You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi,
I was wondering if it's possible to have the size of an ELF file on the disk, based on the information in its header ?
If I understood well, e_shoff + (e_shentsize * e_shnum) is not always equal to the size on the disk.
Thanks!
The text was updated successfully, but these errors were encountered:
Randomly saw this issue at the top of my feed- I'm wondering what you intend to use this for. I ask because for certain use-cases, exposing this as a calculated value based on abstracted header values could be a bit dangerous if not very carefully and clearly documented
I'm thinking specifically of cases involving forensic analysis, where malware could take advantage of this behavior to fool analysis logic
I'm not associated with the pyelftools project, so feel free to ignore my question- I'm just curious :)
The OP's reference to e_shoff + (e_shentsize * e_shnum) is misguided. That just calculates
the size of the section headers in total. Referring to those section headers
one gets more relevant data but one has to be aware of the Elf ABI rules. For example
SHT_NOBITS sh_type has no bits at all though it may have a large sh_size.
All this is well documented on the web.
@LafLaurine No. The ELF format perfectly allows for arbitrary gaps (past the header) and arbitrary trailing space. The loader is not supposed to read it sequentially.
Hi,
I was wondering if it's possible to have the size of an ELF file on the disk, based on the information in its header ?
If I understood well,
e_shoff + (e_shentsize * e_shnum)
is not always equal to the size on the disk.Thanks!
The text was updated successfully, but these errors were encountered: