Closed jpohls1 closed 7 months ago
MacOS has a feature called System Integrity Protection that may prevent you from attaching to certain processes, even if you are root. I'm not sure if your issue is related to that, but it's very likely. My advice is that you try to attach to those processes with other tools like gdb
and see what happens. If the cause is that the SIP mechanism is preventing the attachment, you should have the same problem with other tools. That's an indication that those processes are protected.
You may also disable SIP temporarily and then test: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
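The comparison suggested above (check whether a debugger can attach before blaming YARA, and look at the SIP state) as an added example, not code from the issue thread or the YARA project. It assumes macOS with csrutil, lldb and yara on PATH; the rule file path and the PID are placeholders, and the attach probe is read-only (attach, then detach).

```sh
#!/bin/sh
# Added example, not from the issue thread or YARA itself: probe one PID with
# lldb and with yara and report the SIP state, so a SIP-protected process can be
# told apart from a YARA-side problem. Assumed inputs: a PID on the command
# line and a rule file at $RULES (placeholder path below).
RULES="${RULES:-/path/to/rules.yar}"   # placeholder, not from the issue

# Map the text of `csrutil status` to "enabled", "disabled" or "unknown".
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Attach with lldb in batch mode and detach immediately; print ok or fail.
# lldb reports a refused attach as an "error:" line, so that is what we key on.
lldb_probe() {
    out=$(lldb --batch -p "$1" -o "process detach" 2>&1)
    case "$out" in
        *"error:"*) echo fail ;;
        *)          echo ok ;;
    esac
}

# Scan the process with yara (a PID as the target scans its memory); print ok
# or fail based on the exit status.
yara_probe() {
    if yara "$RULES" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Classify from the two probe results ($1 = lldb, $2 = yara): both failing
# together is consistent with SIP protection, a split result is worth a report.
classify() {
    if [ "$1" = ok ] && [ "$2" = ok ]; then
        echo "scannable: both lldb and yara can reach the process"
    elif [ "$1" = fail ] && [ "$2" = fail ]; then
        echo "protected: neither tool can attach (consistent with SIP)"
    else
        echo "inconsistent: lldb=$1 yara=$2, worth reporting to YARA"
    fi
}

main() {
    pid="$1"
    echo "user: $(id -un)  SIP: $(sip_state "$(csrutil status 2>&1)")"
    echo "pid $pid: $(classify "$(lldb_probe "$pid")" "$(yara_probe "$pid")")"
}

# Only run the probes when a PID was given, so the functions can be sourced.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Run it once as a normal user and once as root against the same PID; if both tools fail in both cases the process is protected and there is nothing to change on the YARA side.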
Thanks, that makes sense. I used lldb following this thread and it matches the behavior of Yara: if Yara can scan the process memory then lldb can attach to it as well, and vice versa. Note, however, that I only performed a very limited number of tests.
Since this is a company laptop I am hesitant to disable System Integrity Protection, but most likely that is the root cause, as it is also mentioned in the Stack Overflow post.
So it seems like there is not too much that can be done about this from the Yara side except maybe document it.
Describe the bug
When attempting to scan a process on macOS (M1) I often get the error message:
Same result when running as root.
To Reproduce
Replace 16200 with an appropriate PID.
Additional context
Interestingly, some processes can be scanned successfully. I did not figure out what determines that but something like
allows successful scanning of PID 17244.