首页 > 系统相关 >Microsoft平台开发,内存特征码识别

Microsoft平台开发,内存特征码识别

时间:2023-04-03 14:45:41浏览次数:53  
标签:00 CC da 内存 ff memory 识别 Microsoft block

在软件调试的角度看,某种类型的数据都有它特别的特征码,就像以前的病毒,看到特征码就知道是什么类型的病毒

我们从16制格式的内存数据中也能猜出某段内存数据是什么相关类型数据,比如位图,文本 Ascii码,被free的内存(0xFEEEFEEE),刚被初始化的内存 ,栈:(0xCCCCCCCC)烫 堆:(0xCDCDCDCD) 都有一定的特征码

0019FD62  40 00 C8 91 40 00 1C FE 19 00 20 5F 40 00 00  @.葢@..... _@..
0019FD71  A0 3D 00 CC CC CC CC CC CC CC CC CC CC CC CC  .=.烫烫烫烫烫烫
0019FD80  CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫烫烫.
0019FD8F  CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫烫烫.
0019FD9E  CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC  烫烫烫烫烫烫烫.
0019FDAD  CC CC CC CC CC CC CC CC CC CC CC 28 FE 19 00  烫烫烫烫烫.(...
0019FDBC  D0 2B 40 00 65 00 00 00 C9 00 00 00 2D 01 00  [email protected]..
0019FDCB  00 7C FE 19 00 20 5F 40 00 00 A0 3D 00 CC CC  .|... _@...=.烫

内存保护边界无人区:

  • NoMansLand (0xFD)
    The “NoMansLand” buffers on either side of the memory used by an application are currently filled with 0xFD.

  • Freed blocks (0xDD)
    The freed blocks kept unused in the debug heap’s linked list when the _CRTDBG_DELAY_FREE_MEM_DF flag is set are currently filled with 0xDD.

  • New objects (0xCD)
    New objects are filled with 0xCD when they are allocated.

黑白位图特征:灰度值与透明度 00 代表全黑

00000000`546b0950  b1 b1 b1 b1 ff ff ff ff-ff ff ff ff ff ff ff ff  ................
00000000`546b0960  ff ff ff ff d1 d1 d1 d1-00 00 00 00 00 00 00 00  ................
00000000`546b0970  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0980  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0990  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b09a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b09b0  00 00 00 00 da da da da-ff ff ff ff ff ff ff ff  ................
00000000`546b09c0  ff ff ff ff ff ff ff ff-a3 a3 a3 a3 00 00 00 00  ................
00000000`546b09d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b09e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b09f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0a00  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0a10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0a20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0a30  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00000000`546b0a40  00 00 00 00 00 00 00 00-93 93 93 93 da da da da  ................
00000000`546b0a50  da da da da da da da da-da da da da da da da da  ................
00000000`546b0a60  da da da da da da da da-da da da da da da da da  ................
00000000`546b0a70  b1 b1 b1 b1 82 82 82 82-00 00 00 00 00 00 00 00  ................

 后来我发现国外有一个人做了更详细的介绍:

Win32 Debug CRT Heap Internals

www.nobugs.org

This is Andrew Birkett’s website. I’m a software developer, living in Edinburgh. Contact me at [email protected]. I write one blog mostly about software engineering, and another about cycling and unicycling.

 

 


 

Inside CRT: Debug Heap Management

 

This paper is copied from below link:

http://www.codeguru.com/cpp/w-p/win32/tutorials/article.php/c9535

When you compile a debug build of your program with Visual Studio and run it in debugger, you can see that the memory allocated or deallocated has funny values, such as 0xCDCDCDCD or 0xDDDDDDDD. This is the result of the work Microsoft has put in to detect memory corruption and leaks in the Win32 platform. In this article, I will explain how memory allocation/deallocation is done via new/delete or malloc/free.

First, I will explain what all these values that you see, like CD, DD, and so forth, mean.

