Re: Yara - Bus error: 10

2016-03-18 Thread Wesley Shields
What happens if you move the crashing folders off CIF and onto local disk? If it still crashes can you narrow it down to a single file and rule (or set of rules) that crash? If you can do that then I can try to replicate and debug from there. -- WXS > On Mar 1, 2016, at 6:19 PM, Patrick Olsen

Re: How about importing yara into kernel space ?

2016-03-18 Thread Shiv M
Yara rules with jump constructs would make it easy to get code execution in the kernel. On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields wrote: > If you are infected with a rootkit moving YARA into the kernel is not an > answer since the rootkit has full access to muck around

How about importing yara into kernel space ?

2016-03-18 Thread 慎增刘
Yara is so powerful in malware matching. Sometimes people want to check files, which are attached to file-system hooks. So how about importing yara (or just libyara) into the Linux kernel? Is it possible? Is there any advice? Thanks for each response.

Re: How about importing yara into kernel space ?

2016-03-18 Thread Wesley Shields
Not entirely true. The YARA VM does not run native instructions directly, so if you did manage to jump somewhere other than YARA instructions the VM would likely crash badly. If this can lead to arbitrary code execution, I have no idea. Jumps are not bad. BPF, which runs in the kernel, allows