Eli Fulkerson .com > Home > Projects > Cavfill



cavfill is a (Very Experimental) console utility that fills in stretches of the zero byte in a given executable with random bytes. The goal here is to armor a given executable against the malware technique used by "the backdoor factory" by not giving it any caves to work with.

There isn't much going on here - it is literally just filling detected cavities in the given file with random junk. To a certain extent, this doesn't seem to have any detrimental effect on certain executables I have tested - which of course means ABSOLUTELY NOTHING insofar as your executable may be concerned. I am in no way suggesting, let alone guaranteeing, that a file processed with this utility will be in any way bug free. If something breaks, well, you broke it. Note - the smaller you tune the cavity detection the more likely you will end up with a very broken executable.


Usage: cavfill [-i bytes] [-s size] [-b buffersize] target_file

    -s size         Ignore any cavities smaller than _size_ bytes
                    (default size: 50)
    -b buffersize   Leave _buffersize_ bytes alone at edges of cavity
                    (default buffersize: 8)
    -i bytes        Ignore any cavities in the first _bytes_ bytes
                    (default ignore: 0)
    -v              Print version information and exit
    -?              Get help

cavfill processes a target .exe, filling 'cavities' (long sequences of the
zero byte) with random bytes.  The output is placed in 'cavfill.out'.

The purpose is to serve as a post-compilation step, to prevent malware from
being embedded in these empty (and normally useless) spaces.

The assumption is that if the zero bytes were unnecessary to the execution
of the program it should still work correctly.  (NO GUARANTEES!)

This program is experimental.  I make no guarantees as to the usefulness
of the output.  It may very well make a version of your .exe that appears
to work but has some random bug.  It might even (the fill is random after
all) result in a working output sometimes and a broken output other times.

Seriously.  If you are screwing around with an executable post compliation
and break it somehow, don't come whining to me.

On the other hand I would imagine that this is *relatively* safe, since
Malware hijacks these cavities all the time and usually gets away with it.


C:\>dir cavfill.exe
03/15/2016  10:15 PM            10,240 cavfill.exe
               1 File(s)         10,240 bytes

C:\>cavfill cavfill.exe
Found Cavity: 00001DDA to 00001EA3, size: 201
Found Cavity: 00001F03 to 0000200D, size: 266
Found Cavity: 0000252A to 00002600, size: 214
Found Cavity: 0000260A to 000027FF (END), size: 501

C:\>dir cavfill.out
03/15/2016  10:17 PM            10,240 cavfill.out
               1 File(s)         10,240 bytes
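
The cavity scan and fill described above, as an added Python sketch (this is not cavfill's source code). The names find_cavities and fill_cavities are hypothetical; the half-open offsets and the reading of -i as "skip cavities that start in the first N bytes" are assumptions. The defaults mirror the -s, -b and -i defaults in the usage text.

```python
import os
import re

def find_cavities(data, min_size=50, ignore=0):
    """Return half-open (start, end) offsets of zero-byte runs >= min_size.

    Assumption: runs that start inside the first `ignore` bytes are skipped.
    """
    pattern = re.compile(rb"\x00{%d,}" % min_size)
    return [(m.start(), m.end()) for m in pattern.finditer(data)
            if m.start() >= ignore]

def fill_cavities(data, min_size=50, buffer=8, ignore=0, rng=os.urandom):
    """Overwrite each cavity, minus `buffer` bytes at both edges, with rng output.

    Returns (new_bytes, filled_ranges); the file length never changes.
    """
    out = bytearray(data)
    filled = []
    for start, end in find_cavities(data, min_size, ignore):
        lo, hi = start + buffer, end - buffer
        if hi <= lo:  # nothing left to fill once both edges are preserved
            continue
        out[lo:hi] = rng(hi - lo)
        filled.append((lo, hi))
    return bytes(out), filled

# Constructed sample, not a real executable: a 20-byte zero run (below the
# default threshold), a 200-byte run, and a 100-byte run at the end of the data.
SAMPLE = (b"MZ" + b"\x90" * 30 + b"\x00" * 20 + b"\xCC" * 16
          + b"\x00" * 200 + b"\xC3" * 8 + b"\x00" * 100)

if __name__ == "__main__":
    for start, end in find_cavities(SAMPLE):
        print(f"cavity {start:08X}-{end:08X} size {end - start}")
    hardened, filled = fill_cavities(SAMPLE)
    print("filled:", filled, "same length:", len(hardened) == len(SAMPLE))
    print("cavities left:", find_cavities(hardened))
```

Running find_cavities on the output again is a quick check that no run of the chosen size survived the fill.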