A native Swift command-line utility that generates a symhash (and CDHash) for a given Mach-O file or for a directory containing multiple Mach-O binaries. It can also organize files by their symhash and generate a CSV report.
- Download the latest installer from Releases and run it (the installer is codesigned and notarized).
- The executable will be placed in /usr/local/bin/symhash.
- The executable takes a path to a Mach-O file, or to a directory containing multiple Mach-O binaries, as its argument, as in this example:
  symhash /Users/txhaflaire/Downloads/DropFolder/samples/amos/ARM64
- Once run, it provides the following output:
➜ Downloads git:(main) symhash /Users/txhaflaire/Downloads/DropFolder/samples/amos/ARM64
▌ ✔ Success
▌ File: /Users/txhaflaire/Downloads/DropFolder/samples/amos/ARM64
▌
▌ Recommended next steps:
▌ ▸ SHA1: '120f005bf597e7e59168e044ccc3715669118608'
▌ ▸ Symhash: 'bb5f34fb92057662da6cd6a3df9fca8a'
▌ ▸ CDHash: '143ff2777af4812eee4b71101f4cd19406d521f6'
➜ Downloads git:(main) ✗ symhash funky/ -d
▌ ✔ Success
▌ File: /Users/txhaflaire/Downloads/funky/2593b80b7a1bc722b2b003884ccd408c39274d10a89a00ae2c9cee6de78ff34b
▌
▌ Recommended next steps:
▌ ▸ SHA1: 'fc4199081db07b4e1806f5ff157c69c5ed99bbb3'
▌ ▸ Symhash: '94c1eee939dc15f2197fff9030990e40'
▌ ▸ CDHash: '26358206b821c1c4856493a28f38f503c4a118f6'
▌ ✔ Success
▌ File: /Users/txhaflaire/Downloads/funky/295f1aaaddfbb885db2afbf692e333ad4ce560f1bd0160092d132228f5f92671
▌
▌ Recommended next steps:
▌ ▸ SHA1: '6546de6477c7efedb2868eeda7ddf8bf95e24fe8'
▌ ▸ Symhash: '93770cf47c3cbb7b7e98990ccbf9034a'
▌ ▸ CDHash: 'dc5dbb9c5258a6112e577abf68038e586eb544e2'
▌ ✔ Success
▌ File: /Users/txhaflaire/Downloads/funky/289213fe74c50b120084216bd23ce9e820126e4fa605039707f51e01c8080a24
▌
▌ Recommended next steps:
▌ ▸ SHA1: '74e83d9b56d387358fe8b88aba1c0930e6f856ba'
▌ ▸ Symhash: '93770cf47c3cbb7b7e98990ccbf9034a'
▌ ▸ CDHash: '7b41ec6544ca9c87e43657ec07da3a672e0ecf9b'
➜ Downloads git:(main) symhash /Users/txhaflaire/Downloads/DropFolder/samples/amos -e
▌ ✔ Success
▌ CSV export completed
▌
▌ Recommended next steps:
▌ ▸ Open the file at: /Users/txhaflaire/Downloads/DropFolder/samples/amos/symhash_results.csv
▌ ▸ Review the symhashes and cdhashes and compare them in a database like VirusTotal
➜ Downloads git:(main) symhash /Users/txhaflaire/Downloads/DropFolder/samples/amos -o
▌ ✔ Success
▌ Organization complete
▌
▌ Recommended next steps:
▌ ▸ Organized 26 files into symhash-based folders under:
▌ ▸ '/Users/txhaflaire/Downloads/DropFolder/samples/amos'
The -n option takes the file's CDHash and uses the CloudKit API to assess the notary ticket status. Shoutout to Ferdous Saljooki (@malwarezoo) of Jamf for helping out with the notary lookup.
➜ Downloads git:(main) ✗ symhash ~/Downloads/DropFolder/samples/odyssey/auto -n
▌ ✔ Success
▌ File: /Users/txhaflaire/Downloads/DropFolder/samples/odyssey/auto
▌
▌ Recommended next steps:
▌ ▸ SHA1: '95a3d63156aa9746b8fb5d54392f255ee38961c9'
▌ ▸ Symhash: '49b636a66b5d62b9a3f1ba7fcdee5cd4'
▌ ▸ CDHash: 'f277454c9e978002c54b911f3ec1398163b1845c'
▌ ✔ Success
▌ Apple Notarization Ticket
▌
▌ Recommended next steps:
▌ ▸ Ticket version: 1
▌ ▸ Content timestamp: 2025-07-09 20:31:36 +0000
▌ ▸ CDHash count: 1
▌ ▸ Flags: 0x00000001
▌ ▸ Revoked: Yes
▌ ▸ Revocation type: Revoked after notarization by Notary (created date does not equals modified date)
▌ ▸ Created: 2025-07-03 10:06:09 +0000
▌ ▸ Modified: 2025-07-09 20:31:36 +0000
▌ ▸ CDHashes in Ticket: f277454c9e978002c54b911f3ec1398163b1845c
OVERVIEW: Compute Mach-O symhash (MD5 of sorted symbol table), SHA1, and CDHash.

USAGE: Generate a symhash for a given Mach-O file or a directory of Mach-O binaries. Can also organize files by their symhash and export to CSV.

ARGUMENTS:
  <input-path>      Path to a Mach-O file or directory

OPTIONS:
  -d, --directory   Process a directory of Mach-O binaries instead of a single file
  -o, --organize    Organize files by symhash
  -e, --export      Export results to CSV
  -n, --notary      Fetch and parse the Apple notarization ticket for the file's CDHash
  --version         Show the version.
  -h, --help        Show help information.
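
The overview defines the symhash as the MD5 of the sorted symbol table, and the directory run above shows two files with different SHA1 and CDHash values sharing one symhash. The following added example (Python, not the tool's own Swift code) shows why that happens, assuming the commonly published symhash definition (undefined external symbols, sorted, comma-joined, MD5) and thin 64-bit little-endian Mach-O input; `build_sample` and both sample binaries are constructed for illustration, and the tool's own implementation may differ in detail.

```python
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit little-endian Mach-O (fat binaries not handled)
LC_SYMTAB = 0x2
N_STAB, N_TYPE, N_EXT, N_UNDF = 0xE0, 0x0E, 0x01, 0x00

def imported_symbols(data: bytes) -> list[str]:
    """Return the sorted names of undefined external symbols listed by LC_SYMTAB."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    offset, names = 32, []              # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, offset + 8)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):      # each nlist_64 entry is 16 bytes
                strx, n_type, _, _, _ = struct.unpack_from("<IBBHQ", data, symoff + 16 * i)
                if (n_type & N_STAB) or not (n_type & N_EXT) or (n_type & N_TYPE) != N_UNDF:
                    continue            # skip debug, local and locally defined symbols
                end = strtab.find(b"\0", strx)
                names.append(strtab[strx:end if end != -1 else None].decode("utf-8", "replace"))
        offset += cmdsize
    return sorted(names)

def symhash(data: bytes) -> str:
    joined = ",".join(imported_symbols(data)).encode()
    return hashlib.md5(joined, usedforsecurity=False).hexdigest()

def build_sample(symbols, padding=b""):
    """Constructed minimal Mach-O: header, LC_SYMTAB, nlist_64 table, string table."""
    strtab, nlists = b"\0", b""
    for name, n_type in symbols:
        nlists += struct.pack("<IBBHQ", len(strtab), n_type, 0, 0, 0)
        strtab += name.encode() + b"\0"
    symoff = 32 + 24 + len(padding)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(symbols),
                         symoff + len(nlists), len(strtab))
    return header + symtab + padding + nlists + strtab

# Constructed samples: same imports in a different order, different file bytes.
SAMPLE_A = build_sample([("_system", 0x01), ("_getenv", 0x01), ("_main", 0x0F)])
SAMPLE_B = build_sample([("_getenv", 0x01), ("_system", 0x01), ("_helper", 0x0E)],
                        padding=b"\0" * 8)
```

Both samples hash to the same symhash while their SHA1 values differ, which is the clustering property the -o option relies on.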