Optimizing Mach-O Detection

How to find MachO’s and check their types fast with Python

INTRO

In the past year, while learning the byte structure of Mach-O files, I made the MachOFileFinder tool for identifying Mach-O binaries on macOS.

Snake&Apple I — Mach-O

Recently, I received insightful feedback on Twitter suggesting different ways to optimize the detection process from a few researchers:

In this article, I will share my journey optimizing MachOFileFinder. I will analyze the strengths and weaknesses of various approaches, including Python libraries like lief, python-magic (a wrapper around libmagic), and even a Swift-based solution with CFBundleCopyExecutableArchitectures.

The Original Approach and the Feedback

The original version of MachOFileFinder used the lief library to parse Mach-O binaries, which involved full parsing of the Mach-O file.

This worked well for detailed examination but came with considerable overhead in terms of performance. It also resulted in a complex codebase that was challenging to maintain. With every new version of lief, I had to make minor changes because of the lief symbol rescopes.

Feedback pointed me toward two potential optimizations:

1. CFBundleCopyExecutableArchitectures: Patrick Wardle suggested leveraging this macOS API to quickly identify executable binaries without needing to parse files manually.
2. libmagic: Gergely Kalman mentioned using libmagic (the core of the Unix file command - aptly noted by…