WinDbg : An Introduction To Windows Heaps

标签：00000000 Heaps process heap Introduction Void Windows HEAP null

WinDbg : An Introduction To Windows Heaps

Heaps are used by applications which need to allocate and release memory dynamically. Even though the heap is the most common facility to accommodate dynamic memory allocations, it is not the only way. Several other methods are available:

• Memory can be requested through the C run time (CRT).
• The virtual memory manager or some other private memory manager.

Even though these methods are different, they are tightly coupled internally at the memory manager's level.   When a process starts, the heap manager automatically creates a new heap called the 'default process heap'. Although some processes are known to use the default heap, a very very large number rely on the CRT heap (using malloc/free family of APIs, or the default new/delete family of APIs).   Some processes however also create additional heaps (via HeapCreate(...) ). this method has advantage of isolating different components running in the process. Thus memory leaks can be easier to detect and debug, if we know exactly which heap is leaking. It is indeed good programming practice. Kernel programmers are used to using different tags for allocating memory for different objects, this method described above is the usermode solution to the problem.   The Windows heap manager has two sub components.   

• Front End Allocator.
• Back End Allocator.

The Front End Allocator is an optimization layer for the actual Back End Allocator. Thus, by choosing different front end allocators applications with differnt memory requirements can function appropriately. Example, some programs might expect small bursts of allocations, and thus might prefer to use a low fragmentation front end allocator. 
Windows supplies two different front end allocators:  

• Low fragmentation (LF) Front End Allocator.
• Look aside List (LAL) Front End Allocator.

