
I've been debugging a heap corruption in a piece of software. I can write data to the heap and get control over some pointers. I can achieve my goal of executing code without knowing this, but it confused me a bit.

The problem is that I can't find which heap the block that I'm writing to is in, nor the heap segments.

I used !heap -x [address] and !heap -x -v [address] under WinDbg and they didn't give me any result. I know that some heaps may reserve another heap segment when no uncommitted space is available in the first one. However, I've dumped all heap segments and I couldn't find any with a base address similar to the one I'm looking for.

It seems a little bit weird to me that there's no process or application specific heap having these blocks !!

  • What makes you sure the address is on the heap and not on the stack (or, in the case of a multithreaded program, one of the stacks)? – NPE Jan 14 '14 at 19:58
  • I've just checked the access rights of that page and it's not "guarded", and a stack should be guarded. In addition, the main thread (which I'm interested in) is editing memory in the heap block. – JohnnyCat Jan 14 '14 at 20:04
  • Fair enough, just checking... :) – NPE Jan 14 '14 at 20:05
  • Do you have any idea? It's the first time that I see such a case. – JohnnyCat Jan 14 '14 at 20:10
  • Related, might be helpful: http://stackoverflow.com/a/353606/241536 – John Dibling Jan 14 '14 at 20:11
  • Anyway, I'm coding a simple Immunity plugin that will help me track all allocations for this piece of software; can it be helpful in this case? – JohnnyCat Jan 14 '14 at 23:30
  • Stack pages are not guarded. There is a single guard page at the very end of the stack, but all other stack pages are totally writable. – Marc Sherman Jan 15 '14 at 15:00
  • @MarcSherman You're right, my bad. – JohnnyCat Jan 15 '14 at 15:31

1 Answer

If the heap is corrupt, the !heap -x command might not work properly; try !heap -s -v to determine. Sample: Windbg !heap

Do !address, and you should see if the memory is stack or heap.

  • Thanks for the information. I was able to determine the source of the allocation; !address helped me to get the base address of the allocation (I saw under WinXP that the allocation address is always static). It's obvious that the application will be obliged to allocate that space at some time, so I've set breakpoints on all allocation APIs used and I was surprised to find that the application is using VirtualAlloc to allocate that space, which is not a "heap" but a big chunk of memory from the virtual space of the process. It's clear now why !heap wasn't giving any details. Thanks for the help. – JohnnyCat Jan 15 '14 at 15:24
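The check the answer describes, and the conclusion the asker reached in the follow-up comment, amount to: first see whether the address falls inside any heap segment listed by !heap -s, and if it does not, look at what !address says about the region. The script below is an added example (not from the question, the answer, or any WinDbg tooling) that performs that classification on constructed data: the heap handles, segment ranges and regions are made-up values standing in for what the two commands would print, and the class and function names are this example's own. An address that is committed private memory but belongs to no heap segment is reported as a VirtualAlloc-style allocation, which is the case the asker ran into.

```python
"""Locate an address relative to a process's heap segments and memory
regions, the way one would by hand from WinDbg's !heap -s and !address
output. Added example; all segment and region values below are
constructed for illustration and are not from any real process.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HeapSegment:
    heap: int   # address of the _HEAP structure (what !heap -s lists)
    base: int   # first address covered by this segment
    end: int    # one past the last address covered by this segment

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: str   # "MEM_COMMIT", "MEM_RESERVE" or "MEM_FREE"
    kind: str    # "MEM_PRIVATE", "MEM_MAPPED" or "MEM_IMAGE"
    usage: str   # usage tag as !address prints it, e.g. "Heap", "Stack"

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_segment(addr: int, segments: List[HeapSegment]) -> Optional[HeapSegment]:
    """Return the heap segment containing addr, if any."""
    for seg in segments:
        if seg.contains(addr):
            return seg
    return None


def find_region(addr: int, regions: List[Region]) -> Optional[Region]:
    """Return the virtual memory region containing addr, if any."""
    for reg in regions:
        if reg.contains(addr):
            return reg
    return None


def classify(addr: int, segments: List[HeapSegment], regions: List[Region]) -> str:
    """Explain what kind of memory addr lives in.

    Heap segments are checked first. An address that is committed private
    memory but sits in no segment is the situation from the question: a
    block obtained directly from VirtualAlloc rather than from a heap, so
    !heap has nothing to say about it.
    """
    seg = find_segment(addr, segments)
    if seg is not None:
        return (f"heap 0x{seg.heap:08x}, segment "
                f"0x{seg.base:08x}-0x{seg.end:08x}")
    reg = find_region(addr, regions)
    if reg is None or reg.state == "MEM_FREE":
        return "not mapped"
    if reg.usage == "Stack":
        return f"stack region 0x{reg.base:08x} (size 0x{reg.size:x})"
    if reg.state == "MEM_COMMIT" and reg.kind == "MEM_PRIVATE":
        return (f"private committed region 0x{reg.base:08x} (size 0x{reg.size:x}) "
                "outside every heap segment: VirtualAlloc-style allocation")
    return f"{reg.kind} {reg.state} region 0x{reg.base:08x} ({reg.usage})"


# Constructed sample data (not from a real process). The first heap has
# grown a second segment, the case the asker mentions.
SEGMENTS = [
    HeapSegment(heap=0x00150000, base=0x00150000, end=0x00250000),
    HeapSegment(heap=0x00150000, base=0x00500000, end=0x00600000),
    HeapSegment(heap=0x00260000, base=0x00260000, end=0x00270000),
]
REGIONS = [
    Region(0x00030000, 0x00100000, "MEM_COMMIT", "MEM_PRIVATE", "Stack"),
    Region(0x00150000, 0x00100000, "MEM_COMMIT", "MEM_PRIVATE", "Heap"),
    Region(0x00260000, 0x00010000, "MEM_COMMIT", "MEM_PRIVATE", "Heap"),
    Region(0x00500000, 0x00100000, "MEM_COMMIT", "MEM_PRIVATE", "Heap"),
    Region(0x00ab0000, 0x00100000, "MEM_COMMIT", "MEM_PRIVATE", "<unknown>"),
    Region(0x7ffe0000, 0x00001000, "MEM_COMMIT", "MEM_PRIVATE", "Other"),
]

if __name__ == "__main__":
    for a in (0x00160040, 0x00510000, 0x00ab1000, 0x00040000, 0x7f000000):
        print(f"0x{a:08x}: {classify(a, SEGMENTS, REGIONS)}")
```

Segments are checked before regions on purpose: !address tags a heap segment's region as "Heap" only for the segment as a whole, so it is the segment list that tells you which heap (and which of that heap's segments) owns the block. Only when no segment claims the address does the region's state and type become the deciding evidence.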