Discussion:
debug heap on Windows 7 .. related problem ..
Voila
2010-09-02 14:50:31 UTC
Hello. I am trying to debug heap memory (basically I want to know the
size of the first heap element of freelist[00]) on Windows 7 using
WinDbg, so I created a simple program, which is like this:

#include <windows.h>

int __cdecl wmain (int argc, wchar_t* pArgs[])
{
    BYTE* pAlloc1 = NULL;
    BYTE* pAlloc2 = NULL;

    HANDLE hProcessHeap = GetProcessHeap();
    pAlloc1 = (BYTE*)HeapAlloc(hProcessHeap, 0, 16);    // small block
    pAlloc2 = (BYTE*)HeapAlloc(hProcessHeap, 0, 1500);  // larger block
    //
    // Use allocated memory
    //
    HeapFree(hProcessHeap, 0, pAlloc1);   // freed blocks land on the heap free lists
    HeapFree(hProcessHeap, 0, pAlloc2);
    return 0;
}

So I took the following steps:
...
+0x090 ProcessHeaps : 0x77c37500 -> 0x000b0000
...

0:000> dd 77c37500
77c37500 000b0000 00010000 00020000 00090000
77c37510 00000000 00000000 00000000 00000000


0:000> dt _heap 000b0000
ntdll!_HEAP
+0x000 Entry : _HEAP_ENTRY
+0x008 SegmentSignature : 0xffeeffee
...
+0x0c4 FreeLists : _LIST_ENTRY [ 0xb4268 - 0xb52a8 ]
...


0:000> dt _list_entry 000b0000+0x0c4
third!_LIST_ENTRY
[ 0xb4268 - 0xb52a8 ]
+0x000 Flink : 0x000b4268 _LIST_ENTRY [ 0xb43e0 - 0xb00c4 ]
+0x004 Blink : 0x000b52a8 _LIST_ENTRY [ 0xb00c4 - 0xb43e0 ]


0:000> dt _heap_entry 000b4268-0x8
ntdll!_HEAP_ENTRY
+0x000 Size : 0x8767 ------------------------> Huge Size
+0x002 Flags : 0x77 'w'
+0x003 SmallTagIndex : 0x78 'x'
+0x000 SubSegmentCode : 0x78778767
...

My problem is that, first of all, I want to know whether I have
taken the right steps to reach FREELIST[00]. Maybe not, because to
get the actual size of the heap element at freelist[00] we multiply
0x8767*8 = 43b38, which is huge.

Can anyone tell me where I am wrong?

Thanks in advance.
Matt Alderman
2010-09-28 20:14:03 UTC
Hello,

I recently ran across this issue, and was banging my head trying to figure
out what was going on. A little disassembly of HeapSize shows that the
block header (userMem - 0x8) is actually XORed with a value from the heap's
header before it's read.

This is a new Vista+ feature to protect against heap exploits by encoding
the heap values. You need to take the entry at _HEAP+0x50 ("Encoding") and
XOR that with the value at your memory, then the data will make sense.

Good luck.
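A worked decode of the header the thread is looking at, as an added example (not the thread's or Microsoft's code): it XORs the observed first DWORD 0x78778767 with a _HEAP.Encoding key and then checks the SmallTagIndex checksum (byte0 ^ byte1 ^ byte2 of the decoded header) that Windows 7 itself verifies, so a wrong key or a corrupted header shows up immediately. The thread never prints the real Encoding, so the key below is a constructed stand-in, and the example assumes the 32-bit Windows 7 layout (Size counted in 8-byte units, first DWORD of the entry encoded).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* First DWORD of the entry exactly as the thread observed it (the
 * "SubSegmentCode" overlay of Size | Flags | SmallTagIndex). */
#define RAW_ENTRY_FROM_THREAD 0x78778767u
/* The thread never shows _HEAP.Encoding, so this key is CONSTRUCTED to
 * decode to a plausible free block; read the real one with
 * "dd <heap>+0x50 L1" in WinDbg. */
#define CONSTRUCTED_ENCODING  0x7c778763u
#define HEAP_ENTRY_BUSY  0x01u /* Flags bit: block is allocated */
#define HEAP_GRANULARITY 8u    /* Size is counted in 8-byte units on x86 */

typedef struct {
    uint16_t size;            /* +0x000 Size, in 8-byte units */
    uint8_t  flags;           /* +0x002 Flags */
    uint8_t  small_tag_index; /* +0x003 SmallTagIndex (header checksum) */
} heap_entry_hdr;

/* XOR the encoded DWORD with the heap's Encoding and split the fields. */
heap_entry_hdr decode_heap_entry(uint32_t raw, uint32_t encoding)
{
    uint32_t d = raw ^ encoding;
    heap_entry_hdr h;
    h.size            = (uint16_t)(d & 0xffffu);
    h.flags           = (uint8_t)((d >> 16) & 0xffu);
    h.small_tag_index = (uint8_t)((d >> 24) & 0xffu);
    return h;
}

/* Windows 7 keeps byte0 ^ byte1 ^ byte2 of the decoded header in
 * SmallTagIndex; a mismatch means a wrong key or a corrupted header. */
bool heap_entry_checksum_ok(heap_entry_hdr h)
{
    uint8_t b0 = (uint8_t)(h.size & 0xffu), b1 = (uint8_t)(h.size >> 8);
    return (uint8_t)(b0 ^ b1 ^ h.flags) == h.small_tag_index;
}

/* Whole block size in bytes, header included. */
uint32_t heap_entry_bytes(heap_entry_hdr h) { return h.size * HEAP_GRANULARITY; }

int main(void)
{
    heap_entry_hdr h = decode_heap_entry(RAW_ENTRY_FROM_THREAD, CONSTRUCTED_ENCODING);
    printf("size=0x%x (%u bytes) %s checksum=%s\n", h.size, heap_entry_bytes(h),
           (h.flags & HEAP_ENTRY_BUSY) ? "busy" : "free",
           heap_entry_checksum_ok(h) ? "ok" : "BAD");
    return 0;
}
```

In WinDbg the same XOR is `? 0x78778767 ^ <Encoding DWORD>` after `dd 000b0000+0x50 L1`; an undecoded Size of 0x8767 (0x43b38 bytes) whose checksum fails is exactly the symptom in the original post.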