Confusion in understanding data fork, resource fork and the MachO file format when viewed all together

Question

Note: I am a newbie to the OS X world. So please take it easy if I ask something noobish.

According to what I have read/understood: MachO's file layout consists of a header, load commands and data segment that contains either executable instructions or data. But after reading about fork s(data & resource) I am confused.

Confusion: In HFS files are not monolithic and doesn't consist of single segment. Apple Mac files usually exist out of two files the data fork and resource fork.They have an identical name and are shown by Mac as a single file. The resource fork contains the code of the program in execuatables.

How did I ponder here? I copied a file named filename from a Mac to my pendrive and opened it on Windows result 2 files ._filename and filename.

Question: Where do these forks fit in the file layout? There is no mention in the file layout about the forks. Are these two forks integrated to make a final mach file? Can the ._filename (resource fork) have malicious code?

Answer 1

The ._filename file does not only contain the resource fork, it also contains Finder metadata, in AppleDouble format.

The resource fork itself can be viewed on an HFS volume by opening filename/..namedfork/rsrc. Forks and other extended attributes can be listed by using ls -l@.

Resource forks are not specific to the Mach-O format (and I do not know if they are used at all for it), they're a feature from classic Mac OS which was extensively used for classic application files, and could store things like string tables, bitmap images, etc.

Malicious code can be hidden anywhere, a virus scanner should be able to detect it even if it is hidden in a resource fork.