Yara rules with jump constructs would make it easy to get code execution in the kernel.
On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields <[email protected]> wrote:

> If you are infected with a rootkit, moving YARA into the kernel is not an
> answer, since the rootkit has full access to muck around with YARA even if
> it is in the kernel.
>
> My recommendation is: don't run YARA on a system which is potentially
> compromised with a rootkit like you describe. If the kernel of the system
> is compromised, you can no longer trust it.
>
> Sure, it's possible to put YARA in the kernel, but it isn't going to get
> you anything if your concern is rootkits.
>
> -- WXS
>
>> On Mar 18, 2016, at 1:19 AM, 慎增刘 <[email protected]> wrote:
>>
>> YARA is so powerful in malware matching. Sometimes people want to check
>> files that are attached to file-system hooks. So how about importing YARA
>> (or just libyara) into the Linux kernel? Is it possible? Is there any
>> advice? Thanks for each response.

-- You received this message because you are subscribed to the Google Groups "YARA" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