Vista and above use the LF allocator by default, where as all older generations use the LAL allocator. The differences between these allocators re beyond the scope of the current discussion.   If the Front End Allocator is unable to satisfy the allocation requests, then the Back End Allocator takes over. It is made up of free lists. Each list has blocks of specific sizes. Such free blocks are sorted in ascending order of sizes. Again, a more elaborate discussion on how this is managed, or of it's algorithms is beyond the scope of this current article.   Enough theory, lets get into some practicals.   The first step for us is to determine which all heaps are active for a process.  
kd> $ Lets use the lsass process as an example. kd> $ First we need to find it's EPROCESS   kd> !process 0 0 lsass.exe PROCESS 84cdc860  SessionId: 0  Cid: 0208    Peb: 7ffda000  ParentCid: 018c     DirBase: 1eed30e0  ObjectTable: 95f00d18  HandleCount: 513.     Image: lsass.exe   kd> $ Next we need to switch contexts to this process (this is because this session is running from Kernel mode)   kd> .process /p /r 84cdc860   Implicit process is now 84cdc860 Loading User Symbols ............................................................   kd> $ The Process execution block (_PEB) helps us with finding the active heaps, so lets use dt to find it   kd> dt _PEB @$peb ntdll!_PEB    +0x000 InheritedAddressSpace : 0 ''    +0x001 ReadImageFileExecOptions : 0 ''    +0x002 BeingDebugged    : 0 ''    +0x003 BitField         : 0x8 ''    +0x003 ImageUsesLargePages : 0y0    +0x003 IsProtectedProcess : 0y0    +0x003 IsLegacyProcess  : 0y0    +0x003 IsImageDynamicallyRelocated : 0y1    +0x003 SkipPatchingUser32Forwarders : 0y0    +0x003 SpareBits        : 0y000    +0x004 Mutant           : 0xffffffff Void    +0x008 ImageBaseAddress : 0x00d90000 Void    +0x00c Ldr              : 0x77c77880 _PEB_LDR_DATA    +0x010 ProcessParameters : 0x00330f18 _RTL_USER_PROCESS_PARAMETERS    +0x014 SubSystemData    : (null)     +0x018 ProcessHeap      : 0x00330000 Void    +0x01c FastPebLock      : 0x77c77380 _RTL_CRITICAL_SECTION    +0x020 AtlThunkSListPtr : (null)     +0x024 IFEOKey          : (null)     +0x028 CrossProcessFlags : 0    +0x028 ProcessInJob     : 0y0    +0x028 ProcessInitializing : 0y0    +0x028 ProcessUsingVEH  : 0y0    +0x028 ProcessUsingVCH  : 0y0    +0x028 ProcessUsingFTH  : 0y0    +0x028 ReservedBits0    : 0y000000000000000000000000000 (0)    +0x02c KernelCallbackTable : 0x7790d568 Void    +0x02c UserSharedInfoPtr : 0x7790d568 Void    +0x030 SystemReserved   : [1] 0    +0x034 AtlThunkSListPtr32 : 0    +0x038 ApiSetMap        : 0x77de0000 Void    +0x03c TlsExpansionCounter : 0    +0x040 TlsBitmap        : 0x77c77260 Void    +0x044 TlsBitmapBits    : [2] 0x1fffff    +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void    +0x050 HotpatchInformation : (null)     +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null)     +0x058 AnsiCodePageData : 0x7ffb0000 Void    +0x05c OemCodePageData  : 0x7ffc0224 Void    +0x060 UnicodeCaseTableData : 0x7ffd0648 Void    +0x064 NumberOfProcessors : 1    +0x068 NtGlobalFlag     : 0    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000    +0x078 HeapSegmentReserve : 0x100000    +0x07c HeapSegmentCommit : 0x2000    +0x080 HeapDeCommitTotalFreeThreshold : 0x10000    +0x084 HeapDeCommitFreeBlockThreshold : 0x1000    +0x088 NumberOfHeaps    : 4    +0x08c MaximumNumberOfHeaps : 0x10    +0x090 ProcessHeaps     : 0x77c77500  -> 0x00330000 Void    +0x094 GdiSharedHandleTable : 0x004d0000 Void    +0x098 ProcessStarterHelper : (null)     +0x09c GdiDCAttributeList : 0x14    +0x0a0 LoaderLock       : 0x77c77340 _RTL_CRITICAL_SECTION    +0x0a4 OSMajorVersion   : 6    +0x0a8 OSMinorVersion   : 1    +0x0ac OSBuildNumber    : 0x1db1    +0x0ae OSCSDVersion     : 0x100    +0x0b0 OSPlatformId     : 2    +0x0b4 ImageSubsystem   : 2    +0x0b8 ImageSubsystemMajorVersion : 6    +0x0bc ImageSubsystemMinorVersion : 1    +0x0c0 ActiveProcessAffinityMask : 1    +0x0c4 GdiHandleBuffer  : [34] 0    +0x14c PostProcessInitRoutine : (null)     +0x150 TlsExpansionBitmap : 0x77c77268 Void    +0x154 TlsExpansionBitmapBits : [32] 1    +0x1d4 SessionId        : 0    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0    +0x1e8 pShimData        : (null)     +0x1ec AppCompatInfo    : (null)     +0x1f0 CSDVersion       : _UNICODE_STRING "Service Pack 1"    +0x1f8 ActivationContextData : 0x00040000 _ACTIVATION_CONTEXT_DATA    +0x1fc ProcessAssemblyStorageMap : (null)     +0x200 SystemDefaultActivationContextData : 0x00030000 _ACTIVATION_CONTEXT_DATA    +0x204 SystemAssemblyStorageMap : (null)     +0x208 MinimumStackCommit : 0    +0x20c FlsCallback      : 0x0033daa0 _FLS_CALLBACK_INFO    +0x210 FlsListHead      : _LIST_ENTRY [ 0x347828 - 0x3cb680 ]    +0x218 FlsBitmap        : 0x77c77270 Void    +0x21c FlsBitmapBits    : [4] 7    +0x22c FlsHighIndex     : 2    +0x230 WerRegistrationData : (null)     +0x234 WerShipAssertPtr : (null)     +0x238 pContextData     : 0x00050000 Void    +0x23c pImageHeaderHash : (null)     +0x240 TracingFlags     : 0    +0x240 HeapTracingEnabled : 0y0    +0x240 CritSecTracingEnabled : 0y0    +0x240 SpareTracingBits : 0y000000000000000000000000000000 (0)   kd> $ Now lets use dd to see what this address contains
