What is a code cave, and is there any legitimate use for one?


Solution 1

I've used them, although I'd never heard the term code cave until today. The Wiktionary definition suggests that a code cave is something the cracker finds in the executable he or she is attempting to crack. The question you cite doesn't use it that way. Instead, it suggests the code cave is being allocated with VirtualAllocEx to create a brand new block of memory in the target process. That removes the need to search for unused space in the target, and it guarantees you'll have enough space to put all your new code.

Ultimately, I think a "code cave" is just a place to store run-time-generated code. There doesn't have to be any nefarious purpose to that code. And at that point, the question of what a code cave is becomes entirely uninteresting. The interesting parts are what reasons there are for generating code at run time, and what techniques there are for making sure that new code gets run when you want it.

Solution 2

One might wish to intentionally create a code cave as a part of using self-modifying code.

Assuming, of course, that one is insane.

Solution 3

Code caves are usually created by compilers for alignment and are often located between functions in copious amounts. There should also be code caves between structures and jumps (in some architectures), but usually not in any significant amounts.

You also might search for a block of zeroed memory, but there's no guarantee that the program won't use them.

I suppose theoretically, if you lost your source code, you could patch your buggy program by using them, and your program wouldn't grow in size.

Edit

To those of you suggesting code caves are only for run-time generated code: that is an incomplete definition. Many times I have written a data structure in a "code cave" and updated pointers to point there, and I suspect I am not the only person to do so.
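As an added example that is not part of any answer in this thread, the Python below scans a raw code section for the alignment padding Solution 3 describes and, from the defender's side, flags caves that no longer hold their fill byte in a later copy of the same image (the sign that a cave has been written into). The fill-byte set (0x00, 0xCC, 0x90) and the constructed sample bytes are my assumptions, not something the thread states.

```python
# Added example, not code from the thread. Locate alignment padding runs
# ("code caves") in a code section and check that they are still padding
# in a later copy of the image. Fill bytes assumed: zero fill, INT3 fill
# (typical of MSVC), NOP fill (typical of GCC).
PAD_BYTES = {0x00, 0xCC, 0x90}


def find_caves(section: bytes, min_len: int = 8):
    """Return [(offset, length, fill_byte)] for every run of one padding byte
    that is at least min_len bytes long."""
    caves = []
    i, n = 0, len(section)
    while i < n:
        b = section[i]
        if b not in PAD_BYTES:
            i += 1
            continue
        j = i
        while j < n and section[j] == b:
            j += 1
        if j - i >= min_len:           # short runs (e.g. zeros inside an imm32) are code, not caves
            caves.append((i, j - i, b))
        i = j
    return caves


def filled_caves(baseline: bytes, current: bytes, min_len: int = 8):
    """Caves found in the baseline whose bytes differ in the current image."""
    hits = []
    for off, length, fill in find_caves(baseline, min_len):
        if current[off:off + length] != bytes([fill]) * length:
            hits.append((off, length))
    return hits


# Constructed sample: two tiny x86-64 functions (push rbp; mov rbp,rsp;
# mov eax,imm32; pop rbp; ret) separated by a 16-byte INT3 pad, with a
# 32-byte zero tail, the way a compiler aligns functions in a section.
FUNC_A = bytes.fromhex("554889e5b8010000005dc3")
FUNC_B = bytes.fromhex("554889e5b8020000005dc3")
BASELINE = FUNC_A + b"\xCC" * 16 + FUNC_B + b"\x00" * 32

# A later copy of the same section in which the INT3 pad has been overwritten.
MODIFIED = FUNC_A + bytes.fromhex("4889c7") + b"\xCC" * 13 + FUNC_B + b"\x00" * 32

if __name__ == "__main__":
    for off, length, fill in find_caves(BASELINE):
        print(f"cave at offset {off}: {length} bytes of 0x{fill:02x}")
    print("caves no longer holding padding:", filled_caves(BASELINE, MODIFIED))
```

On a real binary you would feed it the bytes of an executable section (e.g. `.text` from an ELF or PE) taken from a known-good copy as the baseline and from the image under review as the current one.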

Solution 4

Some legitimate uses: patching live OS binaries without a reboot (MS does this), hooking low-level OS functionality (filesystem, network) for firewalls and antivirus, extending an application when you don't have source code (like scraping low-level OS calls to DrawText so you can read them aloud for blind people).

Solution 5

The way it's described here reminds me of patchpoints -- a legit use.

Author: Eddie

Updated on June 16, 2022

Comments

  • Eddie (about 2 years ago)

    I encountered this word for the first time in the StackOverflow question "C# Theoretical: Write a JMP to a codecave in asm." I see that according to Wiktionary, a code cave is:

    an unused block of memory that someone, typically a software cracker, can use to inject custom programming code to modify the behavior of a program.

    Did I find the correct definition? If so, is there any legitimate use for a code cave?