windbg heap

Registry (regedit) flag values 0x02001000 (GlobalFlag), 0x2 (PageHeapFlags): this is normal page heap, but the call stack seemingly cannot be printed reliably: !heap -p -a fails with an access error, and dph_block_information is not accurate.
Registry (regedit) flag values 0x02001000, 0x3: this is full page heap; under full page heap the !heap -l command is unavailable and !heap -x produces no result.


Under full page heap, memory is allocated with a granularity of 0x1000 (4K), and a further 4K guard page is placed after each allocated block.
Under full page heap, HEAP_ENTRY becomes DPH_HEAP_BLOCK, and it is not contiguous with the user memory:

(partial output of !heap -p -h xx) Busy allocations
DPH_HEAP_BLOCK : UserAddr UserSize - VirtAddr VirtSize
00151634 : 00198fd8 00000024 - 00198000 00002000
MSCTF!CSharedBlockNT::`vftable'
0015183c : 0017eff8 00000008 - 0017e000 00002000
001534d4 : 01efafe0 00000020 - 01efa000 00002000
00153074 : 01f57ff0 0000000c - 01f57000 00002000
001531dc : 01f3bf88 00000074 - 01f3b000 00002000
00152a0c : 01f24f88 00000074 - 01f24000 00002000
00152c3c : 01f20f88 00000074 - 01f20000 00002000


heap -p -h heap_handle: prints all entries in the heap.
heap -i heap_entry_pointer: prints the contents of the (_heap_entry) structure, 8 bytes in total; note that the size field here is in units of 8 bytes.

With +ust, the 0x20 bytes before the pointer the user allocated are the dph_block_information, and above that is the heap_entry; otherwise the heap_entry sits directly before the user pointer.
dph_block_information, dph_heap_block, and heap -p -a can all output the stack trace.
heap -p -a address: when page heap is enabled (full or normal), it reports an access error and cannot print the call stack; when page heap is not enabled, the output under release is incomplete; it is only useful under debug.

Example of a heap -p -a access failure:
0:001> !heap -p -a 0218ef20
ReadMemory error for address eeddccee
Use `!address eeddccee' to check validity of the address.

heap -l: unavailable under full page heap; works under normal page heap; works under debug.
heap -x: no output under full page heap; works under normal page heap; works under debug.
heap -flt / -p -h: the first column is a dph heap block under full page heap, and a heap entry under normal page heap.

Example !heap -x output under normal page heap:
0:001> !heap -x 02140180
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
02140158 02140160 01df0000 02140000 118 118 14 busy extra
Here 118 is made up of: 14 bytes of padding (the Unused column, hex), 8 bytes of heap_entry, and 0x20 bytes of _dph_block_information.



===================================================================
GlobalFlag=02001000, PageHeapFlags=0x2:
0:001> !heap -p

Active GlobalFlag bits:
hpa - Place heap allocations at ends of pages

StackTraceDataBase @ 00420000 of size 01000000 with 0000021c traces

PageHeap enabled with options:
COLLECT_STACK_TRACES

active heaps:

+ 150000
COLLECT_STACK_TRACES
NormalHeap - 250000
HEAP_GROWABLE
ReadMemory error for address eeddccee
Use `!address eeddccee' to check validity of the address.

===================================================================
GlobalFlag=02001000, PageHeapFlags=0x1:
0:000> !heap -p

Active GlobalFlag bits:
hpa - Place heap allocations at ends of pages

StackTraceDataBase @ 00420000 of size 01000000 with 00000023 traces

PageHeap enabled with options:
ENABLE_PAGE_HEAP

active heaps:

+ 150000
ENABLE_PAGE_HEAP
NormalHeap - 250000
HEAP_GROWABLE
ReadMemory error for address eeddccee
Use `!address eeddccee' to check validity of the address.

===================================================================
GlobalFlag=0x1100, PageHeapFlags=0x1:
0:001> !heap -p

Active GlobalFlag bits:
vrf - Enable application verifier
hpa - Place heap allocations at ends of pages

StackTraceDataBase @ 00420000 of size 01000000 with 0000044a traces

PageHeap enabled with options:
ENABLE_PAGE_HEAP

active heaps:

+ 150000
ENABLE_PAGE_HEAP
NormalHeap - 250000
HEAP_GROWABLE
ReadMemory error for address eeddccee
Use `!address eeddccee' to check validity of the address.

===================================================================
Summary:
1. The PageHeapFlags value only takes effect when bit 0x02000000 (page heap) or bit 0x100 (verify) is set.
2. In PageHeapFlags, 0x1 means full page heap and 0x2 means record the call stack of heap allocations; in that case the 0x20 bytes before the pointer the user receives are a DPH_BLOCK_INFORMATION.
3. The 0x1000 bit (ust) no longer has any effect once page heap is enabled, but the 0x20 bytes before the user pointer are still a DPH_BLOCK_INFORMATION, only with the StackTrace member NULL.
4. 0:001> dt ntdll!_DPH_BLOCK_INFORMATION 02120f20-20 (02120f20 is the user ptr)
+0x000 StartStamp : 0xabcdbbbb
+0x004 Heap : 0x01cf1000 Void
+0x008 RequestedSize : 0xdc
+0x00c ActualSize : 0x1000
+0x010 FreeQueue : _LIST_ENTRY [ 0x9a - 0x0 ]
+0x010 TraceIndex : 0x9a
+0x018 StackTrace : (null)
+0x01c EndStamp : 0xdcbabbbb
These stamps 0xabcdbbbb / 0xdcbabbbb become 0xabcdaaaa / 0xdcbaaaaa under normal page heap or when page heap is not enabled.
5. When page heap or verify (bit 0x100) is enabled, the output of !heap -p -a includes: hpa - Place heap allocations at ends of pages;
otherwise it shows hpc, i.e. heap parameter checking.
6. !heap -p -a any_address: with verify or page heap enabled, it always produces the error:
ReadMemory error for address eeddccee
Use `!address eeddccee' to check validity of the address.
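The header layout above can be checked offline from a raw dump rather than only through dt. The following is an added example, not part of the original notes: it decodes the 32-bit _DPH_BLOCK_INFORMATION that sits 0x20 bytes below a user pointer (the x86 layout shown in item 4; x64 differs), classifies the block by its stamp pair (bbbb = full page heap, aaaa = normal page heap, anything else = corrupt header), and backs the requested size out of a !heap -x line as in the 118 breakdown. The sample bytes are constructed from the values on this page and the function names are my own.

```python
import struct

# 32-bit ntdll!_DPH_BLOCK_INFORMATION, field order as printed by dt on this page:
# StartStamp, Heap, RequestedSize, ActualSize, FreeQueue.Flink (== TraceIndex),
# FreeQueue.Blink, StackTrace, EndStamp -> eight little-endian DWORDs, 0x20 bytes.
DPH_HEADER_SIZE = 0x20
DPH_FMT = "<IIIIIIII"
HEAP_ENTRY_SIZE = 8  # x86 _HEAP_ENTRY, the 8 bytes !heap -i prints

# Stamp pairs: ...bbbb under full page heap, ...aaaa under normal page heap.
STAMPS = {
    (0xABCDBBBB, 0xDCBABBBB): "full page heap",
    (0xABCDAAAA, 0xDCBAAAAA): "normal page heap",
}


def parse_dph_block_information(mem: bytes, base: int, user_ptr: int) -> dict:
    """Decode the DPH header 0x20 bytes before user_ptr. `mem` is a raw dump
    whose first byte lives at virtual address `base`."""
    off = user_ptr - DPH_HEADER_SIZE - base
    if off < 0 or off + DPH_HEADER_SIZE > len(mem):
        raise ValueError("DPH header is not inside the dump")
    start, heap, req, actual, flink, _blink, stack, end = struct.unpack_from(DPH_FMT, mem, off)
    mode = STAMPS.get((start, end), "corrupt header (unknown stamp pair)")
    return {
        "StartStamp": start, "Heap": heap, "RequestedSize": req,
        "ActualSize": actual, "TraceIndex": flink, "StackTrace": stack,
        "EndStamp": end, "mode": mode,
        # StackTrace is NULL when the stack was not collected (e.g. ust without 0x2).
        "has_stack_trace": stack != 0,
    }


def user_size_from_heap_entry(entry_size: int, unused: int) -> int:
    """Normal page heap: Size in !heap -x = 8-byte _HEAP_ENTRY + 0x20 DPH header
    + user data + Unused padding, so the caller's request is what remains."""
    return entry_size - HEAP_ENTRY_SIZE - DPH_HEADER_SIZE - unused


# Constructed sample: the dt values from this page repacked below a user pointer,
# followed by 0xdc bytes of filler standing in for the user data.
SAMPLE_USER_PTR = 0x02120F20
SAMPLE_BASE = SAMPLE_USER_PTR - DPH_HEADER_SIZE
SAMPLE_MEM = struct.pack(DPH_FMT, 0xABCDBBBB, 0x01CF1000, 0xDC, 0x1000,
                         0x9A, 0x0, 0x0, 0xDCBABBBB) + b"\x41" * 0xDC

if __name__ == "__main__":
    print(parse_dph_block_information(SAMPLE_MEM, SAMPLE_BASE, SAMPLE_USER_PTR))
    print(hex(user_size_from_heap_entry(0x118, 0x14)))
```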
