Heap process segments and their need

While dumping the heaps of a bunch of win32 processes (mainly a process with high heap memory usage, like IE) using !heap -a 004e0000, I find several segments for a specific heap, for example

 Heap entries for Segment00 in Heap 004e0000
 Heap entries for Segment01 in Heap 004e0000
 Heap entries for Segment02 in Heap 004e0000

My questions

Question 1. Why is it necessary to divide one heap into several segments?

Question 2. In most cases, I find a big gap between two segments. For example, in the image below, Segment00 actually ends @ 0x005e0000 (if uncommitted bytes are counted) and Segment01 starts @ 0x05b60000.

Why is this gap there? Could we use the same segment (Segment00) for further allocation?


Question 3. How do I find the number of segments present in a particular heap, and their addresses, from RAM (or, more specifically, from a heap offset, e.g. heap_handle + 0xsomeoffset)?

+3
1 answer

As the answer to question 3, I think I found a "hacker" way to get the base addresses of the segments from memory.

 0:027> !heap
 Index   Address  Name      Debugging options enabled
   1:   00790000
   2:   004d0000
   3:   028b0000
   4:   02a40000
   5:   02fa0000
   6:   03b00000
   7:   02ca0000
   8:   03ac0000
   9:   04d80000
  10:   0a850000

We take the heap at 0x00790000 and list all the segments in it.

 0:027> !heap 00790000
 Index   Address  Name      Debugging options enabled
   1:   00790000
         Segment at 00790000 to 00890000 (00100000 bytes committed)
         Segment at 053a0000 to 054a0000 (00100000 bytes committed)
         Segment at 05d40000 to 05f40000 (00200000 bytes committed)
         Segment at 063e0000 to 067e0000 (00400000 bytes committed)
         Segment at 09ce0000 to 0a4e0000 (007fa000 bytes committed)

Now it is time to get the same base segment addresses from memory.

 0:027> dt _HEAP 00790000
 ntdll!_HEAP
    +0x000 Entry            : _HEAP_ENTRY
    +0x008 SegmentSignature : 0xffeeffee
    +0x00c SegmentFlags     : 0
    +0x010 SegmentListEntry : _LIST_ENTRY [ 0x53a0010 - 0x7900a8 ]
    +0x018 Heap             : 0x00790000 _HEAP
    +0x01c BaseAddress      : 0x00790000 Void
    ..
    ..

We are interested in SegmentListEntry (which is at offset 0x010).

We dump 2 DWORDs from heap_base + 0x10.

 0:027> dd 00790000 + 0x10 L2
 00790010  053a0010 007900a8

Then we take BLINK (i.e. the 2nd DWORD of the above output, which is 0x007900a8) and dump 2 DWORDs from there. We continue doing this until we reach the same pointer that we started with, i.e. 0x007900a8.

 0:027> dd 007900a8 L2
 007900a8  00790010 09ce0010
 0:027> dd 09ce0010 L2
 09ce0010  007900a8 063e0010
 0:027> dd 063e0010 L2
 063e0010  09ce0010 05d40010
 0:027> dd 05d40010 L2
 05d40010  063e0010 053a0010
 0:027> dd 053a0010 L2
 053a0010  05d40010 00790010
 0:027> dd 00790010 L2
 00790010  053a0010 007900a8

Since we have reached the same point from which we started, we can stop here.

 0:027> dd 007900a8 L2
 007900a8  00790010 09ce0010

Now take a look at the values we got above. If you subtract 16 from all of them (except 0x007900a8 and 0x007900a8), you get the segment addresses.

 0:027> ? 09ce0000 + 16
 Evaluate expression: 164495382 = 09ce0016

Which are:

 00790000
 053a0000
 05d40000
 063e0000
 09ce0000
+2
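The list walk from the answer above, as an added example that is not part of the original post: it follows Flink around the same circular _LIST_ENTRY ring the answer traverses by hand through BLINK, subtracts the 0x10 SegmentListEntry offset to recover each segment base, and bounds the walk so a corrupted or unterminated list cannot spin forever. The memory contents are constructed from the answer's `dd` output; treating heap_base + 0xa8 as the list head inside _HEAP is an assumption read off the answer's 0x007900a8 value.

```python
# Added example (not from the original post): walk the circular _LIST_ENTRY of
# heap segments that the answer traverses by hand with `dd`, and recover each
# segment base via CONTAINING_RECORD arithmetic (entry - 0x10).
# MEMORY is constructed from the answer's `dd ... L2` output: addr -> (Flink, Blink).

SEGMENT_LIST_ENTRY_OFFSET = 0x10  # SegmentListEntry offset, per the answer's dt output
HEAP_LIST_HEAD_OFFSET = 0xA8      # assumed: list head inside _HEAP, read off 0x007900a8

MEMORY = {
    0x007900A8: (0x00790010, 0x09CE0010),
    0x00790010: (0x053A0010, 0x007900A8),
    0x053A0010: (0x05D40010, 0x00790010),
    0x05D40010: (0x063E0010, 0x053A0010),
    0x063E0010: (0x09CE0010, 0x05D40010),
    0x09CE0010: (0x007900A8, 0x063E0010),
}


def read_list_entry(addr):
    """Return (Flink, Blink) at addr; fail loudly on an address we never dumped."""
    try:
        return MEMORY[addr]
    except KeyError:
        raise ValueError(f"unreadable _LIST_ENTRY at {addr:#010x}") from None


def walk_heap_segments(heap_base, max_entries=64):
    """Follow Flink from the head at heap_base+0xa8 until it wraps back to the head.

    The head lives inside _HEAP, not in a segment, so it yields no base (the
    answer's 'except 0x007900a8'). max_entries and the Blink cross-check guard
    against a corrupted list, which a hand `dd` walk would simply follow forever.
    """
    head = heap_base + HEAP_LIST_HEAD_OFFSET
    segments = []
    flink, _ = read_list_entry(head)
    while flink != head:
        if len(segments) >= max_entries:
            raise RuntimeError("segment list does not terminate; possible corruption")
        next_flink, blink = read_list_entry(flink)
        expected_prev = head if not segments else segments[-1] + SEGMENT_LIST_ENTRY_OFFSET
        if blink != expected_prev:  # Flink and Blink must agree in a sane doubly linked list
            raise RuntimeError(f"Blink mismatch at {flink:#010x}: {blink:#010x}")
        segments.append(flink - SEGMENT_LIST_ENTRY_OFFSET)  # CONTAINING_RECORD
        flink = next_flink
    return segments


if __name__ == "__main__":
    for base in walk_heap_segments(0x00790000):
        print(f"Segment at {base:08x}")
```

Swapping read_list_entry for a real reader (pykd, a minidump parser) turns this into a check that !heap's segment list and the raw memory agree.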

Source: https://habr.com/ru/post/1213264/
