ProcHeapViewer : Faster way to enumerate process heaps
 Nagareshwar (tnagareshwar) <tnagareshwar gmail com> |
Sunday, August 26 2007 06:48.43 CDT |
ProcHeapViewer is a fast heap enumeration tool which uses better technique than normal Windows heap API functions. Its very useful tool for anyone involved in analyzing process heaps. Vulnerability researchers can find it useful while working on heap related vulnerabilities.
Traditional Windows heap enumeration functions are slower and takes lot of time while traversing large number of heap blocks. Here is the article which uncovers the reason behind the slower functionality of heap functions. It also explains new efficient way of enumerating process heaps based on reverse engineering of Windows heap API functions.
You can read more interesting details about ProcHeapViewer at following location.
http://securityxploded.com/ProcHeapViewer.php
Note that currently ProcHeapViewer source code is not public, but I am planning to make it public after the second release. I have already got couple of feature requests for this tool. If you have any, then let me know.
Thanks
- Nag
Comments
 nicowow |
Posted: Sunday, August 26 2007 09:06.02 CDT |
| Nice work man! Our way to do it, is directly using the reversed structures of the heap and list the chunk (aka get the Heap from the PEB, Grab the segments from the PHEAP structure, and transverse the chunks directly by their size) | |
 tnagareshwar |
Posted: Sunday, August 26 2007 11:40.12 CDT |
| Thanks for the new way...I will explore more in that direction | |
|
nicowow |
Posted: Sunday, August 26 2007 22:04.51 CDT |
|
You can take a look at Immunity Debugger check Libs/libheap.py Here you have our source code (Although, written in python) Cheers |
|
|
tnagareshwar |
Posted: Monday, August 27 2007 00:08.39 CDT |
| Thanks nicowow, that will be useful. | |
 djnemo |
Posted: Monday, August 27 2007 00:54.52 CDT |
| Thanks about useful tools ,gr8 ,befor you wana release your source code ;may i have some information about how get PEB and Heap Detail (^-^) Soem library or Api mybe you use or ... | |
|
nicowow |
Posted: Monday, August 27 2007 06:32.37 CDT |
To get the PEB is easy:Now, to get all the heaps from the PEB you go: To do it in C: Cheers |
|
|
djnemo |
Posted: Tuesday, August 28 2007 02:49.59 CDT |
| TanX dear nicowow it helps so much ,and Special Tanx to tnagareshwar for his good tools and UseFull article | |
 MohammadHosein |
Posted: Tuesday, August 28 2007 07:00.16 CDT |
| on newer windows PEB is no longer located there , its location is randomized | |
|
anonymouse |
Posted: Tuesday, August 28 2007 12:45.50 CDT |
|
on newer windows PEB is no longer located there , its location is randomized where ? it is still located there but you cannot hardcode the address viz 7ffd0030 iinw what he proposes is finding peb with NtQueryInformation##() not hardcoding 7fffd0030 which used to be the case [url] https://www.openrce.org/blog/view/44/finding_the_peb_of_other_process_in_xp-sp2 [/url] |
|
|
tnagareshwar |
Posted: Tuesday, August 28 2007 13:10.25 CDT |
|
Hi Djnemo, Here is the article which explains the reason and research behind the ProcHeapViewer. http://securityxploded.com/enumheaps.php For the PEB, the method suggested by nicowow is right way to get it even though it randomized. Have a good day |
|
|
anonymouse |
Posted: Thursday, September 13 2007 05:35.56 CDT |
|
is it able to enumerate process heaps of application that are spawned under a debugger ?? this always hangs for me with a hung application here is a minidump details and !analyze -v results from windbg disassembly of where it probably hangs is here |
|
|
tnagareshwar |
Posted: Monday, September 17 2007 07:58.59 CDT |
| This scenario is not tested. I will look into this problem. Thanks for posting full details. That will help. | |