A code cave is a series of unused bytes in a process's memory. The code cave inside a process's memory is often a reference to a section that has capacity for injecting custom instructions.
The concept of a code cave is often employed by hackers and reverse engineers to execute arbitrary code in a compiled program. It can be a helpful method to make modifications to a compiled program in the example of including additional dialog boxes, variable modifications or even the removal of software key validation checks. Often using a call instruction commonly found on many CPU architectures, the code jumps to the new subroutine and pushes the next address onto the stack. After execution of the subroutine a return instruction can be used to pop the previous location off of the stack into the program counter. This allows the existing program to jump to the newly added code without making significant changes to the program flow itself.
- Easy and fast – This means the modification process is fast and easy. When modifying the existing code with tools such as Ollydbg, the added functions can be assembled and tested without any external dependencies.
- No need for source – Using code caves can be extremely efficient even if there is no source code provided for the programmer. This allows for the programmer to make adjustments such as adding or removing functions in the code without having to rewrite the entire program or link any external dependencies into an existing project.
- Easy to break the program – In many cases the executable file is modified. This means that there may not be an existing code cave in the existing script for any code injection due to the lack of resources provided in script. Any replacement of the existing script may lead to program failure/crash.
- Lack of versatility – Injecting code into an existing script means that the limited space given only allows for simple instruction modifications and the language used is only assembly. This can be mitigated by the use of shared library injectors (DLL injection [Windows] or LD_PRELOAD [Linux]) such that the injected library contains already compiled code and existing instructions in the target binary are simply modified to use it.
- pycave: Simple tool to find code caves in Portable Executable (PE) files.
- Ollydbg: a debugger for code analysis. It traces the script calls and executes, as well as displays any iterations in the libraries and binaries. Code can be injected or removed into/from the EXE file directly with this debugger.
- PE: Explorer: it allows a user to open and edit executable files called PE files (portable executable files). This includes .EXE, .DLLs and other less common file types.
- Cheat Engine: a powerful tool that reads process memory and writes process memory. This means any client-side data values can be changed and edited. It also can display changes in the values.
- TSearch: a powerful tool that reads process memory and writes process memory. Like Cheat Engine, it can change client-side values data.