtual memory.`
	`89`	`+ mappings[0].fileOffset = 0;`
	`90`	`+ mappings[0].size = file->Length();`
`87`	`91`	`}`
`88`	`92`	`else if (mappings.size() == 1 && header.imagesCountOld == 0 && header.imagesCount == 0`
`89`	`93`	`&& header.imagesTextOffset == 0)`