Another utility rule, this time matching the header of Executable and Linkable Format (ELF) files, the binary format commonly found on Linux systems. The magic bytes `7f 45 4c 46` (`\x7fELF`) sit at offset 0, and because YARA's `uint32()` reads little-endian, the comparison constant is those bytes in reverse order: `0x464c457f`.
rule file_elf_header {
    meta:
        description = "Matches ELF file \x7fELF header as uint32"
        last_modified = "2024-01-02"
        author = "@petermstewart"
        DaysofYara = "2/100"
    condition:
        // bytes 7f 45 4c 46 at offset 0, read as a little-endian unsigned 32-bit integer
        uint32(0) == 0x464c457f
}
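The following is an added example, not code from the post or from the author's repository. It reproduces the rule's condition in Python so the byte-order reasoning can be checked without a YARA install: `uint32_le` mirrors YARA's little-endian `uint32(offset)`, `uint32_be` shows what the same four bytes look like when read big-endian (which is why `0x7f454c46` would not match), and `is_elf` applies the rule to a few constructed sample buffers (an ELF-like header, a PE-like `MZ` header, and a truncated file).

```python
"""Worked example: why the ELF magic matches uint32(0) == 0x464c457f."""
import struct
from typing import Optional

# The four magic bytes at file offset 0 of every ELF binary: 7f 45 4c 46.
ELF_MAGIC_BYTES = b"\x7fELF"
# The constant from the YARA rule: the same bytes interpreted little-endian.
ELF_MAGIC_UINT32_LE = 0x464C457F


def uint32_le(data: bytes, offset: int = 0) -> Optional[int]:
    """Mirror YARA's uint32(offset): 4 bytes, little-endian, unsigned.

    Returns None when fewer than 4 bytes are available, which is the case
    in which YARA's condition simply evaluates to false.
    """
    chunk = data[offset:offset + 4]
    if len(chunk) < 4:
        return None
    return struct.unpack("<I", chunk)[0]


def uint32_be(data: bytes, offset: int = 0) -> Optional[int]:
    """Same bytes read big-endian (YARA's uint32be), shown for contrast."""
    chunk = data[offset:offset + 4]
    if len(chunk) < 4:
        return None
    return struct.unpack(">I", chunk)[0]


def is_elf(data: bytes) -> bool:
    """Python equivalent of the rule's condition: uint32(0) == 0x464c457f."""
    return uint32_le(data, 0) == ELF_MAGIC_UINT32_LE


# Constructed sample inputs (not real files): a minimal ELF-like header,
# a PE-like header starting with "MZ", and a file too short to hold 4 bytes.
SAMPLE_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 12
SAMPLE_SHORT = b"\x7fE"


if __name__ == "__main__":
    print(f"little-endian: {uint32_le(ELF_MAGIC_BYTES):#010x}")  # 0x464c457f
    print(f"big-endian:    {uint32_be(ELF_MAGIC_BYTES):#010x}")  # 0x7f454c46
    for name, buf in (("elf", SAMPLE_ELF), ("pe", SAMPLE_PE), ("short", SAMPLE_SHORT)):
        print(f"{name:>5}: is_elf={is_elf(buf)}")
```

The `SAMPLE_SHORT` case matters in practice: a two-byte file starts with `\x7fE` but cannot satisfy a four-byte read, so the rule correctly stays silent rather than erroring.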
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.