-- Inspired by Operation Earth Berberoka
-- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf

SELECT
  file.path,
  uid,
  gid,
  mode,
  mtime,
  ctime,
  type,
  size,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
    file.path LIKE "/usr/lib/udev/rules.d/%"
    AND file.size < 180
AND file.path NOT IN (
    "/usr/lib/udev/rules.d/60-rfkill.rules",
    "/usr/lib/udev/rules.d/50-apport.rules",
    "/usr/lib/udev/rules.d/60-net.rules",
    "/usr/lib/udev/rules.d/61-mutter.rules",
    "/usr/lib/udev/rules.d/66-saned.rules",
    "/usr/lib/udev/rules.d/70-hypervfcopy.rules",
    "/usr/lib/udev/rules.d/70-hypervkvp.rules",
    "/usr/lib/udev/rules.d/70-hypervvss.rules",
    "/usr/lib/udev/rules.d/70-spice-vdagentd.rules",
    "/usr/lib/udev/rules.d/70-spice-webdavd.rules",
    "/usr/lib/udev/rules.d/75-probe_mtd.rules",
    "/usr/lib/udev/rules.d/85-hdparm.rules",
    "/usr/lib/udev/rules.d/85-regulatory.rules",
    "/usr/lib/udev/rules.d/90-daxctl-device.rules",
    "/usr/lib/udev/rules.d/91-drm-modeset.rules",
    "/usr/lib/udev/rules.d/96-e2scrub.rules",
    "/usr/lib/udev/rules.d/99-fuse.rules",
    "/usr/lib/udev/rules.d/99-fuse3.rules",
    "/usr/lib/udev/rules.d/99-libsane1.rules",
    "/usr/lib/udev/rules.d/99-nfs.rules",
    "/usr/lib/udev/rules.d/99-qemu-guest-agent.rules"
)