The last rule (at least for now) to identify particular types of executable file. This rule is a bit more complicated due to the number of variations in the MachO specification. It works in the same way as the PE header and ELF header rules though – a simple check for the magic bytes at the beginning of the file.
```yara
rule file_macho_header {
    meta:
        description = "Matches Mach-O file headers as uint32"
        last_modified = "2024-01-03"
        author = "@petermstewart"
        DaysofYara = "3/100"
    condition:
        uint32(0) == 0xfeedface or // MH_MAGIC
        uint32(0) == 0xcefaedfe or // MH_CIGAM
        uint32(0) == 0xfeedfacf or // MH_MAGIC_64
        uint32(0) == 0xcffaedfe or // MH_CIGAM_64
        uint32(0) == 0xcafebabe or // FAT_MAGIC
        uint32(0) == 0xbebafeca    // FAT_CIGAM
}
```
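To see why the rule lists both the magic and its byte-swapped "cigam" twin, here is an added Python check (my own example, not from the original post or the rule's author) that emulates YARA's little-endian `uint32(0)` read over constructed sample headers. It also shows that a Java class file, which starts with the same `CA FE BA BE` bytes as a fat binary, hits the FAT_CIGAM branch, a false-positive source the rule on its own does not filter.

```python
import struct
from typing import Dict, Optional

# Magic constants exactly as listed in the rule above.
MACHO_MAGICS = {
    0xfeedface: "MH_MAGIC",
    0xcefaedfe: "MH_CIGAM",
    0xfeedfacf: "MH_MAGIC_64",
    0xcffaedfe: "MH_CIGAM_64",
    0xcafebabe: "FAT_MAGIC",
    0xbebafeca: "FAT_CIGAM",
}


def yara_uint32(data: bytes, offset: int = 0) -> Optional[int]:
    """Emulate YARA's uint32(offset): an unsigned 32-bit little-endian read.

    YARA's integer functions are little-endian regardless of the file's own
    byte order, which is why a big-endian magic shows up byte-swapped.
    Returns None when the file is too short, mirroring an undefined read.
    """
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def match_macho_header(data: bytes) -> Optional[str]:
    """Return the constant name the rule's condition would match on, or None."""
    value = yara_uint32(data)
    return MACHO_MAGICS.get(value) if value is not None else None


# Constructed sample file prefixes (first bytes only, not real binaries).
SAMPLES = {
    # Little-endian 64-bit Mach-O (x86_64/arm64) stores MH_MAGIC_64 as CF FA ED FE,
    # so the little-endian read yields 0xfeedfacf.
    "macho64_le": bytes.fromhex("cffaedfe"),
    # A big-endian Mach-O stores FE ED FA CE on disk; read little-endian that is MH_CIGAM.
    "macho32_be": bytes.fromhex("feedface"),
    # Universal (fat) binaries store FAT_MAGIC big-endian: CA FE BA BE -> FAT_CIGAM.
    "fat": bytes.fromhex("cafebabe"),
    # Java class files share the CA FE BA BE prefix (followed by minor/major version).
    "java_class": bytes.fromhex("cafebabe00000034"),
    "elf": bytes.fromhex("7f454c46"),
    "truncated": bytes.fromhex("cffa"),
}


def classify_samples() -> Dict[str, Optional[str]]:
    """Run the emulated rule over every constructed sample."""
    return {name: match_macho_header(blob) for name, blob in SAMPLES.items()}
```

A practitioner who wants to exclude Java class files can pair the rule with a `not` clause on the bytes that follow the magic, or triage FAT_CIGAM hits separately.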
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.