dissect.target.plugins.os.unix.bsd.darwin._os

Module Contents

Classes

DarwinPlugin

Darwin plugin.

Functions

detect_macho_arch

Detect the architecture of the system by reading the Mach-O headers of the provided binaries.

Attributes

ARCH_MAP

dissect.target.plugins.os.unix.bsd.darwin._os.ARCH_MAP

class dissect.target.plugins.os.unix.bsd.darwin._os.DarwinPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.os.unix.bsd._os.BsdPlugin

Darwin plugin.

classmethod detect(target: dissect.target.target.Target) → dissect.target.filesystem.Filesystem | None

Provide detection of this OSPlugin on a given filesystem.

Parameters:

fs – Filesystem to detect the OS on.

Returns:

The root filesystem / sysvol when found.

misc_user_paths() → collections.abc.Iterator[tuple[str, tuple[str, str] | None]]

Yields miscellaneous user paths and user keys.

Example

(“c:/Windows/ServiceProfiles/LocalService”, (“sid”, “S-1-5-19”))

dissect.target.plugins.os.unix.bsd.darwin._os.detect_macho_arch(paths: list[str | pathlib.Path], fs: dissect.target.filesystem.Filesystem | None = None) → str | None

Detect the architecture of the system by reading the Mach-O headers of the provided binaries.

We could use the mach-o magic headers (feedface, feedfacf, cafebabe), but the mach-o cpu type also contains bitness.

Parameters:

• paths – List of strings or Path objects.

• fs – Optional filesystem to search the provided paths in. Required if paths is a list of strings.

Returns:

Detected architecture (e.g. arm64) or None.

References

• https://github.com/opensource-apple/cctools/blob/master/include/mach/machine.h