ValueNameDescription
0xCD Clean Memory Allocated memory via malloc or new but never written by the application.
0xDD Dead Memory Memory that has been released with delete or free. It is used to detect writing through dangling pointers.
0xFD Fence Memory Also known as "no mans land." This is used to wrap the allocated memory (like surrounding it with fences) and is used to detect indexing arrays out of bounds.
0xAB (Allocated Block?) Memory allocated by LocalAlloc().
0xBAADF00D Bad Food Memory allocated by LocalAlloc() with LMEM_FIXED, but not yet written to.
0xCC   When the code is compiled with the /GZ option, uninitialized variables are automatically assigned to this value (at byte level).

If you take a look at DBGHEAP.C, you can see how some of these values are defined:

static unsigned char _bNoMansLandFill = 0xFD;   /* fill no-man's land with this */
static unsigned char _bDeadLandFill   = 0xDD;   /* fill free objects with this */
static unsigned char _bCleanLandFill  = 0xCD;   /* fill new objects with this */

Before going any further, take a look at the memory management function that I will refer in this article.

FunctionDescription
malloc C/C++ function that allocates a block of memory from the heap. The implementation of the C++ operator new is based on malloc.
_malloc_dbg Debug version of malloc; only available in the debug versions of the run-time libraries. _malloc_dbg is a debug version of the malloc function. When _DEBUG is not defined, each call to _malloc_dbg is reduced to a call to malloc. Both malloc and _malloc_dbg allocate a block of memory in the base heap, but _malloc_dbg offers several debugging features: buffers on either side of the user portion of the block to test for leaks, a block type parameter to track specific allocation types, and filename/linenumber information to determine the origin of allocation requests.
free C/C++ function that frees an allocated block. The implementation of C++ operator delete is based on free.
_free_dbg Debug version of free; only available in the debug versions of the run-time libraries. The _free_dbg function is a debug version of the free function. When _DEBUG is not defined, each call to _free_dbg is reduced to a call to free. Both free and _free_dbg free a memory block in the base heap, but _free_dbg accommodates two debugging features: the ability to keep freed blocks in the heap's linked list to simulate low memory conditions and a block type parameter to free specific allocation types.
LocalAlloc
GlobalAlloc
Win32 API to allocate the specified number of bytes from the heap. Windows memory management does not provide a separate local heap and global heap.
LocalFree
GlobalFree
Win32 API free the specified local memory object and invalidates its handle.
HeapAlloc Win32 API allocates a block of memory from a heap. The allocated memory is not movable.
HeapFree Win32 API frees a memory block allocated from a heap by the HeapAlloc or HeapReAlloc function.

There are many other functions that deal with memory management. For a complete view please refer to MSDN.

Note: Because this article is about memory management in a debug build, all the references to malloc and free in the following are actually references to their debug versions, _malloc_dbg and _free_dbg.

Compile the following code and run it in the debugger, walking step by step into it to see how memory is allocated and deallocated.

int main(int argc, char* argv[])
{
   char *buffer = new char[12];

   delete [] buffer;

   return 0;
}

Here, 12 bytes are dynamically allocated, but the CRT allocates more than that by wrapping the allocated block with bookkeeping information. For each allocated block, the CRT keeps information in a structure called _CrtMemBlockHeader, which is declared in DBGINT.H:

#define nNoMansLandSize 4

typedef struct _CrtMemBlockHeader
{
        struct _CrtMemBlockHeader * pBlockHeaderNext;
        struct _CrtMemBlockHeader * pBlockHeaderPrev;
        char *                      szFileName;
        int                         nLine;
        size_t                      nDataSize;
        int                         nBlockUse;
        long                        lRequest;
        unsigned char               gap[nNoMansLandSize];
        /* followed by:
         *  unsigned char           data[nDataSize];
         *  unsigned char           anotherGap[nNoMansLandSize];
         */
} _CrtMemBlockHeader;

It stores the following information:

