Sneed-Reactivity/yara-mikesxrs/nex/embedded_macho.yar

// Copyright (C) 2013 Claudio "nex" Guarnieri
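/*
 * Flags a file that carries a Mach-O (or fat/universal) header somewhere
 * other than offset 0, i.e. a Mach-O image embedded inside another file.
 *
 * Files that themselves start with one of the magics are excluded, so an
 * ordinary Mach-O or universal binary does not match on its own header or
 * on the slices a universal binary normally contains.
 *
 * Triage notes:
 *  - The patterns are bare 4-byte values, so hits in large or
 *    high-entropy files can be coincidental; treat a match as a lead and
 *    confirm that a plausible Mach-O header follows the magic.
 *  - ca fe ba be is also the magic of Java class files, so archives
 *    holding uncompressed .class data can match.
 */
rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"

    strings:
        // Fat/universal header (FAT_MAGIC, stored big-endian on disk).
        $magic1 = { ca fe ba be }
        // 32-bit thin Mach-O, little-endian on disk (MH_MAGIC 0xfeedface).
        $magic2 = { ce fa ed fe }
        // 32-bit thin Mach-O, big-endian on disk.
        $magic3 = { fe ed fa ce }
        // 64-bit thin Mach-O, little-endian on disk (MH_MAGIC_64 0xfeedfacf).
        // Added: without it, embedded x86_64/arm64 images are missed.
        $magic4 = { cf fa ed fe }
        // 64-bit thin Mach-O, big-endian on disk.
        $magic5 = { fe ed fa cf }

    condition:
        // At least one magic is present, and the scanned file does not
        // itself begin with any of them.
        any of ($magic*) and not (for any of ($magic*) : ($ at 0))
}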