Reading data (embedded plist) linked to executable through -sectcreate __TEXT
Solution 1:
otool
You can use otool(1) to dump the contents of the section containing the embedded plist:
otool -s __TEXT __info_plist /path/to/executable
and then pipe its output to xxd(1) in order to obtain the corresponding ASCII representation:
otool -X -s __TEXT __info_plist /path/to/executable | xxd -r
However, otool is only available in machines where Xcode has been installed.
NSBundle
For the cases where a program needs to read its own embedded plist, NSBundle can be used:
id someValue = [[NSBundle mainBundle] objectForInfoDictionaryKey:someKey];
Mach-O
For the cases where a program needs to read the embedded plist of an arbitrary file without resorting to otool, the program can parse the Mach-O information in the file and extract its embedded plist as follows:
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <mach-o/loader.h>
#include <sys/mman.h>
#include <sys/stat.h>
#import <Foundation/Foundation.h>
id embeddedPlist(NSURL *executableURL) {
id plist = nil;
int fd;
struct stat stat_buf;
size_t size;
char *addr = NULL;
char *start_addr = NULL;
struct mach_header_64 *mh = NULL;
struct load_command *lc = NULL;
struct segment_command_64 *sc = NULL;
struct section_64 *sect = NULL;
// Open the file and get its size
fd = open([[executableURL path] UTF8String], O_RDONLY);
if (fd == -1) goto END_FUNCTION;
if (fstat(fd, &stat_buf) == -1) goto END_FILE;
size = stat_buf.st_size;
// Map the file to memory
addr = start_addr = mmap(0, size, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0);
if (addr == MAP_FAILED) goto END_FILE;
// The first bytes are the Mach-O header
mh = (struct mach_header_64 *)addr;
// Load commands follow the header
addr += sizeof(struct mach_header_64);
for (int icmd = 0; icmd < mh->ncmds; icmd++) {
lc = (struct load_command *)addr;
if (lc->cmd != LC_SEGMENT_64) {
addr += lc->cmdsize;
continue;
}
if (lc->cmdsize == 0) continue;
// It's a 64-bit segment
sc = (struct segment_command_64 *)addr;
if (strcmp("__TEXT", sc->segname) != 0 || sc->nsects == 0) {
addr += lc->cmdsize;
continue;
}
// It's the __TEXT segment and it has at least one section
// Section data follows segment data
addr += sizeof(struct segment_command_64);
for (int isect = 0; isect < sc->nsects; isect++) {
sect = (struct section_64 *)addr;
addr += sizeof(struct section_64);
if (strcmp("__info_plist", sect->sectname) != 0) continue;
// It's the __TEXT __info_plist section
NSData *data = [NSData dataWithBytes:(start_addr + sect->offset)
length:sect->size];
plist = [NSPropertyListSerialization propertyListWithData:data
options:NSPropertyListImmutable
format:NULL
error:NULL];
goto END_MMAP;
}
}
END_MMAP:
munmap(addr, size);
END_FILE:
close(fd);
END_FUNCTION:
return plist;
}
and:
NSURL *url = [NSURL fileURLWithPath:@"/path/to/some/file"];
id plist = embeddedPlist(url);
if ([plist isKindOfClass:[NSDictionary class]]) {
NSDictionary *info = plist;
id someValue = [info objectForKey:someKey];
}
Note that embeddedPlist() has some limitations: it expects the file to be a thin Mach-O file (i.e., it will crash with non-Mach-O files and it won’t work with fat files containing, for example, both i386 and x86_64 Mach-O data); it only works with x86_64 files; it doesn’t report errors.
I went ahead and released BVPlistExtractor under the MIT licence. It detects whether the file is indeed a thin Mach-O file or a fat/universal file, and works with both i386 and x86_64.
Solution 2:
There's a CoreFoundation function for that: CFBundleCopyInfoDictionaryForURL(). From the documentation:
For a directory URL, this is equivalent to
CFBundleCopyInfoDictionaryInDirectory. For a plain file URL representing an unbundled application, this function will attempt to read an information dictionary either from the (__TEXT,__info_plist) section of the file (for a Mach-O file) or from aplstresource.
It's available on Mac OS X v10.2 and later. If you use in Cocoa you can do this (provided you have an (NSURL*)url for the bundle):
NSDictionary* infoPlist = [ (NSDictionary*) CFBundleCopyInfoDictionaryForURL( (CFURLRef) url ) autorelease];
Solution 3:
User's computer would not probably have otool installed, and I had the same problem. The solution was to use launchctl, which is guaranteed to be present at any modern Mac.
It has a plist subcommand which does the following:
Prints the the property list embedded in the __TEXT,__info_plist segment/section
of the target Mach-O or the specified segment/section.
If you do not specify the section, it prints __TEXT by default. The only argument to provide is the path to the executable:
launchctl plist /Library/PrivilegedHelperTools/com.sparklabs.ViscosityHelper
If you have given path, output might be something like this:
{
"CFBundleIdentifier" = "com.sparklabs.ViscosityHelper";
"SMAuthorizedClients" = (
"anchor apple generic and identifier "com.viscosityvpn.Viscosity" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "34XR7GXFPX")";
);
"CFBundleName" = "ViscosityHelper";
"CFBundleVersion" = "548";
"CFBundleInfoDictionaryVersion" = "6.0";
};
It can be used in command-line as well as from code via NSTask (Process in swift) class.
Solution 4:
A much simpler approach:
#include <mach-o/getsect.h>
unsigned long *len;
char *data = getsectdata("__TEXT", "__info_plist");
man getsectdata. There's lots of examples on how to access various pieces (current executable, arbitrary executable, framework, etc).