
Carving ELF Files


Recently, I created a simple tool, Carve Exe, to carve executables from other files (e.g. memory dumps or network traffic). Carving executables from binary blobs is a common task in digital forensics and reverse engineering, for example when analyzing how a malware sample unpacks and deobfuscates itself.

This blog post discusses how to determine the (beginning and) end of an ELF executable by computing its size from the headers in the file alone. In this post, we discussed carving ELF files from other files/data streams (e.g. memory dumps and network traffic). Similarly, if the ELF file has some sort of appended overlay that is not properly part of a section, these types of analyses will not work.
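The header-only size computation described above, as an added example that is not Carve Exe's code or code from the original post. It assumes the file ends at the furthest byte referenced by the ELF header, the program header table, the section header table, any segment, or any section that occupies file space; the function names and the sample ELF are constructed for illustration.

```python
import struct

SHT_NOBITS = 8  # e.g. .bss: sized in memory, occupies no bytes in the file

def elf_size_from_headers(buf, base=0):
    """Size implied by the headers of the ELF at buf[base:], or None if unparsable."""
    ident = buf[base:base + 6]
    if len(ident) < 6 or ident[:4] != b"\x7fELF" or ident[4] not in (1, 2) or ident[5] not in (1, 2):
        return None
    e = "<" if ident[5] == 1 else ">"          # EI_DATA: 1 = little endian
    try:
        if ident[4] == 2:                      # EI_CLASS: ELF64
            phoff, shoff = struct.unpack_from(e + "QQ", buf, base + 32)
            counts, w, p_off, p_fsz, s_off = base + 52, "Q", 8, 32, 24
        else:                                  # ELF32
            phoff, shoff = struct.unpack_from(e + "II", buf, base + 28)
            counts, w, p_off, p_fsz, s_off = base + 40, "I", 4, 16, 16
        ehsize, phentsize, phnum, shentsize, shnum = struct.unpack_from(e + "5H", buf, counts)
        end = max(ehsize, phoff + phnum * phentsize, shoff + shnum * shentsize)
        for i in range(phnum):                 # segments: p_offset + p_filesz
            p = base + phoff + i * phentsize
            end = max(end, struct.unpack_from(e + w, buf, p + p_off)[0]
                      + struct.unpack_from(e + w, buf, p + p_fsz)[0])
        for i in range(shnum):                 # sections: sh_offset + sh_size
            s = base + shoff + i * shentsize
            offset, size = struct.unpack_from(e + w + w, buf, s + s_off)
            if struct.unpack_from(e + "I", buf, s + 4)[0] != SHT_NOBITS:
                end = max(end, offset + size)
    except struct.error:                       # a table points past the available data
        return None
    return end

def carve_elfs(blob):
    """Yield (offset, bytes) for each ELF whose header-derived size fits inside blob."""
    pos = blob.find(b"\x7fELF")
    while pos != -1:
        size = elf_size_from_headers(blob, pos)
        if size and pos + size <= len(blob):
            yield pos, blob[pos:pos + size]
        pos = blob.find(b"\x7fELF", pos + 1)

def build_sample_elf(code=b"\x90" * 16):
    """Constructed ELF64: header, one PT_LOAD, code bytes, null + NOBITS section headers."""
    shoff = 64 + 56 + len(code)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, shoff, 0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, shoff, shoff, 0x1000)
    sh_bss = struct.pack("<IIQQQQIIQQ", 0, SHT_NOBITS, 3, 0, shoff, 0x4000, 0, 0, 1, 0)
    return ehdr + phdr + code + bytes(64) + sh_bss
```

Carving the constructed sample out of a blob with trailing bytes returns the ELF without those bytes, which is the overlay limitation noted above: data appended after the last header-described region is invisible to this calculation.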
