[libs][yara] enable and compile the macho module on macOS by sharvilshah · Pull...
source link: https://github.com/osquery/osquery/pull/7174
We don't have libyara's macho module compiled and enabled currently; this causes a "yara: compilation error"
for signature files that include the macho module:
import "macho"

rule macho {
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf
}
osquery> select * from yara where path like '/tmp/%' and sigfile = '/tmp/macho_test.sig' and count > 0;
+---------------+---------+-------+-----------+---------------------+---------+------+
| path | matches | count | sig_group | sigfile | strings | tags |
+---------------+---------+-------+-----------+---------------------+---------+------+
| /tmp/osqueryd | macho | 1 | | /tmp/macho_test.sig | | |
+---------------+---------+-------+-----------+---------------------+---------+------+
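The rule in the pull request only compares the little-endian 32-bit word at offset 0 against the two host-order Mach-O magics, which is what YARA's uint32(0) does. The following added example (my own code, not osquery's or libyara's) reproduces that exact condition in Python and then generalises it to the big-endian and fat/universal header variants that the rule misses and that libyara's macho module parses for you. The header constants come from <mach-o/loader.h> and <mach-o/fat.h>; the sample headers are constructed (magic and cputype only, not real binaries), and the nfat_arch bound used to separate fat headers from Java class files is a heuristic assumption.

```python
"""Classify Mach-O files by their header magic.

Added example, not osquery or libyara code. pr_rule_matches() mirrors the
pull request's test rule; classify_macho() covers the header forms that
rule does not.
"""
import struct

# Magic values from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xfeedface      # 32-bit Mach-O, stored in host byte order
MH_MAGIC_64 = 0xfeedfacf   # 64-bit Mach-O, stored in host byte order
FAT_MAGIC = 0xcafebabe     # fat/universal header, always big-endian on disk

# CPU types, used only to build the constructed samples below
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000c


def yara_uint32(data: bytes, offset: int) -> int:
    """YARA's uint32(offset): an unsigned little-endian 32-bit read."""
    return struct.unpack_from('<I', data, offset)[0]


def pr_rule_matches(data: bytes) -> bool:
    """Exact condition of the pull request's test rule."""
    if len(data) < 4:
        return False
    return yara_uint32(data, 0) in (MH_MAGIC, MH_MAGIC_64)


def classify_macho(data: bytes):
    """Return (kind, byte_order) for a Mach-O or fat header, else None.

    kind is 'macho32', 'macho64' or 'fat'; byte_order is 'little' or 'big'.
    """
    if len(data) < 8:
        return None
    magic_le = yara_uint32(data, 0)
    magic_be = struct.unpack_from('>I', data, 0)[0]
    if magic_le == MH_MAGIC:
        return ('macho32', 'little')
    if magic_le == MH_MAGIC_64:
        return ('macho64', 'little')
    if magic_be == MH_MAGIC:      # bytes fe ed fa ce: big-endian (e.g. PowerPC) image
        return ('macho32', 'big')
    if magic_be == MH_MAGIC_64:
        return ('macho64', 'big')
    if magic_be == FAT_MAGIC:
        # Java class files share 0xcafebabe. A fat header has a small
        # big-endian nfat_arch at offset 4; a class file has minor/major
        # version there (major >= 45). The < 30 bound is a heuristic assumption.
        nfat_arch = struct.unpack_from('>I', data, 4)[0]
        if 0 < nfat_arch < 30:
            return ('fat', 'big')
    return None


# Constructed sample headers (magic + one field only; not real binaries)
SAMPLE_X86_64 = struct.pack('<II', MH_MAGIC_64, CPU_TYPE_X86_64)
SAMPLE_ARM64 = struct.pack('<II', MH_MAGIC_64, CPU_TYPE_ARM64)
SAMPLE_BE_32 = struct.pack('>II', MH_MAGIC, 0x12)       # PowerPC-style, big-endian
SAMPLE_FAT = struct.pack('>II', FAT_MAGIC, 2)            # two-slice fat header
SAMPLE_CLASS = struct.pack('>IHH', FAT_MAGIC, 0, 52)     # Java 8 class file header
SAMPLE_ELF = b'\x7fELF' + b'\x00' * 12                   # not Mach-O at all


def compare_samples():
    """Map sample name -> (pull request rule hit, classify_macho result)."""
    results = {}
    for name, blob in [('x86_64', SAMPLE_X86_64), ('arm64', SAMPLE_ARM64),
                       ('be32', SAMPLE_BE_32), ('fat', SAMPLE_FAT),
                       ('class', SAMPLE_CLASS), ('elf', SAMPLE_ELF)]:
        results[name] = (pr_rule_matches(blob), classify_macho(blob))
    return results


if __name__ == '__main__':
    for name, (rule_hit, parsed) in compare_samples().items():
        print(f'{name:7s} pr_rule={str(rule_hit):5s} parsed={parsed}')
```

Running it shows that the plain uint32(0) rule fires on the x86_64 and arm64 samples but not on the big-endian or fat headers, which is the gap the macho module closes: with the module compiled in, a rule can test macho.magic, macho.cputype or walk the fat slices instead of hand-rolling byte-order checks.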