If you are infected with a rootkit, moving YARA into the kernel is not an answer
since the rootkit has full access to muck around with YARA even if it is in the
kernel.
My recommendation is don't run YARA on a system which is potentially
compromised with a rootkit like you describe. If the
Not entirely true. The YARA VM does not run native instructions directly, so if
you did manage to jump somewhere other than YARA instructions the VM would
likely crash badly. If this can lead to arbitrary code execution, I have no
idea.
Jumps are not bad. BPF, which runs in the kernel, allows
Yara is so powerful in malware matching. Sometimes people want to check
files, which are attached to file-system hooks. So how about importing yara
(or just libyara) into the linux kernel? Is it possible? Is there any
advice? Thanks for each response.
Yara rules with jump constructs would make it easy to get code execution in
the kernel.
On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields wrote:
> If you are infected with a rootkit, moving YARA into the kernel is not an
> answer since the rootkit has full access to muck around