// Copyright (C) 2013 Claudio "nex" Guarnieri
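// Flags files that carry a Mach-O magic number somewhere in their body but
// do not themselves begin with one, i.e. a Mach-O image packed inside some
// other container (document, archive, dropper, firmware blob).
//
// Triage notes:
//   * These are bare 4-byte magics with no header validation, so large or
//     high-entropy files can match by chance. Treat a hit as a lead to
//     confirm (e.g. by carving and parsing the header), not as a verdict.
//   * ca fe ba be is also the Java class-file magic, so raw .class data
//     embedded in another file will match $magic1.
//   * Files that start with any Mach-O magic are excluded on purpose:
//     universal (fat) binaries legitimately contain thin Mach-O slices.
rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"

    strings:
        // Universal (fat) binary header, FAT_MAGIC 0xcafebabe.
        $magic1 = { ca fe ba be }
        // 32-bit Mach-O as written by a little-endian host (0xfeedface byte-swapped on disk).
        $magic2 = { ce fa ed fe }
        // 32-bit Mach-O as written by a big-endian host (0xfeedface).
        $magic3 = { fe ed fa ce }
        // 64-bit Mach-O as written by a little-endian host (0xfeedfacf byte-swapped on disk).
        // This is the form used by current x86_64 and arm64 binaries.
        $magic4 = { cf fa ed fe }
        // 64-bit Mach-O as written by a big-endian host (0xfeedfacf).
        $magic5 = { fe ed fa cf }

    condition:
        // Some magic occurs in the file, and the file itself is not a Mach-O.
        // The wildcard keeps the offset-0 exclusion in step with the string
        // list, so a newly added magic cannot be forgotten here.
        any of ($magic*) and not for any of ($magic*) : ( $ at 0 )
}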