FieldDescription
pBlockHeaderNext A pointer to the next block allocated, but next means the previous allocated block because the list is seen as a stack, with the latest allocated block at the top.
pBlockHeaderPrev A pointer to the previous block allocated; this means the block that was allocated after the current block.
szFileName A pointer to the name of the file in which the call to malloc was made, if known.
nLine The line in the source file indicated by szFileName at which the call to malloc was made, if known.
nDataSize Number of bytes requested
nBlockUse 0 - Freed block, but not released back to the Win32 heap
1 - Normal block (allocated with new/malloc)
2 - CRT blocks, allocated by CRT for its own use
lRequest Counter incremented with each allocation
gap A zone of 4 bytes (in the current implementation) filled with 0xFD, fencing the data block, of nDataSize bytes. Another block filled with 0xFD of the same size follows the data.

Most of the work of heap block allocation and deallocation are made by HeapAlloc() and HeapFree(). When you request 12 bytes to be allocated on the heap, malloc() will call HeapAlloc(), requesting 36 more bytes.

blockSize = sizeof(_CrtMemBlockHeader) + nSize + nNoMansLandSize;

malloc requests space for the 12 bytes we need (nSize), plus 32 bytes for the _CrtMemBlockHeader structure and another nNoMansLandSize bytes (4 bytes) to fence the data zone and close the gap.

But, HeapAlloc() will allocate even more bytes: 8 bytes below the requested block (that is, at a lower address) and 32 above it (that is, at a bigger address). It also initializes the requested block to 0xBAADF00D (bad food).

Then, malloc() fills the _CrtMemBlockHeader block with information and initializes the data block with 0xCD and no mans land with 0xFD.

Here is a table that shows how memory looks after the call to HeapAlloc() and after malloc() returns. For a complete situation, see the last table. (Note: All values are in hex.)

Addressafter HeapAlloc()after malloc()
00320FD8
00320FDC
00320FE0
00320FE4
00320FE8
00320FEC
00320FF0
00320FF4
00320FF8
00320FFC
00321000
00321004
00321008
0032100C
00321010
00321014
00321018
0032101C
00321020
00321024
00321028
0032102C
09 00 09 01
E8 07 18 00
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
0D F0 AD BA
AB AB AB AB
AB AB AB AB
00 00 00 00
00 00 00 00
79 00 09 00
EE 04 EE 00
40 05 32 00
40 05 32 00
09 00 09 01
E8 07 18 00
98 07 32 00
00 00 00 00
00 00 00 00
00 00 00 00
0C 00 00 00
01 00 00 00
2E 00 00 00
FD FD FD FD
CD CD CD CD
CD CD CD CD
CD CD CD CD
FD FD FD FD
AB AB AB AB
AB AB AB AB
00 00 00 00
00 00 00 00
79 00 09 00
EE 04 EE 00
40 05 32 00
40 05 32 00

Colors:

  • Green: win32 bookkeeping info
  • Blue: block size requested by malloc and filled with bad food
  • Magenta: _CrtMemBlockHeader block
  • Red: no mans land
  • Black: requested data block

In this example, after the call to malloc() returns, buffer will point to memory address 0x00321000.

When you call delete/free, the CRT will set the block it requested from HeapAlloc() to 0xDD, indicating this is a free zone. Normally after this, free() will call HeapFree() to give back the block to the Win32 heap, in which case the block will be overwritten with 0xFEEEEEEE, to indicate Win32 heap free memory.

You can avoid this by using the CRTDBG_DELAY_FREE_MEM_DF flag to _CrtSetDbgFlag(). It prevents memory from actually being freed, as for simulating low-memory conditions. When this bit is on, freed blocks are kept in the debug heap's linked list but are marked as _FREE_BLOCK. This is useful if you want to detect dangling pointers errors, which can be done by verifying if the freed block is written with 0xDD pattern or something else. Use _CrtCheckMemory() to verify the heap.s integrity.

The next table shows how the memory looks during the free(), before HeapFree() is called and afterwards.

