
ASLR

#define MH_PIE 0x200000                 /* When this bit is set, the OS will
                                           load the main executable at a
                                           random address.  Only used in
                                           MH_EXECUTE filetypes. */

If that flag is set, macOS enables ASLR for the binary, and it gets different load addresses for code, data, heap and stack every time it runs.

$ sudo otool -h '/Library/Application Support/TrendMicro/TmccMac/iCoreService_tmsm'
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777223          3  0x80           2    20       2656 0x00018085

Check the ‘flags’ column for this: 0x00018085 has no 0x200000 bit, so no ASLR. Not here, and not on any other binary with “TrendMicro” in the pathname. And that is why you can’t have nice things.
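The same check as an added script, not part of the original post: it reads the Mach-O header directly and reports whether MH_PIE is set, covering universal (fat) binaries as well as the thin case shown above. The function name `pie_status` and the `SAMPLE` bytes, packed from the otool fields above, are constructed for this example.

```python
import struct
import sys
from pathlib import Path

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O, 32- and 64-bit
FAT_MAGIC = 0xCAFEBABE                          # universal binary, big-endian header
MH_EXECUTE = 0x2                                # filetype of a main executable
MH_PIE = 0x200000                               # the flag quoted above

# Constructed sample: the header fields from the otool output above, little-endian.
SAMPLE = struct.pack("<IIIIIII", 0xFEEDFACF, 16777223, 0x80000003, 2, 20, 2656, 0x00018085)

def pie_status(data, offset=0):
    """Return one (cputype, filetype, flags, has_pie) tuple per Mach-O slice."""
    if len(data) < offset + 28:
        raise ValueError("too short for a Mach-O header")
    (magic_be,) = struct.unpack_from(">I", data, offset)
    if magic_be == FAT_MAGIC and offset == 0:
        (nfat,) = struct.unpack_from(">I", data, 4)
        slices = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, off, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices += pie_status(data, off)
        return slices
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, offset)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
            _, cpu, _, ftype, _, _, flags = struct.unpack_from(endian + "IIIIIII", data, offset)
            # MH_PIE only has meaning for MH_EXECUTE, per the header comment above
            return [(cpu, ftype, flags, ftype == MH_EXECUTE and bool(flags & MH_PIE))]
    raise ValueError("not a Mach-O file")

if __name__ == "__main__":
    blobs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("sample", SAMPLE)]
    for name, blob in blobs:
        for cpu, ftype, flags, pie in pie_status(blob):
            print(f"{name}: cputype={cpu} filetype={ftype} flags={flags:#010x} PIE={'yes' if pie else 'NO'}")
```

Run it with one or more file paths to audit installed binaries; with no arguments it evaluates the embedded sample.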


2 Comments

    • kris kris

      10.12.6. The most current I have not yet installed, because new file system.
