Sneed-Reactivity/yara-mikesxrs/nex/embedded_macho.yar


// Copyright (C) 2013 Claudio "nex" Guarnieri
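rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"
    strings:
        // Header magics as they appear on disk, from <mach-o/loader.h> and <mach-o/fat.h>.
        // FAT_MAGIC: universal (fat) binary header, always written big-endian.
        // NOTE: 0xCAFEBABE is also the Java class-file magic, so an uncompressed .class
        // file sitting inside a container will fire this rule as well.
        $magic1 = { ca fe ba be }
        // MH_CIGAM: 32-bit Mach-O header written little-endian (i386 on disk).
        $magic2 = { ce fa ed fe }
        // MH_MAGIC: 32-bit Mach-O header written big-endian (ppc on disk).
        $magic3 = { fe ed fa ce }
        // MH_CIGAM_64: 64-bit Mach-O header written little-endian (x86_64 / arm64 on disk).
        // The original rule carried only the 32-bit and fat magics, so a thin 64-bit
        // Mach-O embedded in another file -- the common modern case -- was never reported.
        $magic4 = { cf fa ed fe }
        // MH_MAGIC_64: 64-bit Mach-O header written big-endian (ppc64 on disk).
        $magic5 = { fe ed fa cf }
    condition:
        // Some magic is present somewhere, but none at offset 0: a file that *is* a
        // Mach-O or fat binary is not reported, only a file that carries one inside it.
        // Caveat: a fat binary scanned on its own still matches, because its per-
        // architecture slices place Mach-O magics at non-zero offsets.
        any of ($magic*) and not (for any of ($magic*) : ( $ at 0 ))
}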