private rule Macho{ meta: description = "private rule to match Mach

1. private rule Macho
2. {
3. meta:
4. description = "private rule to match Mach-O binaries (copied from Apple's XProtect)"
5. condition:
6. uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
7. }
8.  
9. rule ZoomDaemon
10. {
11. meta:
12. description = "ZoomDaemon and its whitelabels"
13. strings:
14. $ = "zLocalHostWrapper"
15. $ = "ZMClientHelper"
16. $ = "ZMLocalHostMgr"
17. condition:
18. Macho and all of them
19. }