A code snippet that demonstrates how to automatically detect code caves in Microsoft Windows PE files.
It is then possible to inject shellcode into the located code cave (optionally encrypted) and redirect the PE file's entry point to it.
This was a common technique used by old-school viruses to infect other applications and self-replicate.
--file: Valid PE file location (e.g. /path/to/calc.exe).
--payload: Shellcode payload (e.g. "\x01\x02\x03…\x0a").
--encrypt: Encrypt the main section (the entry point section).
--encryption-key: Define a custom encryption key (1 byte only).
--cave-opcodes: Define the list of opcodes to search for.
--cave-min-size: Minimum size of a region to be considered a code cave.
--egg: Define a custom egg name (ESP restore mechanism).
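As an added example (not the tool's own code), a minimal cave scanner in Python that reads the PE section headers by hand, reports filler runs of at least a minimum size inside each section (the idea behind --cave-opcodes and --cave-min-size), and, as a defender's check, flags a PE whose entry point already lands inside such a cave. The sample PE bytes, the default opcode set and all function names are constructed assumptions for this example.

```python
import struct
CAVE_OPCODES = (0x00, 0x90, 0xCC)  # assumed default filler bytes, like the tool's --cave-opcodes

def parse_sections(data):
    """Yield (name, vsize, vaddr, raw_size, raw_ptr) for every section header in the PE."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    for i in range(nsec):
        off = pe + 24 + opt_size + i * 40                     # 24 = signature + COFF header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        yield (name,) + struct.unpack_from("<IIII", data, off + 8)

def find_caves(data, min_size=32, opcodes=CAVE_OPCODES):
    """Return [(section, file_offset, length)] for filler runs of >= min_size bytes inside sections."""
    caves = []
    for name, _, _, rsize, rptr in parse_sections(data):
        limit, run = min(rptr + rsize, len(data)), None
        for i in range(rptr, limit + 1):                      # one past the end flushes the last run
            filler = i < limit and data[i] in opcodes
            if filler and run is None:
                run = i
            elif not filler and run is not None:
                if i - run >= min_size:
                    caves.append((name, run, i - run))
                run = None
    return caves

def entry_point_cave(data, min_size=32):
    """Defender check: the cave AddressOfEntryPoint points into, or None if it sits in real code."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    rva = struct.unpack_from("<I", data, pe + 40)[0]          # optional header + 16, same for PE32/PE32+
    for _, vsize, vaddr, rsize, rptr in parse_sections(data):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            off = rva - vaddr + rptr
            return next((c for c in find_caves(data, min_size) if c[1] <= off < c[1] + c[2]), None)
    return None

def build_sample_pe(entry_rva=0x1000):
    """Constructed PE-shaped blob for testing only: valid headers plus one .text section."""
    text = (b"\x55\x8b\xec" + b"\x00" * 8 + b"\x33\xc0"       # code with an 8-byte gap (too small)
            + b"\x90" * 40 + b"\xc3" + b"\x00" * 200)         # 40-byte NOP run, 200-byte zero tail
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                     # empty PE32 optional header
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + bytes(opt) + sec
    return hdr + bytes(0x200 - len(hdr)) + text
```

Note that only bytes inside section raw data are scanned; slack between the headers and the first section is not reported by this scanner.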