Post #1154

@tsecrecord

网络安全笔记 (Cybersecurity Notes)

Views: 1,520
Published: 2024/03/30 15:12
Post content

Detection rule: CVE-2024-3094-p.yara

import "elf"

rule ELF_Droplet_Object {
    meta:
        description = "Droplet object used during xz / liblzma incident"
        reference = "CVE-2024-3094"
        author = "Matthias Weckbecker"
    strings:
        // x86-64 code bytes; the sequence opens with endbr64 (f3 0f 1e fa)
        $1 = { f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 }
    condition:
        // Matches an x86-64 ELF that either
        //   (a) has 101 to 242 sections, one of which is a PROGBITS section
        //       named .text.crc64_resolve or .text._get_cpuid, or
        //   (b) contains the byte pattern $1.
        elf.machine == elf.EM_X86_64 and
        (
            (
                elf.number_of_sections > 100 and
                elf.number_of_sections <= 242 and
                for any s in (".text.crc64_resolve", ".text._get_cpuid"): (
                    for any i in (0 .. elf.number_of_sections): (
                        ((elf.sections[i].name == s) and (elf.sections[i].type == elf.SHT_PROGBITS))
                    )
                )
            ) or $1
        )
}