
// Detection rule for Exploit:MacOS/DirtyCow.E!MTB, converted from a Microsoft
// Defender signature of type SIGNATURE_TYPE_MACHOHSTR_EXT (a Mach-O string
// signature, as recorded in the description meta below).
//
// Each $a_* pattern is a hex-encoded ASCII string; the trailing comment on
// each line gives the decoded text. The decoded strings read as log/format
// strings and symbol names (e.g. vm_read_overwrite status counters,
// vm_unaligned_copy_switch_race, _switcheroo), which is consistent with the
// rule name, but that association is inferred from the strings themselves.
//
// NOTE(review): the original signature header ("04 00 04 00 07 00 00 01 00")
// and the per-string "01 00" annotations presumably encode a match threshold
// and per-string weights; the converted condition collapses that to
// `any of ($a_*)`, so a single match on a generic platform string such as
// com.apple.mobilegestalt.plist or SBDontLockAfterCrash is sufficient to fire.
// Expect a higher false-positive rate than the native Defender signature and
// confirm the threshold semantics before relying on this rule for blocking.
rule Exploit_MacOS_DirtyCow_E_MTB{
meta:
description = "Exploit:MacOS/DirtyCow.E!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 07 00 00 01 00 "
strings :
$a_00_0 = {76 6d 5f 72 65 61 64 5f 6f 76 65 72 77 72 69 74 65 3a 20 4b 45 52 4e 5f 53 55 43 43 45 53 53 3a 25 64 20 4b 45 52 4e 5f 50 52 4f 54 45 43 54 49 4f 4e 5f 46 41 49 4c 55 52 45 3a 25 64 20 6f 74 68 65 72 3a 25 64 } //01 00 vm_read_overwrite: KERN_SUCCESS:%d KERN_PROTECTION_FAILURE:%d other:%d
$a_00_1 = {52 4f 20 6d 61 70 70 69 6e 67 20 77 61 73 20 6d 6f 64 69 66 69 65 64 } //01 00 RO mapping was modified
$a_00_2 = {52 61 6e 20 25 64 20 74 69 6d 65 73 20 69 6e 20 25 6c 64 20 73 65 63 6f 6e 64 73 20 77 69 74 68 20 6e 6f 20 66 61 69 6c 75 72 65 } //01 00 Ran %d times in %ld seconds with no failure
$a_00_3 = {53 42 44 6f 6e 74 4c 6f 63 6b 41 66 74 65 72 43 72 61 73 68 } //01 00 SBDontLockAfterCrash (generic Apple identifier; weak on its own)
$a_00_4 = {63 6f 6d 2e 61 70 70 6c 65 2e 6d 6f 62 69 6c 65 67 65 73 74 61 6c 74 2e 70 6c 69 73 74 } //01 00 com.apple.mobilegestalt.plist (generic Apple file name; weak on its own)
$a_00_5 = {76 6d 5f 75 6e 61 6c 69 67 6e 65 64 5f 63 6f 70 79 5f 73 77 69 74 63 68 5f 72 61 63 65 } //01 00 vm_unaligned_copy_switch_race
$a_00_6 = {5f 73 77 69 74 63 68 65 72 6f 6f } //00 00 _switcheroo
condition:
// Any single listed string is enough for a match; no weighting or minimum
// count is applied here.
any of ($a_*)
}