Yup. That’s about it. Fascinating yet simple. I remember when I first read about this years ago and I was amazed (and still am!).
Anyway, I was looking for something to play with and remembered the cave_miner Python project, and the urge to do it in Go took over; here we are. This won’t be a huge post but rather a simple explanation of how it works and how it can be used. You can find the full project with some instructions on my GitHub here (available as a Docker image too).
After you download it, the usage display is pretty ordinary:
λ ./gocave
Usage: gocave elf_file cave_size
So here’s an example, using an ELF binary downloaded from http://ugetdm.com:
λ ./gocave uget-gtk 65
[+] CAVE DETECTED!
[!] Section Name: .bss
[!] Section Offset: 0x588e8
[!] Section Size: 0x1b0 (432 bytes)
[!] Section Flags: SHF_WRITE+SHF_ALLOC
[!] Virtual Address: 0x658a2b
[!] Cave Begin: 0x58a13
[!] Cave End: 0x58a58
[!] Cave Size: 0x45 (69 bytes)
As you can see, with a minimum size of 65 bytes the tool found a 69-byte run of 0x00 in section .bss, which has the SHF_WRITE flag (so it is writable). Two caveats a practitioner should keep in mind: the flags do not include SHF_EXECINSTR, so anything placed in that cave is not executable as is; and .bss is a SHT_NOBITS section that occupies no bytes in the file, so the zeros found at that file offset belong to whatever follows .bss in the file rather than to the section’s loaded contents.
Please note that, as of now, the code only looks for runs of 0x00 bytes; I plan to let the user choose the byte value to search for later.
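To make the scan concrete, here is a small Go scanner written for this post as an added example; it is not the gocave source and does not reproduce its exact output format. It uses the standard debug/elf package, takes the filler byte as a parameter (0x00 by default, as gocave does today), skips SHT_NOBITS sections such as .bss because they have no bytes in the file, and prints whether each section carrying a cave is executable. The function and type names (findRuns, scanELF, Cave) are my own.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"strconv"
)

// Cave is a run of identical filler bytes inside one section of the file.
type Cave struct {
	Section string
	Begin   uint64 // file offset of the first filler byte
	End     uint64 // file offset one past the last filler byte
	Size    uint64
	Flags   elf.SectionFlag
}

// findRuns returns every run of at least minSize consecutive filler bytes in data.
// Offsets are reported relative to base (for a section, its file offset).
func findRuns(data []byte, filler byte, minSize uint64, base uint64) []Cave {
	var caves []Cave
	runStart := -1
	for i := 0; i <= len(data); i++ { // i == len(data) closes a run that reaches the end
		inRun := i < len(data) && data[i] == filler
		if inRun && runStart < 0 {
			runStart = i
		} else if !inRun && runStart >= 0 {
			if n := uint64(i - runStart); n >= minSize {
				caves = append(caves, Cave{Begin: base + uint64(runStart), End: base + uint64(i), Size: n})
			}
			runStart = -1
		}
	}
	return caves
}

// scanELF opens an ELF file and reports caves of at least minSize filler bytes per section.
func scanELF(path string, minSize uint64, filler byte) ([]Cave, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	var caves []Cave
	for _, s := range f.Sections {
		// SHT_NOBITS sections (.bss) have no file bytes: reading at their offset would
		// scan whatever follows them in the file, which is never loaded into that section.
		if s.Type == elf.SHT_NOBITS || s.Size == 0 {
			continue
		}
		data, err := s.Data()
		if err != nil {
			return nil, fmt.Errorf("reading section %s: %w", s.Name, err)
		}
		for _, c := range findRuns(data, filler, minSize, s.Offset) {
			c.Section = s.Name
			c.Flags = s.Flags
			caves = append(caves, c)
		}
	}
	return caves, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "Usage: cavescan elf_file cave_size")
		os.Exit(1)
	}
	minSize, err := strconv.ParseUint(os.Args[2], 10, 64)
	if err != nil || minSize == 0 {
		fmt.Fprintln(os.Stderr, "cave_size must be a positive integer")
		os.Exit(1)
	}
	caves, err := scanELF(os.Args[1], minSize, 0x00)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	for _, c := range caves {
		executable := c.Flags&elf.SHF_EXECINSTR != 0
		fmt.Printf("[+] %-16s begin=0x%x end=0x%x size=%d flags=%s executable=%v\n",
			c.Section, c.Begin, c.End, c.Size, c.Flags, executable)
	}
}
```

Run it as `./cavescan uget-gtk 65` to get one line per cave. The executable flag is what decides whether a cave could host code without further changes; a writable but non-executable cave like the .bss one above would need an executable segment, or a permission change at runtime, before anything placed there could run.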
For now, this ends here, but if you check the TODO section in the GitHub repository page, you’ll see I am working on a way to inject shellcode into this code cave and patch the ELF entry point so that the shellcode runs at start-up (I just lack the time to put more effort into this at the moment, which is why I am posting little pieces as they become ready).
See you soon.