Stylo wrote: Thanks!
But how can you retrieve the heap handle from that?
As far as I got it right, the Heap Id only applies to the tool help, and there's no heap handle in those structures.
A long time ago, maybe 10 years ago, I did a simple process manager; one of its functionalities was listing process heaps. Why I'm telling this: things may have changed heavily since that time.
1) get PEB and lock it;
2) read PEB->NumberOfHeaps and allocate enough space for holding pointers;
3) read PEB->ProcessHeapsListBuffer, where all process heaps are stored (you can verify through GetProcessHeap(): the returned pointer will be listed here); each value here is a handle pointer;
4) unlock PEB.
edit:
Seems all things are still the same.
lkd> dt nt!_PEB 00000000`fffdf000
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 BitField : 0x8 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsLegacyProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 SpareBits : 0y000
+0x008 Mutant : 0xffffffff`ffffffff Void
+0x010 ImageBaseAddress : 0x00000000`00120000 Void
+0x018 Ldr : 0x00000000`775a2640 _PEB_LDR_DATA
+0x020 ProcessParameters : 0x00000000`01132640 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData : (null)
+0x030 ProcessHeap : 0x00000000`01130000 Void
+0x038 FastPebLock : 0x00000000`775aa960 _RTL_CRITICAL_SECTION
/--- skip
+0x0e8 NumberOfHeaps : 2
+0x0ec MaximumNumberOfHeaps : 0x10
+0x0f0 ProcessHeaps : 0x00000000`775aa6c0 -> 0x00000000`01130000 Void
From the pointer itself you can extract a lot of information (all inside the undocumented HEAP structure). Below is from W7.
lkd> dt nt!_HEAP
+0x000 Entry : _HEAP_ENTRY
+0x010 SegmentSignature : Uint4B
+0x014 SegmentFlags : Uint4B
+0x018 SegmentListEntry : _LIST_ENTRY
+0x028 Heap : Ptr64 _HEAP
+0x030 BaseAddress : Ptr64 Void
+0x038 NumberOfPages : Uint4B
+0x040 FirstEntry : Ptr64 _HEAP_ENTRY
+0x048 LastValidEntry : Ptr64 _HEAP_ENTRY
+0x050 NumberOfUnCommittedPages : Uint4B
+0x054 NumberOfUnCommittedRanges : Uint4B
+0x058 SegmentAllocatorBackTraceIndex : Uint2B
+0x05a Reserved : Uint2B
+0x060 UCRSegmentList : _LIST_ENTRY
+0x070 Flags : Uint4B
+0x074 ForceFlags : Uint4B
+0x078 CompatibilityFlags : Uint4B
+0x07c EncodeFlagMask : Uint4B
+0x080 Encoding : _HEAP_ENTRY
+0x090 PointerKey : Uint8B
+0x098 Interceptor : Uint4B
+0x09c VirtualMemoryThreshold : Uint4B
+0x0a0 Signature : Uint4B
+0x0a8 SegmentReserve : Uint8B
+0x0b0 SegmentCommit : Uint8B
+0x0b8 DeCommitFreeBlockThreshold : Uint8B
+0x0c0 DeCommitTotalFreeThreshold : Uint8B
+0x0c8 TotalFreeSize : Uint8B
+0x0d0 MaximumAllocationSize : Uint8B
+0x0d8 ProcessHeapsListIndex : Uint2B
+0x0da HeaderValidateLength : Uint2B
+0x0e0 HeaderValidateCopy : Ptr64 Void
+0x0e8 NextAvailableTagIndex : Uint2B
+0x0ea MaximumTagIndex : Uint2B
+0x0f0 TagEntries : Ptr64 _HEAP_TAG_ENTRY
+0x0f8 UCRList : _LIST_ENTRY
+0x108 AlignRound : Uint8B
+0x110 AlignMask : Uint8B
+0x118 VirtualAllocdBlocks : _LIST_ENTRY
+0x128 SegmentList : _LIST_ENTRY
+0x138 AllocatorBackTraceIndex : Uint2B
+0x13c NonDedicatedListLength : Uint4B
+0x140 BlocksIndex : Ptr64 Void
+0x148 UCRIndex : Ptr64 Void
+0x150 PseudoTagEntries : Ptr64 _HEAP_PSEUDO_TAG_ENTRY
+0x158 FreeLists : _LIST_ENTRY
+0x168 LockVariable : Ptr64 _HEAP_LOCK
+0x170 CommitRoutine : Ptr64 long
+0x178 FrontEndHeap : Ptr64 Void
+0x180 FrontHeapLockCount : Uint2B
+0x182 FrontEndHeapType : UChar
+0x188 Counters : _HEAP_COUNTERS
+0x1f8 TuningParameters : _HEAP_TUNING_PARAMETERS
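The four steps above, carried out against a PEB image, as an added example (this is my code, not the poster's): it reads NumberOfHeaps (+0xe8), MaximumNumberOfHeaps (+0xec) and the ProcessHeaps array (+0xf0) using the x64 offsets from the dt output, then cross-checks the result the way the post suggests: PEB->ProcessHeap (+0x30, the GetProcessHeap() value) must appear in the list, and each heap header's ProcessHeapsListIndex (+0xd8) must match its slot. Memory is read through a callback, so the same walk works over a dump or, with a reader wrapping ReadProcessMemory, a live process. Assumptions: the layout is the Win7 x64 one quoted above, ProcessHeapsListIndex is taken to be 1-based, the snapshot contents (second heap at 0x01240000, the heap header bytes) are constructed sample data, and the lock/unlock step from the post is left to the caller.

```c
/* Added example, not the original poster's code: walks the heap list from a PEB
 * image using the x64 offsets in the dt output above. Reads go through a
 * callback so the code works on a constructed snapshot (below) or a real one. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEB_PROCESSHEAP          0x030   /* default heap, what GetProcessHeap() returns */
#define PEB_NUMBEROFHEAPS        0x0e8
#define PEB_MAXNUMBEROFHEAPS     0x0ec
#define PEB_PROCESSHEAPS         0x0f0   /* pointer to array of _HEAP* */
#define PEB_READ_LEN             0x100
#define HEAP_PROCESSHEAPSLISTIDX 0x0d8   /* Uint2B inside _HEAP */
#define HEAP_READ_LEN            0x0e0
#define MAX_HEAPS                64

/* Memory reader: copy len bytes at virtual address va into dst; 1 on success. */
typedef int (*read_fn)(void *ctx, uint64_t va, void *dst, size_t len);

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Steps 2 and 3 of the post: read NumberOfHeaps, then the ProcessHeaps array.
 * Returns the count, or -1 if the PEB is unreadable or inconsistent. */
int enumerate_heaps(read_fn rd, void *ctx, uint64_t peb_va, uint64_t *out, size_t max_out)
{
    uint8_t peb[PEB_READ_LEN];
    if (!rd(ctx, peb_va, peb, sizeof peb)) return -1;
    uint32_t n = rd32(peb + PEB_NUMBEROFHEAPS);
    uint32_t maxn = rd32(peb + PEB_MAXNUMBEROFHEAPS);
    uint64_t list_va = rd64(peb + PEB_PROCESSHEAPS);
    /* A count above MaximumNumberOfHeaps or a NULL list means a corrupt/tampered PEB. */
    if (n > maxn || n > max_out || list_va == 0) return -1;
    for (uint32_t i = 0; i < n; i++)
        if (!rd(ctx, list_va + 8ULL * i, &out[i], 8)) return -1;
    return (int)n;
}

/* Cross-checks: the default heap must be in the list, and each _HEAP header's
 * ProcessHeapsListIndex must match its slot. ASSUMPTION: the index is 1-based. */
int validate_heap_list(read_fn rd, void *ctx, uint64_t peb_va, const uint64_t *heaps, int n)
{
    uint8_t peb[PEB_READ_LEN], hdr[HEAP_READ_LEN];
    if (n < 0 || !rd(ctx, peb_va, peb, sizeof peb)) return 0;
    uint64_t default_heap = rd64(peb + PEB_PROCESSHEAP);
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (!rd(ctx, heaps[i], hdr, sizeof hdr)) return 0;
        if (rd16(hdr + HEAP_PROCESSHEAPSLISTIDX) != (uint16_t)(i + 1)) return 0;
        if (heaps[i] == default_heap) found = 1;
    }
    return found;
}

/* ---- Constructed snapshot: sample data, not a real dump ---- */
struct region { uint64_t va; size_t len; uint8_t *data; };
struct snapshot { struct region r[4]; };

static int snap_read(void *ctx, uint64_t va, void *dst, size_t len)
{
    struct snapshot *s = ctx;
    for (size_t i = 0; i < 4; i++)
        if (va >= s->r[i].va && va + len <= s->r[i].va + s->r[i].len) {
            memcpy(dst, s->r[i].data + (va - s->r[i].va), len);
            return 1;
        }
    return 0;   /* address not in the snapshot */
}

static uint8_t g_peb[PEB_READ_LEN], g_list[16], g_heap1[HEAP_READ_LEN], g_heap2[HEAP_READ_LEN];
#define PEB_VA   0xfffdf000ULL   /* PEB address from the post's dt command */
#define LIST_VA  0x775aa6c0ULL   /* ProcessHeaps value from the post */
#define HEAP1_VA 0x01130000ULL   /* default heap from the post */
#define HEAP2_VA 0x01240000ULL   /* constructed second heap */

/* Builds the snapshot with a caller-chosen NumberOfHeaps so a tampered value can be tried. */
static struct snapshot make_sample(uint32_t number_of_heaps)
{
    memset(g_peb, 0, sizeof g_peb); memset(g_heap1, 0, sizeof g_heap1); memset(g_heap2, 0, sizeof g_heap2);
    uint64_t dh = HEAP1_VA, lv = LIST_VA, h2 = HEAP2_VA; uint32_t maxn = 0x10; uint16_t i1 = 1, i2 = 2;
    memcpy(g_peb + PEB_PROCESSHEAP, &dh, 8);
    memcpy(g_peb + PEB_NUMBEROFHEAPS, &number_of_heaps, 4);
    memcpy(g_peb + PEB_MAXNUMBEROFHEAPS, &maxn, 4);
    memcpy(g_peb + PEB_PROCESSHEAPS, &lv, 8);
    memcpy(g_list, &dh, 8); memcpy(g_list + 8, &h2, 8);
    memcpy(g_heap1 + HEAP_PROCESSHEAPSLISTIDX, &i1, 2);
    memcpy(g_heap2 + HEAP_PROCESSHEAPSLISTIDX, &i2, 2);
    struct snapshot s = {{{PEB_VA, sizeof g_peb, g_peb}, {LIST_VA, sizeof g_list, g_list},
                          {HEAP1_VA, sizeof g_heap1, g_heap1}, {HEAP2_VA, sizeof g_heap2, g_heap2}}};
    return s;
}

/* Heap count found in the sample; -1 when NumberOfHeaps exceeds MaximumNumberOfHeaps. */
int sample_heap_count(uint32_t number_of_heaps)
{
    struct snapshot s = make_sample(number_of_heaps);
    uint64_t heaps[MAX_HEAPS];
    return enumerate_heaps(snap_read, &s, PEB_VA, heaps, MAX_HEAPS);
}

/* 1 when the sample's two-heap list passes both cross-checks. */
int sample_list_valid(void)
{
    struct snapshot s = make_sample(2);
    uint64_t heaps[MAX_HEAPS];
    int n = enumerate_heaps(snap_read, &s, PEB_VA, heaps, MAX_HEAPS);
    return validate_heap_list(snap_read, &s, PEB_VA, heaps, n);
}

int main(void)
{
    struct snapshot s = make_sample(2);
    uint64_t heaps[MAX_HEAPS];
    int n = enumerate_heaps(snap_read, &s, PEB_VA, heaps, MAX_HEAPS);
    for (int i = 0; i < n; i++) printf("heap[%d] = 0x%llx\n", i, (unsigned long long)heaps[i]);
    printf("list consistent: %d, corrupt count rejected: %d\n",
           validate_heap_list(snap_read, &s, PEB_VA, heaps, n), sample_heap_count(0x11) == -1);
    return 0;
}
```

The reader callback is the only piece that changes between a dump and a live target; the NumberOfHeaps vs MaximumNumberOfHeaps bound and the ProcessHeapsListIndex match are the checks worth keeping in either case, since a tool that trusts NumberOfHeaps blindly will walk past the end of the array on a corrupted PEB.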