A lightweight C++ utility to scan for "Code Caves" in executable sections of PE files (.exe, .dll).
- Automatically parses PE file structures (DOS Header, NT Headers, Section Table).
- Scans only executable sections (marked with
IMAGE_SCN_MEM_EXECUTE, e.g.,.text). - Identifies regions composed of continuous
0x00or0x90(NOP) bytes. - Provides detailed information including File Offset, RVA (Relative Virtual Address), and Cave Size.
Compile using g++:
g++ main.cpp -o SearchCodeCaving.exe -staticRun via command line:
.\SearchCodeCaving.exe <file_path> [min_cave_size]- file_path: Path to the PE file you want to analyze.
- min_cave_size: (Optional) Minimum size of the cave in bytes to be displayed. Defaults to 16.
.\SearchCodeCaving.exe test.exe 20This will scan test.exe for all code caves that are at least 20 bytes long.