A code cave is a piece of code that is written to a process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script. This is what is referred to as a Code cave.
Contents
Common Uses
The concept of a code cave is often used by hackers to execute arbitrary code in a compiled program. It can be an extremely helpful tool to make additions and removals to a compiled program including the addition of dialog boxes, variable modification, or removal of software key validation checks. Often using a call instruction commonly found on many CPU's, the code jumps to the new subroutine and pushes the next address onto the stack. After execution of the subroutine, a return instruction can be used to pop the previous location off of the stack into the program counter. This allows the existing program to jump to the newly added code without making significant changes to the program itself.
Advantages
Easy/Fast – This means the modification process is fast and easy. When modifying the existing code with byte tools like Ollydbg, the added functions can be compiled and tested without any dependencies.
No need for source – Using code caves can be extremely efficient if there is no source code provided for the coder. The programmer can make adjustments and add/remove functions to the code without having to rewrite an entire new program or link class into a project.
Disadvantages
Easy to break the program – In many cases you will be modifying the executable file. This means that there may not be an existing code cave in the existing script for any code injection due to the lack of resources provided in script. Any replacement of the existing script may lead to program failure/crash.
Lack of versatility – Injecting code into an existing script means that the limited space given only allows for simple instruction modifications and the language used is only assembly.
Tools
Ollydbg: a debugger for code analysis. It traces the script calls and executes, as well as displays any iterations in the libraries and binaries. Code can be injected or removed into/from the EXE file directly with this debugger.
PE: Explorer: it lets you open and edit executable files called PE files (portable executable files). This includes .EXE, .DLLs and other less common file types.
Cheat Engine: a powerful tool that reads process memory and writes process memory. This means any client-side data values can be changed and edited. It also can display changes in the values.
TSearch: a powerful tool that reads process memory and writes process memory. Like Cheat Engine, it can change client-side values data.