An Analysis Tool that Detects The Code Caves in Specified Sizes for Portable Executable Files

Abstract

Code caves represent sequential null bytes in portable executable files and are particularly used in reverse engineering. With the help of code caves, the execution flow of the program can be changed, and different codes can be injected into the compiled programs. In the sections in the PE files, it is determined manually whether there is a code cave suitable for the size of the code to be injected. This paper presents the analysis tool named CodeCaveFinder. It finds in detail whether the code caves of the user desired size are in the sections of the PE file. As a result of tests, it has been proven that CodeCaveFinder gives accurate and reliable results.