cgsecurity / testdisk

TestDisk & PhotoRec
https://www.cgsecurity.org/
GNU General Public License v2.0

Length of recovered ELF file incorrect #13

Closed probonopd closed 7 years ago

probonopd commented 7 years ago

It looks like photorec makes no attempt at calculating the correct length of ELF files; instead it just assumes an ELF extends until the start position of the next file it recognizes.

This seems wrong, as the extracted ELF files can be too large and can have garbage at the end.

cgsecurity commented 7 years ago

Running an unknown binary recovered by PhotoRec is a bad idea. Let's append garbage at the end of an ELF:

cat /bin/ls /bin/pwd > ls
chmod a+x ./ls
./ls

The resulting ls binary works; it's not "too large" to run. What problem do you have with such files? Some binaries use tricky headers to prevent analysis by IDA or Hopper from working, but I want photorec to be able to recover them anyway... (see http://www.blog.elfparser.com/)

probonopd commented 7 years ago

Thanks for the explanation. I don't have an issue with it, just noticed that the extracted ELFs can be larger than the original ones.
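
Added example, not part of the thread and not PhotoRec's code: a sketch of the header-based length calculation the issue asks about, for ELF32/ELF64 in either byte order. It returns None when the header tables do not fit the carved data (the "tricky header" case), so the caller keeps the bytes unchanged. The function names and the sample binary are constructed for illustration.

```python
import struct

SHT_NOBITS = 8  # section type that occupies no bytes in the file (.bss)

def elf_expected_size(data):
    """File length implied by the ELF headers, or None if they are unusable."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little endian
    w = "Q" if is64 else "I"                 # width of offset/size fields
    try:
        phoff, shoff, _, ehsize, phentsize, phnum, shentsize, shnum, _ = struct.unpack_from(
            e + w + w + "IHHHHHH", data, 32 if is64 else 28)
        size = max(ehsize, phoff + phentsize * phnum, shoff + shentsize * shnum)
        for i in range(phnum):               # end of every segment's file image
            base = phoff + i * phentsize
            p_off, = struct.unpack_from(e + w, data, base + (8 if is64 else 4))
            p_filesz, = struct.unpack_from(e + w, data, base + (32 if is64 else 16))
            size = max(size, p_off + p_filesz)
        for i in range(shnum):               # end of every section that has file bytes
            base = shoff + i * shentsize
            sh_type, = struct.unpack_from(e + "I", data, base + 4)
            sh_off, sh_size = struct.unpack_from(e + w + w, data, base + (24 if is64 else 16))
            if sh_type != SHT_NOBITS:
                size = max(size, sh_off + sh_size)
    except struct.error:
        return None                          # a table points outside the carved data
    return size if size <= len(data) else None

def trim_carved_elf(data):
    # Caveat: a file that legitimately carries data after its last segment or
    # section (an appended payload) would be cut short by this trim.
    size = elf_expected_size(data)
    return data if size is None else data[:size]

def build_sample_elf64(payload=b"\x90" * 16):
    """Constructed sample: minimal ELF64 LE, one PT_LOAD covering the whole file."""
    total = 64 + 56 + len(payload)
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, total, total, 0x1000)
    return ehdr + phdr + payload

if __name__ == "__main__":
    carved = build_sample_elf64() + b"\x00" * 4096   # simulated trailing garbage
    print(len(carved), "->", len(trim_carved_elf(carved)))
```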