Is it possible to have the size of an ELF file on disk

[LafLaurine]

Hi, I was wondering if it's possible to have the size of an ELF file on the disk, based on the information in its header ? If I understood well, e_shoff + (e_shentsize * e_shnum) is not always equal to the size on the disk. Thanks!

[mzpqnxow]

Randomly saw this issue at the top of my feed- I'm wondering what you intend to use this for. I ask because for certain use-cases, exposing this as a calculated value based on abstracted header values could be a bit dangerous if not very carefully and clearly documented

I'm thinking specifically of cases involving forensic analysis, where malware could take advantage of this behavior to fool analysis logic

I'm not associated with the pyelftools project, so feel free to ignore my question- I'm just curious :)

[davea42]

The OP's reference to e_shoff + (e_shentsize * e_shnum) is misguided. That just calculates the size of the section headers in total. Referring to those section headers one gets more relevant data but one has to be aware of the Elf ABI rules. For example SHT_NOBITS sh_type has no bits at all though it may have a large sh_size. All this is well documented on the web.

[sevaa]

@LafLaurine No. The ELF format perfectly allows for arbitrary gaps (past the header) and arbitrary trailing space. The loader is not supposed to read it sequentially.