How Malicious ELF Files Evade IDA Pro and What You Can Do About It

The article reveals a novel ELF‑binary manipulation technique that prevents IDA Pro from loading malicious Linux samples, demonstrates reconstruction steps with hex editors, compares other disassemblers, and provides YARA rules and a GitHub script for detection and remediation.

ITPUB

The author describes a new evasion technique observed in recent Linux malware where the ELF program header is deliberately corrupted to point outside the actual file, causing IDA Pro to abort loading with the message “SHT table size or offset is invalid. Continue?”. This manipulation makes the binary appear invalid, yet the file is only truncated and misaligned.

Using ELFTemplate in 010Editor, the corrupted header can be identified and zeroed out, allowing IDA Pro to load the sample. The author notes that other tools such as Radare2, Hopper, and lldb handle the binary without issue, while GDB fails to recognize the format.

To verify the technique, the author created a script that modifies ELF headers to reproduce the problem, then tested the sample across multiple disassemblers. The ease of detection suggests that antivirus engines might also be vulnerable to the same parsing flaw.

Detection in the Wild

Applying a simple YARA rule, the author scanned a large collection of Linux samples and found about 6,000 binaries employing this header‑offset trick, most of which are commercial Android protection shells repurposed for ELF.

VirusTotal analysis of a representative sample showed that nine different scanning engines (ten if counting two from the same vendor) failed to detect the malicious file.

YARA Rule and Remediation Script

The article provides a YARA rule (shown only as an image in the original, so it is not reproduced here) to detect the malformed ELF headers, and notes that the full detection and repair script is available on GitHub.

https://github.com/username/elf‑evade‑script
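The following script is an added example, not the author's GitHub script or the article's YARA rule. It implements the check the article describes (section-header-table fields in the ELF header that point past the end of the file, which is what triggers IDA's "SHT table size or offset is invalid" prompt) and the remediation it describes (zeroing those fields so the disassembler treats the file as having no section headers). It handles both ELF32 and ELF64 and both byte orders, which goes slightly beyond the single case in the text; the field offsets are the standard ELF header layouts. The sample binary it builds is constructed for the demonstration and is not a real malware file.

```python
"""Detect and neutralise ELF files whose section-header-table (SHT) fields
point outside the file. Added example; not the article's own script.
Offsets follow the standard Elf32_Ehdr / Elf64_Ehdr layouts."""
import struct

ELF_MAGIC = b"\x7fELF"

# EI_CLASS -> {field name: (offset in header, struct format)} for the SHT fields
LAYOUT = {
    1: {"e_shoff": (0x20, "I"), "e_shentsize": (0x2E, "H"),
        "e_shnum": (0x30, "H"), "e_shstrndx": (0x32, "H")},   # ELFCLASS32, 52-byte header
    2: {"e_shoff": (0x28, "Q"), "e_shentsize": (0x3A, "H"),
        "e_shnum": (0x3C, "H"), "e_shstrndx": (0x3E, "H")},   # ELFCLASS64, 64-byte header
}
EXPECTED_SHENTSIZE = {1: 40, 2: 64}   # sizeof(Elf32_Shdr), sizeof(Elf64_Shdr)
HEADER_SIZE = {1: 52, 2: 64}


def _header_info(data: bytes):
    """Validate the magic and return (EI_CLASS, struct endianness prefix)."""
    if len(data) < 0x34 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in LAYOUT or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS or EI_DATA")
    if len(data) < HEADER_SIZE[ei_class]:
        raise ValueError("truncated ELF header")
    return ei_class, ("<" if ei_data == 1 else ">")


def read_sht_fields(data: bytes) -> dict:
    """Return the SHT-related header fields as a dict of ints."""
    ei_class, endian = _header_info(data)
    return {name: struct.unpack_from(endian + fmt, data, off)[0]
            for name, (off, fmt) in LAYOUT[ei_class].items()}


def sht_problems(data: bytes) -> list:
    """List the ways the SHT fields disagree with the file; empty list means clean."""
    ei_class, _ = _header_info(data)
    f = read_sht_fields(data)
    if f["e_shoff"] == 0 and f["e_shnum"] == 0:
        return []                     # legitimately has no section headers
    problems = []
    if f["e_shentsize"] != EXPECTED_SHENTSIZE[ei_class]:
        problems.append("e_shentsize %d, expected %d"
                        % (f["e_shentsize"], EXPECTED_SHENTSIZE[ei_class]))
    table_end = f["e_shoff"] + f["e_shentsize"] * f["e_shnum"]
    if f["e_shoff"] >= len(data):
        problems.append("e_shoff 0x%x lies beyond end of file (%d bytes)"
                        % (f["e_shoff"], len(data)))
    elif table_end > len(data):
        problems.append("section header table ends at 0x%x, past end of file"
                        % table_end)
    return problems


def neutralise_sht(data: bytes) -> bytes:
    """Zero e_shoff/e_shentsize/e_shnum/e_shstrndx so tools see 'no section headers'.
    The kernel loader maps the file from program headers only, so the binary still runs."""
    ei_class, endian = _header_info(data)
    buf = bytearray(data)
    for off, fmt in LAYOUT[ei_class].values():
        struct.pack_into(endian + fmt, buf, off, 0)
    return bytes(buf)


def build_sample_elf64(corrupt_sht: bool) -> bytes:
    """Constructed 64-bit little-endian ELF: 64-byte header, 64 placeholder bytes in
    place of code, then a single 64-byte section header. Not a real executable."""
    body = b"\x90" * 64
    sht = b"\x00" * 64
    shoff = 0xFFFFFF00 if corrupt_sht else 64 + len(body)   # corrupted: far past EOF
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,          # e_type ET_EXEC, e_machine x86-64, e_version
        0x400040, 0, shoff,  # e_entry, e_phoff (none), e_shoff
        0, 64, 56, 0,        # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 1, 0)            # e_shentsize, e_shnum, e_shstrndx
    return header + body + sht


if __name__ == "__main__":
    sample = build_sample_elf64(corrupt_sht=True)
    print("before:", sht_problems(sample))       # one finding: e_shoff beyond EOF
    print("after: ", sht_problems(neutralise_sht(sample)))  # []
```

To use it on real samples, read the file bytes and call `sht_problems`; a non-empty result is the header-offset trick (or, less often, a genuinely truncated download), and `neutralise_sht` yields a copy that IDA Pro will load. Keep the original alongside the repaired copy, since hashes and any YARA matches on the header change once the fields are zeroed.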

Implications

Although no active attacks using this method have been observed yet, the technique demonstrates a viable anti‑analysis and anti‑obfuscation strategy that could be adopted by malware authors. Researchers are encouraged to monitor ELF files for such anomalies and share detection scripts.

Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.