updated README and added elf_ehdr_size

elfmaster · Mar 6, 2019 · 44c5a3b · 44c5a3b
1 parent dd30d0c
commit 44c5a3b
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/TODO b/TODO
@@ -44,3 +44,10 @@ iteration.
 * Display forensically reconstructed sections in ascending order by sh_addr
 rather than the order they were reconstructed in.
 
+# eh_frame symbol reconstruction with text padding viruses
+
+With a text padding Virus, the parasite ends up in the last section header, which is
+on x86 usually .eh_frame. Because of this, libelfmaster sees the .eh_frame section
+and continues parsing into the parasite code resulting in corrupted FDE data and
+therefore fails. We must handle this situation somehow!
+
diff --git a/include/libelfmaster.h b/include/libelfmaster.h
@@ -831,7 +831,7 @@ elf_section_count(elfobj_t *obj)
 }
 
 ssize_t elf_phdr_table_size(elfobj_t *);
-
+size_t elf_ehdr_size(elfobj_t *);
 
 /*
  * Modify an elf_segment entry

diff --git a/src/libelfmaster.c b/src/libelfmaster.c
@@ -538,6 +538,21 @@ elf_linking_type(elfobj_t *obj)
 	    ELF_LINKING_STATIC;
 }
 
+size_t
+elf_ehdr_size(elfobj_t *obj)
+{
+
+	switch(elf_class(obj)) {
+	case elfclass32:
+		return sizeof(Elf32_Ehdr);
+		break;
+	case elfclass64:
+		return sizeof(Elf64_Ehdr);
+		break;
+	}
+	return 0;
+}
+
 ssize_t
 elf_phdr_table_size(elfobj_t *obj)
 {