  kd> dd 0x77c77500   77c77500  00330000 00010000 00250000 00d10000 77c77510  00000000 00000000 00000000 00000000 77c77520  00000000 00000000 00000000 00000000 77c77530  00000000 00000000 00000000 00000000 77c77540  00000000 77c77340 77c7ab08 77c77220 77c77550  00000000 00000004 00000000 00000000 77c77560  77c77220 003e3198 00000000 00000000 77c77570  00000000 00000000 00000000 00000000   The Default Process heap pointer is always the first one in this list. Since most applications work with the default heap, we will focus our attention on that.   The _HEAP structure in Windows is used to maintain a heap. So lets typecast this address to it.   kd> dt _HEAP 0x00330000 ntdll!_HEAP    +0x000 Entry            : _HEAP_ENTRY    +0x008 SegmentSignature : 0xffeeffee    +0x00c SegmentFlags     : 0    +0x010 SegmentListEntry : _LIST_ENTRY [ 0x3300a8 - 0x3300a8 ]    +0x018 Heap             : 0x00330000 _HEAP    +0x01c BaseAddress      : 0x00330000 Void    +0x020 NumberOfPages    : 0x100    +0x024 FirstEntry       : 0x00330588 _HEAP_ENTRY    +0x028 LastValidEntry   : 0x00430000 _HEAP_ENTRY    +0x02c NumberOfUnCommittedPages : 0x47    +0x030 NumberOfUnCommittedRanges : 1    +0x034 SegmentAllocatorBackTraceIndex : 0    +0x036 Reserved         : 0    +0x038 UCRSegmentList   : _LIST_ENTRY [ 0x3e8ff0 - 0x3e8ff0 ]    +0x040 Flags            : 2    +0x044 ForceFlags       : 0    +0x048 CompatibilityFlags : 0    +0x04c EncodeFlagMask   : 0x100000    +0x050 Encoding         : _HEAP_ENTRY    +0x058 PointerKey       : 0x37d910ba    +0x05c Interceptor      : 0    +0x060 VirtualMemoryThreshold : 0xfe00    +0x064 Signature        : 0xeeffeeff    +0x068 SegmentReserve   : 0x100000    +0x06c SegmentCommit    : 0x2000    +0x070 DeCommitFreeBlockThreshold : 0x800    +0x074 DeCommitTotalFreeThreshold : 0x2000    +0x078 TotalFreeSize    : 0xac0    +0x07c MaximumAllocationSize : 0x7ffdefff    +0x080 ProcessHeapsListIndex : 1    +0x082 HeaderValidateLength : 0x138    +0x084 HeaderValidateCopy : (null)     +0x088 NextAvailableTagIndex : 0    +0x08a MaximumTagIndex  : 0    +0x08c TagEntries       : (null)     +0x090 UCRList          : _LIST_ENTRY [ 0x3e8fe8 - 0x3e8fe8 ]    +0x098 AlignRound       : 0xf    +0x09c AlignMask        : 0xfffffff8    +0x0a0 VirtualAllocdBlocks : _LIST_ENTRY [ 0x3300a0 - 0x3300a0 ]    +0x0a8 SegmentList      : _LIST_ENTRY [ 0x330010 - 0x330010 ]    +0x0b0 AllocatorBackTraceIndex : 0    +0x0b4 NonDedicatedListLength : 0    +0x0b8 BlocksIndex      : 0x00330150 Void    +0x0bc UCRIndex         : 0x00330590 Void    +0x0c0 PseudoTagEntries : (null)     +0x0c4 FreeLists        : _LIST_ENTRY [ 0x3db6a8 - 0x3de378 ]    +0x0cc LockVariable     : 0x00330138 _HEAP_LOCK    +0x0d0 CommitRoutine    : 0x37d910ba     long  +37d910ba    +0x0d4 FrontEndHeap     : 0x00336548 Void    +0x0d8 FrontHeapLockCount : 0    +0x0da FrontEndHeapType : 0x2 ''    +0x0dc Counters         : _HEAP_COUNTERS    +0x130 TuningParameters : _HEAP_TUNING_PARAMETERS   Note: The _HEAP structure might be different for different versions of Windows.   A point to note here is that inside the _PEB there are two fields:   kd> dt _PEB ProcessH* ntdll!_PEB    +0x018 ProcessHeap : Ptr32 Void    +0x090 ProcessHeaps : Ptr32 Ptr32 Void   The ProcessHeaps is an array of pointers to the various heaps for the process. The ProcessHeap on the other hand will always store the address of the default heap of the process.   To browse all heaps in this process, we can use the WinDbg .for command, which is described here.   kd> .for (r $t0 = 0; @$t0 < 0x4; r $t0 = @$t0 + 1){dt _HEAP poi(0x77c77500 + ((@$t0)*4)) - y SegmentSignature} ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee
ntdll!_HEAP
   +0x008 SegmentSignature : 0xffeeffee   We will revisit heaps again for further elaborate discussions and even walking the heaps when we explore heap corruption scenarios.

标签：00000000,Heaps,process,heap,Introduction,Void,Windows,HEAP,null
From： https://www.cnblogs.com/ioriwellings/p/17157022.html