Dailydave mailing list archives

How to get heap head structure?


From: "Lei Zhao" <as2001o2004 () gmail com>
Date: Fri, 16 Jun 2006 10:22:06 +0800

Hi guys,
       Here is the heap head structure.
==================================================
struct _XP2600_2180_HEAP /* sizeof 00000588 1416 */
{
/* off 0x00000000 */ struct _XP2600_2180_HEAP_ENTRY Entry;
/* off 0x00000008 */ unsigned long Signature;
/* off 0x0000000C */ unsigned long Flags;
/* off 0x00000010 */ unsigned long ForceFlags;
/* off 0x00000014 */ unsigned long VirtualMemoryThreshold;
/* off 0x00000018 */ unsigned long SegmentReserve;
/* off 0x0000001C */ unsigned long SegmentCommit;
/* off 0x00000020 */ unsigned long DeCommitFreeBlockThreshold;
/* off 0x00000024 */ unsigned long DeCommitTotalFreeThreshold;
/* off 0x00000028 */ unsigned long TotalFreeSize;
/* off 0x0000002C */ unsigned long MaximumAllocationSize;
/* off 0x00000030 */ unsigned short ProcessHeapsListIndex;
/* off 0x00000032 */ unsigned short HeaderValidateLength;
/* off 0x00000034 */ void* HeaderValidateCopy;
/* off 0x00000038 */ unsigned short NextAvailableTagIndex;
/* off 0x0000003A */ unsigned short MaximumTagIndex;
/* off 0x0000003C */ struct _XP2600_2180_HEAP_TAG_ENTRY* TagEntries;
/* off 0x00000040 */ struct _XP2600_2180_HEAP_UCR_SEGMENT* UCRSegments;
/* off 0x00000044 */ struct _XP2600_2180_HEAP_UNCOMMMTTED_RANGE* UnusedUnCommittedRanges;
/* off 0x00000048 */ unsigned long AlignRound;
/* off 0x0000004C */ unsigned long AlignMask;
/* off 0x00000050 */ struct _XP2600_2180_LIST_ENTRY VirtualAllocdBlocks;
/* off 0x00000058 */ struct _XP2600_2180_HEAP_SEGMENT* Segments[64];
/* off 0x00000158 */ union _XP2600_2180__unnamed_0000026A u;
/* off 0x00000168 */ union _XP2600_2180__unnamed_0000026B u2;
/* off 0x0000016A */ unsigned short AllocatorBackTraceIndex;
/* off 0x0000016C */ unsigned long NonDedicatedListLength;
/* off 0x00000170 */ void* LargeBlocksIndex;
/* off 0x00000174 */ struct _XP2600_2180_HEAP_PSEUDO_TAG_ENTRY* PseudoTagEntries;
/* off 0x00000178 */ struct _XP2600_2180_LIST_ENTRY FreeLists[128];
/* off 0x00000578 */ struct _XP2600_2180_HEAP_LOCK* LockVariable;
/* off 0x0000057C */ long( __stdcall *CommitRoutine)(void*,void**,unsigned long*);
/* off 0x00000580 */ void* FrontEndHeap;
/* off 0x00000584 */ unsigned short FrontHeapLockCount;
/* off 0x00000586 */ unsigned char FrontEndHeapType;
/* off 0x00000587 */ unsigned char LastSegmentIndex;
};
============================================================
Who knows how to get the pointer to this structure? In a normal heap
overflow, we usually use the 8-byte _XP2600_2180_HEAP_ENTRY structure. But
it seems that there is no way to get the _XP2600_2180_HEAP structure. I
have traced the PEB structure, but the "ProcessHeap" pointer doesn't point to
this structure.


Thanks a lot & Regards
   as2001o2004
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
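The following is an added example, not code from the post or from anyone on the list. It mirrors the _HEAP layout posted above with explicit 32-bit types so the offsets can be checked on any host, and it simulates the usual way of getting from a chunk back to its _HEAP when only a chunk address is known: the chunk's segment was reserved on a 64K boundary, segment 0 begins with the _HEAP itself (the heap handle is the base of the reserved region) and every later segment begins with a _HEAP_SEGMENT whose Heap field points back at the _HEAP. The signature values 0xEEFFEEFF (_HEAP) and 0xFFEEFFEE (_HEAP_SEGMENT) are the XP constants; everything else in the image (base address 0x00150000, the segment 0 header at heap+0x640, the chunk addresses) is constructed for the example and is an assumption, not a dump of a real process.

```c
/* Added example, not from the post: a 32-bit-exact mirror of the XP SP2 _HEAP
 * layout above, plus a portable simulation of recovering the _HEAP from a chunk.
 * The target address space is a byte array and target pointers are uint32_t. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HEAP_SIGNATURE    0xEEFFEEFFu  /* _HEAP.Signature on XP */
#define SEGMENT_SIGNATURE 0xFFEEFFEEu  /* _HEAP_SEGMENT.Signature on XP */
#define GRANULE           0x10000u     /* VirtualAlloc reservation granularity, 64K */
#define IMAGE_BASE        0x00150000u  /* assumed heap base of the constructed image */
#define IMAGE_SIZE        0x50000u
#define HEAP_BASE         IMAGE_BASE   /* segment 0 starts with the _HEAP itself */
#define SEG0_HDR          (HEAP_BASE + 0x640u) /* segment 0 header; placement assumed */
#define SEG1_BASE         0x00180000u  /* second segment, 128K, header at its base */
#define CHUNK_A_HDR       0x00163008u  /* HEAP_ENTRY of a busy chunk in segment 0 */
#define CHUNK_B_HDR       0x00191508u  /* HEAP_ENTRY of a busy chunk in segment 1 */

typedef uint32_t ptr32;
typedef struct { uint16_t Size, PreviousSize; uint8_t SmallTagIndex, Flags, UnusedBytes, SegmentIndex; } HEAP_ENTRY32;
typedef struct { ptr32 Flink, Blink; } LIST_ENTRY32;
typedef struct { HEAP_ENTRY32 Entry; uint32_t Signature, Flags; ptr32 Heap; } HEAP_SEGMENT32; /* first 0x14 bytes */
typedef struct {                                                  /* offsets as posted above */
    HEAP_ENTRY32 Entry;                                           /* 0x000 */
    uint32_t Signature, Flags, ForceFlags, VirtualMemoryThreshold; /* 0x008 */
    uint32_t SegmentReserve, SegmentCommit, DeCommitFreeBlockThreshold; /* 0x018 */
    uint32_t DeCommitTotalFreeThreshold, TotalFreeSize, MaximumAllocationSize; /* 0x024 */
    uint16_t ProcessHeapsListIndex, HeaderValidateLength; ptr32 HeaderValidateCopy; /* 0x030 */
    uint16_t NextAvailableTagIndex, MaximumTagIndex; ptr32 TagEntries, UCRSegments, UnusedUnCommittedRanges; /* 0x038 */
    uint32_t AlignRound, AlignMask; LIST_ENTRY32 VirtualAllocdBlocks; /* 0x048 */
    ptr32    Segments[64];                                        /* 0x058 */
    uint8_t  u[16];                                               /* 0x158 unnamed union, raw */
    uint16_t u2, AllocatorBackTraceIndex; uint32_t NonDedicatedListLength; /* 0x168 */
    ptr32    LargeBlocksIndex, PseudoTagEntries;                  /* 0x170 */
    LIST_ENTRY32 FreeLists[128];                                  /* 0x178 */
    ptr32    LockVariable, CommitRoutine, FrontEndHeap;           /* 0x578 */
    uint16_t FrontHeapLockCount; uint8_t FrontEndHeapType, LastSegmentIndex; /* 0x584 */
} HEAP32;                                                         /* sizeof 0x588 == 1416 */

static uint8_t image[IMAGE_SIZE];

/* Map a target address into the image; NULL when [addr, addr+len) lies outside it. */
static const uint8_t *va(ptr32 addr, uint32_t len) {
    if (addr < IMAGE_BASE || addr - IMAGE_BASE > IMAGE_SIZE - len) return NULL;
    return image + (addr - IMAGE_BASE);
}

/* 1 if the mirror reproduces the key offsets and the 1416-byte size from the post. */
int layout_matches_post(void) {
    return sizeof(HEAP32) == 0x588 && offsetof(HEAP32, Segments) == 0x58
        && offsetof(HEAP32, FreeLists) == 0x178 && offsetof(HEAP32, FrontEndHeap) == 0x580
        && offsetof(HEAP32, LastSegmentIndex) == 0x587;
}

/* Constructed sample, not a real dump: one heap, two segments, one busy chunk each. */
int build_image(void) {
    HEAP32 h; HEAP_SEGMENT32 s; HEAP_ENTRY32 e; unsigned i;
    memset(image, 0, sizeof image); memset(&h, 0, sizeof h);
    h.Signature = HEAP_SIGNATURE; h.Flags = 2;                    /* HEAP_GROWABLE */
    h.Segments[0] = SEG0_HDR; h.Segments[1] = SEG1_BASE; h.LastSegmentIndex = 1;
    for (i = 0; i < 128; i++)                                     /* empty lists point at themselves */
        h.FreeLists[i].Flink = h.FreeLists[i].Blink = HEAP_BASE + 0x178 + 8 * i;
    memcpy(image + (HEAP_BASE - IMAGE_BASE), &h, sizeof h);
    memset(&s, 0, sizeof s); s.Signature = SEGMENT_SIGNATURE; s.Heap = HEAP_BASE;
    memcpy(image + (SEG0_HDR - IMAGE_BASE), &s, sizeof s);
    memcpy(image + (SEG1_BASE - IMAGE_BASE), &s, sizeof s);
    memset(&e, 0, sizeof e); e.Size = 0x20; e.PreviousSize = 0x10; e.Flags = 1; /* HEAP_ENTRY_BUSY */
    memcpy(image + (CHUNK_A_HDR - IMAGE_BASE), &e, sizeof e);     /* SegmentIndex 0 */
    e.SegmentIndex = 1; memcpy(image + (CHUNK_B_HDR - IMAGE_BASE), &e, sizeof e);
    return 1;
}

/* Walk down from the chunk header in 64K steps: segments are reserved on 64K
 * boundaries, segment 0 begins with the _HEAP and later ones with a _HEAP_SEGMENT
 * whose Heap field points back to it. Returns 0 when nothing is found. */
ptr32 find_heap_from_chunk(ptr32 chunk_hdr) {
    ptr32 p = chunk_hdr & ~(GRANULE - 1);
    for (;;) {
        const uint8_t *m = va(p, sizeof(HEAP_SEGMENT32)); uint32_t sig; ptr32 heap;
        if (!m) return 0;
        memcpy(&sig, m + 8, sizeof sig);
        if (sig == HEAP_SIGNATURE) return p;
        if (sig == SEGMENT_SIGNATURE) { memcpy(&heap, m + 0x10, sizeof heap); return heap; }
        if (p < GRANULE) return 0;
        p -= GRANULE;
    }
}

/* A signature alone is weak evidence (any chunk body can hold 0xEEFFEEFF), so
 * cross-check that every segment recorded in Segments[] points back to this heap. */
int heap_header_sane(ptr32 heap) {
    const uint8_t *m = va(heap, sizeof(HEAP32)); HEAP32 h; HEAP_SEGMENT32 seg; unsigned i;
    if (!m) return 0;
    memcpy(&h, m, sizeof h);
    if (h.Signature != HEAP_SIGNATURE || h.LastSegmentIndex >= 64) return 0;
    for (i = 0; i <= h.LastSegmentIndex; i++) {
        const uint8_t *s = va(h.Segments[i], sizeof seg);
        if (!s) return 0;
        memcpy(&seg, s, sizeof seg);
        if (seg.Signature != SEGMENT_SIGNATURE || seg.Heap != heap) return 0;
    }
    return 1;
}
```

Two caveats when doing this against a live process rather than a byte array: stepping down in 64K units can land on a reserved-but-uncommitted page inside the segment, which faults, so in a debugger or with a memory-read API you check each page before touching it; and a bare signature match is spoofable, which is why heap_header_sane() insists that every segment the header claims to own points back to the same _HEAP before trusting fields such as FreeLists or FrontEndHeap. Once the _HEAP is in hand, HEAP_ENTRY.SegmentIndex of any chunk indexes Segments[] directly.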
