From c1d9a5379ce7b76b51f8f5f1eee8e74f9946bfe5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 24 Oct 2016 16:40:54 +0200
Subject: [PATCH] Improved DirtyCOW Rule

---
 yara/gen_dirtycow.yar | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/yara/gen_dirtycow.yar b/yara/gen_dirtycow.yar
index dad24e6..72005ea 100644
--- a/yara/gen_dirtycow.yar
+++ b/yara/gen_dirtycow.yar
@@ -34,9 +34,12 @@ rule Linux_DirtyCow_Exploit {
 $s2 = "/proc/%d/mem"
 $s3 = "/proc/self/map"
 $s4 = "/proc/%d/map"
+
+$p1 = "pthread_create" fullword ascii
+$p2 = "pthread_join" fullword ascii
 condition:
 ( uint16(0) == 0x457f and $a1 ) or all of ($b*) or 3 of ($source*) or
-( uint16(0) == 0x457f and 1 of ($s*) and filesize < 20KB )
+( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
 }
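Review bot: Changing the last clause to `1 of ($s*) and all of ($p*)` makes that branch depend on both pthread symbol names being present as plain strings, so a statically linked and stripped build of an otherwise matching small ELF would have to satisfy one of the earlier clauses ($a1, $b*, $source*) instead. That is presumably a deliberate trade of coverage for fewer false positives on small ELF files that merely reference /proc paths, but nothing in the rule records it; a comment next to the new strings, e.g. `// $p*: require both thread-API imports alongside the /proc strings to reduce FPs on generic small ELF binaries`, would keep the intent from being lost the next time the condition is tuned. It would also be worth noting the stripped-binary gap in the rule's meta so analysts know the last clause is not meant to be the sole detection path. The rule's header and the $a1/$b*/$source* string definitions lie outside this hunk.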