Created
October 15, 2022 02:47
-
-
Save xorhex/0d75316a00bd7c640483935e3dabc131 to your computer and use it in GitHub Desktop.
Look for Go build ID in Macho X86_64 Files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "macho" | |
| rule is_go_macho { | |
| strings: | |
| $go = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 } // \xff Go build ID: \" | |
| condition: | |
| macho.cputype == macho.CPU_TYPE_X86_64 | |
| and | |
| for any s in macho.segments : ( | |
| for any sec in s.sections : ( | |
| sec.sectname == "__text" | |
| and | |
| $go in (sec.addr..sec.addr+sec.size) | |
| ) | |
| ) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment