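import "elf"

/*
  Flags the relocatable ELF object ("droplet") associated with the xz /
  liblzma incident (CVE-2024-3094).  Two independent signals are accepted,
  both restricted to x86-64 ELF files:

    1. Structural: a section count in the window 101..242 together with a
       PROGBITS section whose name matches one of the distinctive per-function
       .text sections (.text.crc64_resolve or .text._get_cpuid).
    2. Content: the byte pattern $1, an x86-64 function prologue (opens with
       endbr64; push rbp; ...), presumably lifted from the object itself.

  Requires the "elf" module.  Iterating a string set in a for-loop needs a
  YARA version that supports string enumerations as iterators
  (NOTE(review): confirm the minimum version for your deployment).
*/
rule ELF_Droplet_Object
{
    meta:
        description = "Droplet object used during xz / liblzma incident"
        reference = "CVE-2024-3094"
        author = "Matthias Weckbecker"

    strings:
        // endbr64; push rbp; mov rbp,rsi; mov r14,rcx; push rbx; mov rbx,rdi;
        // and edi,0x80000000; sub rsp,0x28; mov [rsp+0x18],rdx; mov [rsp+0x10],rcx
        $1 = { f3 0f 1e fa 55 48 89 f5 4c 89 ce 53 48 89 fb 81 e7 00 00 00 80 48 83 ec 28 48 89 54 24 18 48 89 4c 24 10 }

    condition:
        elf.machine == elf.EM_X86_64
        and
        (
            (
                // Section-count window for the droplet object; the bounds are
                // empirical (NOTE(review): re-check against any new samples).
                elf.number_of_sections > 100 and elf.number_of_sections <= 242
                and
                // At least one of the distinctive sections must be present as
                // PROGBITS.  Section indices are 0-based, so the inner range
                // stops at number_of_sections - 1; the original upper bound
                // probed one index past the last section (undefined -> false,
                // so harmless, but an off-by-one nonetheless).
                for any s in (".text.crc64_resolve", ".text._get_cpuid") :
                (
                    for any i in (0 .. elf.number_of_sections - 1) :
                    (
                        elf.sections[i].name == s and
                        elf.sections[i].type == elf.SHT_PROGBITS
                    )
                )
            )
            or $1
        )
}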