More fun with ELF files and GoLang - Code Caves

2 minute read Published:

Finding code caves in ELF binaries with GoLang


A code cave is a piece of code that is written to a process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script. This is what is referred to as a Code cave.

Yup. That’s about it. Fascinating yet simple. I remember when I first read about this years ago and I was amazed (and still am!).

Anyway, I was looking for something to play with and remembered cave_miner Python project and the urge to do it with GoLang took over and here we are. This won’t be a huge post but rather a simplistic explaination on how it works and how it can be used. You can find the full project with some instructions on my GitHub here (available as a Docker image too).

After you download it, the usage display is pretty ordinary:

λ ./gocave
Usage: gocave elf_file cave_size

So here’s an example, using a ELF binary downloaded from http://ugetdm.com:

λ ./gocave uget-gtk 65

[+] CAVE DETECTED!
[!] Section Name: .bss
[!] Flags: SHF_WRITE+SHF_ALLOC
[!] Virtual Address: 0x658a2b
[!] Size: 0x45
[!] Begin: 0x58a13
[!] End: 0x58a58

As you can see we were able to find a code cave of 65 bytes in section .bss which has the flag SHF_WRITE (therefore it is writable).

Please note that as of now, this code only looks for 0x00 bytes, I plan to let the user choose the bytes he wants to search later.

For now, this ends here but if you check the TODO section in the GitHub repository page, you’ll see I am working on a way to inject a shellcode to this code cave and patching the ELF file entrypoint to make this shellcode executable in runtime (I just lack the time to put more effort on this at the moment, that’s why I am posting little pieces as they become ready).

See you soon.