📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Low Fragmentation Heap

Topic created on: August 24, 2007 14:18 CDT by nicowow .

Hey everyone,
  I've finished the last details of the Heap library for Vista; I would love to double-check my results with something.
  Does anyone know how to dump the Low Fragmentation Heap with WinDbg? Is it me, or does it not have real support?
  I'm not good at WinDbg (I learned how to use poi() after years of using it, by reading Alex Sotirov's slides), but maybe someone knows how to use it.

  anonymouse     August 25, 2007 11:34.04 CDT
I don't know if this pertains to Vista or not.
There is an environment variable _NO_DEBUG_HEAP that can be set to 1.

Apart from that, you can use gflags to set +ust (enable user stack trace database):

0:000> !gflag
Current NtGlobalFlag contents: 0x00000070
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking
0:000>

0:000> !gflag +ust
New NtGlobalFlag contents: 0x00001070
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking
    ust - Create user mode stack trace database
0:000>

Or you could hack it and set the poi(peb->NtGlobalFlag) (*peb+0x68) dword to 0.

IIRC these all affect the LFH.

There was an MSKB article that showed which gflags affect the LFH and whatnot, but I can't locate it at the moment.

Will edit if I find it and post the link here.

  anonymouse     August 25, 2007 12:00.13 CDT
OK, here are the !heap command lines that are related to low fragmentation heaps:

0:000> !heap -s ?
NtGlobalFlag enables following debugging aids for new heaps:
    tail checking
    free checking
    validate parameters
    stack back traces
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
-----------------------------------------------------------------------------
00080000 50000062    1024     12     12      1     1     1    0      0   L
00180000 50001062      64     24     24     14     1     1    0      0   L
00190000 50008060       0      0      0      2     1     0    0      0
-----------------------------------------------------------------------------
0:000> !heap -s -?
!heap -s [-v] [-a] [-b size] [-c] [-d block_size] [-e debug_option] [heap_address]
Where:
   -a  Dumps all heap blocks
   -v  Validate heap metadata
   -c  Partially dump the content of a block
   -b  Displays statistics with the granularity specified by size
   -d  Filter the output only for the blocks matching
       the bucket block_size
   -e  set debugging options at runtime. Debug_option can take the following values
           0 - disable all debug options from further heap operations
           1 - enable buffer-overrun detection (for LFH only)
           2 - enable buffer-underrun detection (for LFH only)
           4 - enable stack trace collection
If no heap_address is specified, the command command will be applied for all heaps in the process
0:000>

Here are the links:

http://support.microsoft.com/kb/929136

http://support.microsoft.com/default.aspx?scid=kb;en-us;286470


0:000> !heap -s -e 1 -a
Enabling the following debug options for the heap 00080000:
Feature not supported
Enabling the following debug options for the heap 00180000:
Feature not supported
Enabling the following debug options for the heap 00190000:
Feature not supported
0:000>

  nicowow     August 26, 2007 07:38.46 CDT
Cool, not exactly what I need but still useful. Do you know if I can dump the Low Fragmentation Chunks?

  anonymouse     August 26, 2007 13:05.10 CDT
> nicowow: Cool, not exactly what I need but still useful. Do you know if I can dump the Low Fragmentation Chunks?

I'm not sure if I understand you.

Here is some sample code:


#define _WIN32_WINNT 0x0501   /* HeapCompatibilityInformation needs the XP-era headers */
#include <windows.h>
#include <stdio.h>

int main(void)
{
    ULONG HeapFragValue = 2;  /* 2 = switch this heap to the Low Fragmentation Heap front end */
    int i;
    ULONG_PTR *foo;

    /* Ask the process default heap to enable the LFH */
    if (HeapSetInformation(GetProcessHeap(),
                           HeapCompatibilityInformation,
                           &HeapFragValue,
                           sizeof(HeapFragValue)))
    {
        printf("Success!\n");
        /* 20 same-sized allocations so they land in one LFH bucket */
        for (i = 0; i < 20; i++)
        {
            printf("allocating heap no %d\n", i);
            foo = (ULONG_PTR *) HeapAlloc(GetProcessHeap(), 0, 1024);
            printf("heap allocated at %p\n", foo);
        }
        printf("done\n");  /* the last printf: where the WinDbg session below breaks */
    }
    else
        printf("Failure (%lu)\n", (unsigned long) GetLastError());
    return 0;
}


Here is the output:


Success!
allocating heap no 0
heap allocated at 000893C0
allocating heap no 1
heap allocated at 000897C8
allocating heap no 2
heap allocated at 00089BD0
allocating heap no 3
heap allocated at 00089FD8
allocating heap no 4
heap allocated at 0008A3E0
allocating heap no 5
heap allocated at 0008A7E8
allocating heap no 6
heap allocated at 0008ABF0
allocating heap no 7
heap allocated at 0008AFF8
allocating heap no 8
heap allocated at 0008B400
allocating heap no 9
heap allocated at 0008B808
allocating heap no 10
heap allocated at 0008BC10
allocating heap no 11
heap allocated at 0008C018
allocating heap no 12
heap allocated at 0008C420
allocating heap no 13
heap allocated at 0008C828
allocating heap no 14
heap allocated at 0008CC30
allocating heap no 15
heap allocated at 0008D038
allocating heap no 16
heap allocated at 0008D440
allocating heap no 17
heap allocated at 0008D848
allocating heap no 18
heap allocated at 0008DC50
allocating heap no 19
heap allocated at 0008E058


Here is the WinDbg output for the above app (set a bp on the last printf),

using the -hd command-line option (equivalent to the _NO_DEBUG_HEAP environment variable):

C:\Program Files\Debugging Tools for Windows>windbg.exe -hd d:\DDKTests\heapy\objfre_wxp_x86\i386\lowheapy.exe


ntdll!DbgBreakPoint:
77f767cd cc              int     3
0:000> bp lowheapy!main
0:000> g
Breakpoint 0 hit
eax=00260d38 ebx=00000000 ecx=004010e8 edx=7ffe0304 esi=00083010 edi=77e7b77f
eip=00401c55 esp=0006ff7c ebp=0006ffc0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
lowheapy!main:
00401c55 8bff            mov     edi,edi
0:000> g
Breakpoint 1 hit
eax=0000001b ebx=00000000 ecx=0008e058 edx=00000001 esi=77e7b77f edi=00000014
eip=00401cbc esp=0006ff6c ebp=0006ff78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
lowheapy!main+0x67:
00401cbc 683c114000      push    offset lowheapy!`string' (0040113c)
0:000> !heap -s
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
-----------------------------------------------------------------------------
00080000 00000002    1024     76     76      7     1     1    0      0   LFH
00180000 00001002      64     24     24     15     1     1    0      0   L  
00190000 00008000      64      4      4      2     1     1    0      0      
00260000 00001003      64     16     16      6     2     1    0    bad      
-----------------------------------------------------------------------------
0:000> !heap -s 80000
Walking the heap 00080000 .
0: Heap 00080000
   Flags          00000002 - HEAP_GROWABLE
   Reserved memory in segments              1024 (k)
   Commited memory in segments              76 (k)
   Virtual bytes (correction for large UCR) 76 (k)
   Free space                               7 (k) (1 blocks)
   External fragmentation          10% (1 free blocks)
   Virtual address fragmentation   0% (1 uncommited ranges)
   Virtual blocks  0 - total 0 KBytes
   Lock contention 0
   Segments        1

   Low fragmentation heap   00083168
ERROR Cannot read SubSegmentZones list at 0099b9ac
       Metadata usage      1024 bytes
       Statistics:
           Segments created          0
           Segments deleted          0
           Segments reused           0
       Block cache:

       Buckets info:
  Size   Blocks  Seg  Empty  Aff    Distribution
------------------------------------------------
------------------------------------------------

                    Default heap   Front heap       Unused bytes
   Range (bytes)     Busy  Free    Busy   Free     Total  Average
------------------------------------------------------------------
     0 -   1024       15      3      0      0        155     10
  1024 -   2048        2      0      0      0          8      4
  6144 -   7168        1      0      0      0          8      8
  7168 -   8192        0      1      0      0          0      0
24576 -  25600        1      0      0      0          8      8
32768 -  33792        1      0      0      0          8      8
------------------------------------------------------------------
  Total               20      4      0      0        187      9


You mean you want to dump that low fragmentation heap at 00083168, like this?


0:000> dd 00083168
00083168  77fc35c0 ffffffff 00000000 00000000
00083178  00000000 00000000 00081e90 00081e90


If you do not use the -hd command-line argument, the HeapSetInformation() call will fail:

lowheapy!main+0x25:
00401c7a 85c0            test    eax,eax
0:000> !gle
LastErrorValue: (Win32) 0x1f (31) - A device attached to the system is not functioning.
LastStatusValue: (NTSTATUS) 0xc0000001 - {Operation Failed}  The requested operation was unsuccessful.
0:000> r eax
eax=00000000
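An added example, not from this thread or its participants: a small parser for the `!heap -s` summary tables pasted above, plus a decoder for the NtGlobalFlag bits that `!gflag` printed earlier in the thread. Run over a saved WinDbg log it tells you which heaps have the LFH front end active (the "Fast heap" column) and which still carry the debug-heap flags that made HeapSetInformation() fail without -hd. The two sample tables are copied from this thread's own output. HEAP_GROWABLE is the name `!heap -s 80000` printed above; the names for bits 0x20, 0x40 and 0x40000000 come from winnt.h; reading "L" in the Fast heap column as the lookaside front end is an assumption.

```python
import re

# NtGlobalFlag bits exactly as !gflag names them in the thread
# (0x70 = htc|hfc|hpc, and "!gflag +ust" turned that into 0x1070).
NTGLOBALFLAG_BITS = {
    0x0010: "htc - Enable heap tail checking",
    0x0020: "hfc - Enable heap free checking",
    0x0040: "hpc - Enable heap parameter checking",
    0x1000: "ust - Create user mode stack trace database",
}

# Per-heap flag bits (winnt.h). "!heap -s 80000" in the thread names
# HEAP_GROWABLE for 0x00000002; the other three are the debug-heap checks
# that WinDbg enables unless started with -hd / _NO_DEBUG_HEAP=1.
HEAP_FLAG_BITS = {
    0x00000002: "HEAP_GROWABLE",
    0x00000020: "HEAP_TAIL_CHECKING_ENABLED",
    0x00000040: "HEAP_FREE_CHECKING_ENABLED",
    0x40000000: "HEAP_VALIDATE_PARAMETERS_ENABLED",
}
DEBUG_HEAP_MASK = 0x00000020 | 0x00000040 | 0x40000000

# Assumed meaning of the "Fast heap" column: "LFH" = low fragmentation heap
# front end active, "L" = lookaside lists, blank = no front end.
FRONT_END_NAMES = {"LFH": "low fragmentation heap", "L": "lookaside", "": "none"}

# A data row of "!heap -s": two 8-digit hex fields, then the numeric columns.
HEAP_ROW = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(.*)$")


def decode_bits(value, table):
    """Return the names of every bit in `table` that is set in `value`."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_heap_summary(text):
    """Parse the table printed by "!heap -s" into one dict per heap.

    Columns after Flags are: Reserv Commit Virt Free List-length UCR
    Virt-blocks Lock-contention [Fast-heap]; the last one may be blank.
    """
    heaps = []
    for line in text.splitlines():
        m = HEAP_ROW.match(line.strip())
        if not m:
            continue  # header, separator, prompt, or unrelated output
        addr, flags, rest = m.groups()
        cols = rest.split()
        if len(cols) < 8:
            continue
        flags_val = int(flags, 16)
        front_end = cols[8] if len(cols) > 8 else ""
        heaps.append({
            "address": int(addr, 16),
            "flags": flags_val,
            "flag_names": decode_bits(flags_val, HEAP_FLAG_BITS),
            "reserve_kb": int(cols[0]),
            "commit_kb": int(cols[1]),
            "free_kb": int(cols[3]),
            "lock_contention": cols[7],  # a number, or "bad" as in the thread
            "front_end": front_end,
            "lfh_enabled": front_end == "LFH",
            "debug_heap": bool(flags_val & DEBUG_HEAP_MASK),
        })
    return heaps


def lfh_report(text):
    """One line per heap: address, front end, flags, and a debug-heap verdict."""
    lines = []
    for h in parse_heap_summary(text):
        note = "debug heap flags set, LFH cannot be enabled" if h["debug_heap"] else "ok"
        lines.append("%08x front end=%s (%s) flags=%08x [%s]" % (
            h["address"], h["front_end"] or "-",
            FRONT_END_NAMES.get(h["front_end"], "unknown"), h["flags"], note))
    return lines


# Sample input copied from the thread: first the table captured under the
# debug heap (no -hd), then the one captured after "windbg -hd".
DEBUG_HEAP_TABLE = """\
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
-----------------------------------------------------------------------------
00080000 50000062    1024     12     12      1     1     1    0      0   L
00180000 50001062      64     24     24     14     1     1    0      0   L
00190000 50008060       0      0      0      2     1     0    0      0
-----------------------------------------------------------------------------
"""

NO_DEBUG_HEAP_TABLE = """\
00080000 00000002    1024     76     76      7     1     1    0      0   LFH
00180000 00001002      64     24     24     15     1     1    0      0   L
00190000 00008000      64      4      4      2     1     1    0      0
00260000 00001003      64     16     16      6     2     1    0    bad
"""

if __name__ == "__main__":
    for name, ntflag in (("!gflag", 0x70), ("!gflag +ust", 0x1070)):
        print("%s -> 0x%08x: %s" % (name, ntflag,
                                     ", ".join(decode_bits(ntflag, NTGLOBALFLAG_BITS))))
    for title, table in (("debug heap", DEBUG_HEAP_TABLE), ("-hd", NO_DEBUG_HEAP_TABLE)):
        print("--", title)
        for line in lfh_report(table):
            print(line)
```

Feed it the text of a WinDbg log (or the output of a pykd-driven `!heap -s`) instead of the embedded tables; the row regex skips headers, separators and prompts, so the whole session can be passed in unfiltered.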

  nicowow     August 26, 2007 22:18.04 CDT
Cool, thx a lot
