23 lines
954 B
Text
23 lines
954 B
Text
|
include "../../MachO.yara"
|
||
|
|
||
|
rule hacktool_macos_macpmem
|
||
|
{
|
||
|
meta:
|
||
|
description = "MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers."
|
||
|
reference = "https://github.com/google/rekall/tree/master/tools/osx/MacPmem"
|
||
|
author = "@mimeframe"
|
||
|
strings:
|
||
|
// osxpmem
|
||
|
$a1 = "%s/MacPmem.kext" wide ascii
|
||
|
$a2 = "The Pmem physical memory imager." wide ascii
|
||
|
$a3 = "The OSXPmem memory imager." wide ascii
|
||
|
$a4 = "These AFF4 Volumes will be loaded and their metadata will be parsed before the program runs." wide ascii
|
||
|
$a5 = "Pmem driver version incompatible. Reported" wide ascii
|
||
|
$a6 = "Memory access driver left loaded since you specified the -l flag." wide ascii
|
||
|
// kext
|
||
|
$b1 = "Unloading MacPmem" wide ascii
|
||
|
$b2 = "MacPmem load tag is" wide ascii
|
||
|
condition:
|
||
|
MachO and 2 of ($a*) or all of ($b*)
|
||
|
}
|