AddressBefore HeapFree()After HeapFree()
00320FD8
00320FDC
00320FE0
00320FE4
00320FE8
00320FEC
00320FF0
00320FF4
00320FF8
00320FFC
00321000
00321004
00321008
0032100C
00321010
00321014
00321018
0032101C
00321020
00321024
00321028
0032102C
09 00 09 01
5E 07 18 00
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
DD DD DD DD
AB AB AB AB
AB AB AB AB
00 00 00 00
00 00 00 00
79 00 09 00
EE 04 EE 00
40 05 32 00
40 05 32 00
82 00 09 01
5E 04 18 00
E0 2B 32 00
78 01 32 00
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE
EE FE EE FE

Colors:

  • Green: win32 bookkeeping info
  • Blue: CRT block filled with dead memory
  • Gray: memory given back to win32 heap

The two tables above are put in a single, more detailed, table below:

Address (hex)OffsetHeapAllocmallocFree before HeapFreeFree after HeapFreeDescription
00320FD8 -40 01090009 01090009 01090009 01090082 Win32 Heap info
00320FDC -36 001807E8 001807E8 0018075E 0018045E Win32 Heap info
00320FE0 -32 BAADF00D 00320798 DDDDDDDD 00322BE0 pBlockHeaderNext
00320FE4 -28 BAADF00D 00000000 DDDDDDDD 00320178 pBlockHeaderPrev
00320FE8 -24 BAADF00D 00000000 DDDDDDDD FEEEEEEE szFileName
00320FEC -20 BAADF00D 00000000 DDDDDDDD FEEEEEEE nLine
00320FF0 -16 BAADF00D 0000000C DDDDDDDD FEEEEEEE nDataSize
00320FF4 -12 BAADF00D 00000001 DDDDDDDD FEEEEEEE nBlockUse
00320FF8 -8 BAADF00D 0000002E DDDDDDDD FEEEEEEE lRequest
00320FFC -4 BAADF00D FDFDFDFD DDDDDDDD FEEEEEEE gap (no mans land)
00321000 0 BAADF00D CDCDCDCD DDDDDDDD FEEEEEEE Data requested
00321004 +4 BAADF00D CDCDCDCD DDDDDDDD FEEEEEEE Data requested
00321008 +8 BAADF00D CDCDCDCD DDDDDDDD FEEEEEEE Data requested
0032100C +12 BAADF00D FDFDFDFD DDDDDDDD FEEEEEEE No mans land
00321010 +16 ABABABAB ABABABAB ABABABAB FEEEEEEE Win32 Heap info
00321014 +20 ABABABAB ABABABAB ABABABAB FEEEEEEE Win32 Heap info
00321018 +24 00000000 00000000 00000000 FEEEEEEE Win32 Heap info
0032101C +28 00000000 00000000 00000000 FEEEEEEE Win32 Heap info
00321020 +32 00090079 00090079 00090079 FEEEEEEE Win32 Heap info
00321024 +36 00EE04EE 00EE04EE 00EE04EE FEEEEEEE Win32 Heap info
00321028 +40 00320540 00320540 00320540 FEEEEEEE Win32 Heap info
0032102C +44 00320540 00320540 00320540 FEEEEEEE Win32 Heap info

Most time you may find that there is no filename and line name. If you need, you need to do like below:

#define DEBUG_NEW new(_NORMAL_BLOCK, __FILE__, __LINE__)
#define new DEBUG_NEW

And for the

_crtBreakAlloc,

you'd better take a look at below article.

How to use _crtBreakAlloc to debug a memory allocation

http://support.microsoft.com/kb/151585

标签:00,CC,da,内存,ff,memory,识别,Microsoft,block
From: https://www.cnblogs.com/ioriwellings/p/17282958.html

