VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

macOS: can not attach to process #2017

Closed jpohls1 closed 7 months ago

jpohls1 commented 7 months ago

Describe the bug

When attempting to scan a process on macOS (M1) I often get the error message:

can not attach to process (try running as root)

Same result when running as root.

To Reproduce

sh-3.2# whoami
root
sh-3.2# ps 16200
  PID   TT  STAT      TIME COMMAND
16200   ??  S      0:06.67 /Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/
sh-3.2# yara example.yara 16200
error scanning 16200: can not attach to process (try running as root)

Replace 16200 with an appropriate PID

Additional context

Interestingly, some processes can be scanned successfully. I did not figure out what determines that but something like

❯ python3
Python 3.11.6 (main, Oct  2 2023, 13:45:54) [Clang 15.0.0 (clang-1500.0.40.1)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getpid()
17244

allows successful scanning of PID 17244.

plusvic commented 7 months ago

macOS has a feature called System Integrity Protection that may prevent you from attaching to certain processes, even if you are root. I'm not sure if your issue is related to that, but it's very likely. My advice is that you try to attach to those processes with other tools like gdb and see what happens. If the cause is that the SIP mechanism is preventing the attachment, you should have the same problem with other tools. That's an indication that those processes are protected.

You may also disable SIP temporarily and then test: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

jpohls1 commented 7 months ago

Thanks, that makes sense. I used lldb following this thread and it matches the behavior of Yara: If Yara can scan the process memory then lldb can attach to it as well and vice versa. Note, however, I just performed a very limited number of tests.

Since this is a company laptop I am hesitant to disable the System Integrity Protection but most likely that is the root cause as it is also mentioned in the Stack Overflow post.

So it seems like there is not too much that can be done about this from the Yara side except maybe document it.
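The check plusvic suggests (if another debugger is also refused, the process is protected rather than YARA being at fault) and the lldb comparison jpohls1 ran by hand can be scripted so that a whole list of PIDs is triaged consistently. The script below is an added example written for this page; it is not YARA project code and was not posted in the thread. It assumes the yara invocation from the report (yara example.yara PID), that lldb's batch-mode attach refusal contains the words "attach failed", and that csrutil status prints "System Integrity Protection status: enabled" when SIP is on; the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added troubleshooting helper (not part of YARA or of this issue's own text).
# It automates the check suggested in the thread: when yara reports
# "can not attach to process", try attaching with lldb as well. If lldb is
# refused too, the process is most likely protected by SIP (or another macOS
# process-protection mechanism) rather than failing because of a YARA defect.
#
# Assumptions: the "csrutil status" wording and the lldb "attach failed" wording
# below are what current macOS releases print; adjust them if yours differ.

YARA_ATTACH_MSG='can not attach to process'   # exact text from the bug report
LLDB_ATTACH_MSG='attach failed'               # assumed lldb refusal wording

# Return 0 when the given yara stderr text is the attach failure from the issue.
is_yara_attach_error() {
    printf '%s\n' "$1" | grep -q "$YARA_ATTACH_MSG"
}

# Return 0 when the given lldb output shows that attaching was refused.
is_lldb_attach_refused() {
    printf '%s\n' "$1" | grep -q "$LLDB_ATTACH_MSG"
}

# Return 0 when the given "csrutil status" text reports SIP enabled.
sip_enabled_from_status() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Classify one PID from three observations (yara exit code, yara stderr text,
# lldb output). Prints exactly one of:
#   scanned            yara succeeded
#   likely-protected   yara and lldb both refused to attach
#   yara-only-failure  lldb attached but yara did not (worth reporting to YARA)
#   other-error        yara failed for an unrelated reason (bad rules file, ...)
classify_pid() {
    yara_rc=$1; yara_err=$2; lldb_out=$3
    if [ "$yara_rc" -eq 0 ]; then
        echo scanned
    elif is_yara_attach_error "$yara_err"; then
        if is_lldb_attach_refused "$lldb_out"; then
            echo likely-protected
        else
            echo yara-only-failure
        fi
    else
        echo other-error
    fi
}

# Live driver: scan each PID given on the command line with the rules file in
# RULES (default example.yara, as in the report). It needs macOS with yara and
# lldb installed; the functions above are pure and can be exercised anywhere.
triage_pids() {
    rules=${RULES:-example.yara}
    for pid in "$@"; do
        # Capture yara's stderr (the error text) and discard its match output.
        yara_err=$(yara "$rules" "$pid" 2>&1 >/dev/null); yara_rc=$?
        lldb_out=''
        if [ "$yara_rc" -ne 0 ] && is_yara_attach_error "$yara_err"; then
            # Batch-mode attach followed by an immediate detach; only the
            # verdict text matters. Constructed sample of a refusal:
            #   error: attach failed: Not allowed to attach to process.
            lldb_out=$(lldb -p "$pid" --batch -o detach 2>&1)
        fi
        printf '%s\t%s\n' "$pid" "$(classify_pid "$yara_rc" "$yara_err" "$lldb_out")"
    done
    if sip_enabled_from_status "$(csrutil status 2>/dev/null)"; then
        echo 'note: SIP is enabled; likely-protected PIDs cannot be scanned by yara on this machine'
    fi
}

# Usage: sh yara_attach_triage.sh 16200 17244
if [ $# -gt 0 ]; then
    triage_pids "$@"
fi
```

A PID that comes back as likely-protected is expected behaviour on a SIP-enabled Mac and is the case this issue documents; a yara-only-failure verdict is the one that would still be worth a new bug report, since it means lldb could attach where yara could not.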