There is a Mach-O module for Yara, but it wasn’t installed on my system. https://github.com/VirusTotal/yara/pull/1100
Unfortunately, I do not have any Mac systems or a good dataset of Mach-O binaries to test this rule with.
Based on the PE and ELF examples in the prior posts, the fastest method has been using integers to identify magic byte sequences at
I was able to find many of these definitions here:
- https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/macho.h and by reading source code on opensource.apple.com
- https://web.archive.org/web/20090901205800/http://developer.apple.com/mac/library/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html
Unfortunately, again, cafebabe is also the signature for compiled Java classes, which introduces a lot of false positives. After reading https://en.wikipedia.org/wiki/List_of_file_signatures, I came up with this rule:
rule macho
{
    meta:
        description = "Mach-O binaries"
    condition:
        // uint32() reads little-endian, so each constant is paired with its byte-swapped twin
        uint32(0) == 0xfeedface or /* MH_MAGIC, 32 bit */
        uint32(0) == 0xcefaedfe or /* MH_CIGAM = NXSwapInt(MH_MAGIC) */
        uint32(0) == 0xfeedfacf or /* MH_MAGIC_64, 64 bit */
        uint32(0) == 0xcffaedfe or /* MH_CIGAM_64 = NXSwapInt(MH_MAGIC_64) */
        uint32(0) == 0xcafebabe or /* FAT_MAGIC */
        uint32(0) == 0xbebafeca or /* FAT_CIGAM = NXSwapLong(FAT_MAGIC); on-disk CA FE BA BE, so Java classes match here too */
        uint32(0) == 0xcafebabf or /* FAT_MAGIC_64 */
        uint32(0) == 0xbfbafeca    /* FAT_CIGAM_64 = NXSwapLong(FAT_MAGIC_64) */
}
I made a separate rule for Java classes:
rule java_class_compiled
{
    meta:
        description = "Java Class"
    condition:
        uint32(0) == 0xbebafeca /* on-disk bytes CA FE BA BE read little-endian; FAT Mach-O binaries match as well */
}
I felt I had spent enough time on this and am accepting the false positives for now, as I don't have a ton of Mach-O binaries or Java classes in my collection. I would like to revisit both of these rules to make them more accurate.
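As an added illustration (not part of the original post or of the YARA project), the following Python mimics YARA's little-endian uint32(0) read over constructed sample headers, shows why both rules above fire on the same Java class file, and tries one way of telling a FAT header from a Java class using bytes 4..7. The classify() heuristic and the JAVA_MIN_MAJOR threshold are assumptions added here, not something the post states.

```python
import struct

# Magic values as defined in Apple's loader.h / fat.h (mirrored in YARA's macho.h).
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit Mach-O, and its byte swap
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit Mach-O, and its byte swap
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA        # FAT, and its byte swap
FAT_MAGIC_64, FAT_CIGAM_64 = 0xCAFEBABF, 0xBFBAFECA  # FAT 64-bit, and its byte swap
JAVA_MIN_MAJOR = 45  # class-file major_version of JDK 1.1; every later JDK is higher

def yara_uint32(data, offset=0):
    """Mimic YARA's uint32(offset): an unsigned 32-bit LITTLE-endian read."""
    return struct.unpack_from("<I", data, offset)[0]

def macho_rule(data):
    """Condition of the post's `macho` rule, evaluated as YARA would."""
    return yara_uint32(data) in {MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64,
                                 FAT_MAGIC, FAT_CIGAM, FAT_MAGIC_64, FAT_CIGAM_64}

def java_class_rule(data):
    """Condition of the post's `java_class_compiled` rule."""
    return yara_uint32(data) == FAT_CIGAM

def classify(data):
    """Tell FAT from Java class (heuristic added here, not from the post): bytes 4..7
    hold a big-endian u2 minor_version + u2 major_version (>= 45) in a Java class,
    but a big-endian u4 nfat_arch (a small architecture count) in a FAT header."""
    if len(data) < 8:
        return None
    magic = yara_uint32(data)
    thin = {MH_MAGIC: "macho32-le", MH_CIGAM: "macho32-be",
            MH_MAGIC_64: "macho64-le", MH_CIGAM_64: "macho64-be"}
    if magic in thin:
        return thin[magic]
    if magic == FAT_CIGAM:  # on-disk bytes CA FE BA BE: FAT *or* Java class
        major_version = struct.unpack_from(">H", data, 6)[0]
        return "java_class" if major_version >= JAVA_MIN_MAJOR else "fat"
    if magic == FAT_CIGAM_64:  # on-disk bytes CA FE BA BF
        return "fat64"
    return None  # FAT_MAGIC / FAT_MAGIC_64 read little-endian would mean on-disk BE BA FE CA

# Constructed sample headers (first 8 bytes meaningful, the rest is zero padding).
MACHO32_LE = bytes.fromhex("cefaedfe") + bytes(12)  # MH_MAGIC stored little-endian (x86)
MACHO64_BE = bytes.fromhex("feedfacf") + bytes(12)  # MH_MAGIC_64 stored big-endian (ppc64)
FAT_2_ARCH = bytes.fromhex("cafebabe00000002") + bytes(8)  # nfat_arch = 2
JAVA_CLASS = bytes.fromhex("cafebabe00000034") + bytes(8)  # minor 0, major 52 (Java 8)

if __name__ == "__main__":
    for blob in (MACHO32_LE, MACHO64_BE, FAT_2_ARCH, JAVA_CLASS):
        print(blob[:4].hex(), macho_rule(blob), java_class_rule(blob), classify(blob))
```

Running it shows the overlap directly: both rules return True for FAT_2_ARCH and for JAVA_CLASS, and only the bytes after the magic separate them.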