Windows 8 Heap Internals - Illmatics.com



Windows 8 Heap Internals

Chris Valasek, Sr. Security Research Scientist – Coverity, [email protected], @nudehaberdasher



Tarjei Mandt, Sr. Vulnerability Researcher – Azimuth, [email protected], @kernelpool

1 | Windows 8 Heap Internals

Contents

Introduction ............................................................ 4
Overview ................................................................ 4
Prior Works ............................................................. 5
Prerequisites ........................................................... 5
    User Land ........................................................... 5
    Kernel Land ......................................................... 5
Terminology ............................................................. 6
User Land Heap Manager .................................................. 7
    Data Structures ..................................................... 7
        _HEAP (HeapBase) ................................................ 7
        _LFH_HEAP (Heap->FrontEndHeap) .................................. 8
        _HEAP_LOCAL_DATA (Heap->FrontEndHeap->LocalData) ................ 9
        _HEAP_LOCAL_SEGMENT_INFO (Heap->LFH->SegmentInfoArrays[] / AffinitizedInfoArrays[]) ... 9
        _HEAP_SUBSEGMENT (Heap->LFH->InfoArrays[]->ActiveSubsegment) .... 10
        _HEAP_USERDATA_HEADER (Heap->LFH->InfoArrays[]->ActiveSubsegment->UserBlocks) ... 11
        _RTL_BITMAP (Heap->LFH->InfoArrays[]->ActiveSubsegment->UserBlocks->Bitmap) ... 12
        _HEAP_ENTRY ..................................................... 12
    Architecture ........................................................ 13
    Algorithms – Allocation ............................................. 15
        Intermediate .................................................... 15
        BackEnd ......................................................... 18
        Front End ....................................................... 25
    Algorithms – Freeing ................................................ 37
        Intermediate .................................................... 37
        BackEnd ......................................................... 40
        FrontEnd ..........................................................