From 44c5a3bb7939750315b22181d5af1511b91b96ef Mon Sep 17 00:00:00 2001
From: elfmaster <ryan@bitlackeys.org>
Date: Wed, 6 Mar 2019 15:03:57 -0800
Subject: [PATCH] updated README and added elf_ehdr_size

---
 TODO                   |  7 +++++++
 include/libelfmaster.h |  2 +-
 src/libelfmaster.c     | 15 +++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/TODO b/TODO
index f725658..dec6d4f 100644
--- a/TODO
+++ b/TODO
@@ -44,3 +44,10 @@ iteration.
 * Display forensically reconstructed sections in ascending order by sh_addr
 rather than the order they were reconstructed in.
 
+# eh_frame symbol reconstruction with text padding viruses
+
+With a text padding Virus, the parasite ends up in the last section header, which is
+on x86 usually .eh_frame. Because of this, libelfmaster sees the .eh_frame section
+and continues parsing into the parasite code resulting in corrupted FDE data and
+therefore fails. We must handle this situation somehow!
+
diff --git a/include/libelfmaster.h b/include/libelfmaster.h
index a6c7f17..7039795 100644
--- a/include/libelfmaster.h
+++ b/include/libelfmaster.h
@@ -831,7 +831,7 @@ elf_section_count(elfobj_t *obj)
 }
 
 ssize_t elf_phdr_table_size(elfobj_t *);
-
+size_t elf_ehdr_size(elfobj_t *);
 
 /*
  * Modify an elf_segment entry
diff --git a/src/libelfmaster.c b/src/libelfmaster.c
index d6acc5f..6b64037 100644
--- a/src/libelfmaster.c
+++ b/src/libelfmaster.c
@@ -538,6 +538,21 @@ elf_linking_type(elfobj_t *obj)
 	    ELF_LINKING_STATIC;
 }
 
+size_t
+elf_ehdr_size(elfobj_t *obj)
+{
+
+	switch(elf_class(obj)) {
+	case elfclass32:
+		return sizeof(Elf32_Ehdr);
+		break;
+	case elfclass64:
+		return sizeof(Elf64_Ehdr);
+		break;
+	}
+	return 0;
+}
+
 ssize_t
 elf_phdr_table_size(elfobj_t *obj)
 {