fix: add base address to elf entrypoint during process scanning (#1989)

As is done for PE, the entrypoint computed during process memory scanning should be added to the base address of the block, so that the returned value is the process address of the entrypoint.
VirusTotal · Nov 16, 2023 · 587c10a · 587c10a
1 parent 1256631
commit 587c10a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/libyara/exefiles.c b/libyara/exefiles.c
@@ -405,15 +405,15 @@ uint64_t yr_get_entry_point_address(
     elf_header32 = (elf32_header_t*) buffer;
 
     if (elf_header32->type == ELF_ET_EXEC)
-      return elf_header32->entry;
+      return base_address + elf_header32->entry;
 
     break;
 
   case ELF_CLASS_64:
     elf_header64 = (elf64_header_t*) buffer;
 
     if (elf_header64->type == ELF_ET_EXEC)
-      return elf_header64->entry;
+      return base_address + elf_header64->entry;
 
     break;
   }