相关文章

  • m基于AlexNet神经网络和GEI步态能量图的步态识别算法MATLAB仿真
    1.算法描述        AlexNet是2012年ImageNet竞赛冠军获得者Hinton和他的学生AlexKrizhevsky设计的。也是在那年之后,更多的更深的神经网络被提出,比如优秀的vgg,GoogLeNet。这对于传统的机器学习分类算法而言,已经相当的出色。Alexnet网络模型于2012年提出。它具有更高维......
  • ASP.NET Core - 缓存之内存缓存(上)
    1.缓存缓存指的是在软件应用运行过程中,将一些数据生成副本直接进行存取,而不是从原始源(数据库,业务逻辑计算等)读取数据,减少生成内容所需的工作,从而显著提高应用的性能和可伸缩性,使用好缓存技术,有利于提高我们提升用户体验性。对于缓存的使用有以下一些注意点:缓存最适用于不常更......
  • 556系列反射内存卡
    如果您正在寻找一款高效、可靠的内存卡,那么我们的反射内存卡绝对是您的不二选择!我们的5565系列反射内存卡采用最新的PCIe技术,具有极快的读写传输速度,可轻松应对大型文件和高清视频的存储和传输需求。此外,我们的反射内存卡还采用了高品质的闪存芯片和抗震抗压外壳,可保证您的数据安全......
  • Microsoft.SqlServer.Management.SqlMgmt.SimpleJobSchedule”上的属性访问器“Schedu
    标题:MicrosoftSQLServerManagementStudio对象“Microsoft.SqlServer.Management.SqlMgmt.SimpleJobSchedule”上的属性访问器“ScheduleRecurrenceAndTimes”发生以下异常:“对象“Microsoft.SqlServer.Management.SqlMgmt.SimpleJobSchedule”上的属性访问器“StartTimeOfD......
  • Microsoft Visual Studio 企业应用开发高效编程
    有一个假设在大自然中人和动物们比赛,比谁跑的"快".其实想想也知道,我们绝对不可能拿第一,毕竟跑的比人快的动物多的去了,老虎,狮子,猎豹,就连素食的羚羊跑的也比我们快不少.人类之所以将自己凌驾于动物之上,一方面智商使然,另一方面我们利用我们的智慧创造了原本没有的东西"工具".......
  • 内存屏障踩坑
    内存屏障踩坑最近为了给linux系统装上一个新的scheduler,连续一周在熬夜看linux的内核源码。打算等有时间出一个详细的教程怎么搞这类东西作为存档,也要再学习一下。但是这不是今天的主题,今天的主题是一个非常坑爹的bug。在linux内核模块中,调度器为了提高性能,在每次进行调度的时候......
  • [转]C#写一个后台运行的文字识别工具
    最近做笔记需要一个截图后获取图中文字的轻型程序,最好直接按快捷键就能识别并将文字自动复制。网上的应该都是要钱的,或者东西太杂了看着乱得慌,于是决定自己写。我c#只稍微学了一点,讲的不好的地方代码不规范的地方见谅。我使用的是百度的文字识别api,请先自己去申请一下资源,免费......
  • m基于WOA优化的SVM乳腺癌细胞和正常细胞分类识别算法matlab仿真,对比BP网络,SVM,PSO+S
    1.算法描述       SVM是有监督的学习模型,我们需要事先对数据打上分类标签,通过求解最大分类间隔来求解二分类问题。如果要求解多分类问题,可以将多个二分类器组合起来形成一个多分类器。        WOA算法设计的既精妙又富有特色,它源于对自然界中座头鲸群体狩猎行......
  • 从 JDK 9 到 19,认识一个新的 Java 形态(内存篇)
    前言在JDK9之前,Java基本上平均每三年出一个版本。但是自从2017年9月份推出JDK9到现在,Java开始了疯狂更新的模式,基本上保持了每年两个大版本的节奏。从2017年至今,已经发布了一个版本到了JDK19。其中包括了两个LTS版本(JDK11与JDK17)。除了版本更新节奏明显加快之......
  • Demo03 数据类型 类型转换 内存溢出
    关键字数据类型java是强类型语言要求变量的使用要严格符合规定,所有变量都要先定义后才能使用 Java的数据类型分为两大类基本类型(primitivetype)引用类型(referencetype)  publicclassDemo02{   publicstaticvoidmain(String[]args){   ......