Determining the size of an object allocated on the heap

reverse-engineering debugging windbg
2021-06-21 10:25:25

As part of an assignment dealing with the Operation Aurora exploit, I am supposed to determine the size of a C++ class that is allocated on the heap.

I used:

0:017> !heap -p -a <address of the class I am researching>

and got:

address 047dcf08 found in
  _DPH_HEAP_ROOT @ 12d1000
  in busy allocation (DPH_HEAP_BLOCK:     UserAddr     UserSize -    VirtAddr   VirtSize)
                             4501270:      47dcf08           f8 -     47dc000       2000

Based on UserSize the object is 0xf8 bytes, but are there any header/trailer bytes that have to be subtracted to get the actual size of the class within this allocated block?

2 Answers

No, UserSize is the size that was passed to the allocator.

malloc(0x100); // UserSize 100 (hex, as !heap prints it)

One obvious exception is if you are using a custom heap allocator built on top of the standard heap allocator.

This is not a direct answer, but there is a nice command in WinDbg that lets you "decipher" the answer to most of these questions yourself; the command is named .ocommand.

An example showing how to determine the UserSize of a pointer using this command:

#include <stdio.h>
#include <windows.h>

/* Format a debugger command and hand it to the debugger through
   OutputDebugString; once ".ocommand myjick" is active, windbg/cdb
   executes whatever follows the "myjick " prefix as a command. */
void dbg (PCHAR cmdstr , PVOID value) {
    char buff[0x300] = {0};
    sprintf_s(buff, sizeof(buff), cmdstr, value);
    OutputDebugStringA(buff);
    return ;
}
int main(void) {
    printf (
        "This is a windbg .ocommand Example\n"
        "This command can be leveraged to execute windbg commands \n"
        "For example command !heap -p -a is performed on allocated heap\n"
        "Output of !heap -p -a <address> can be viewed in windbg \n"
        "issue .ocommand myjick in windbg prior to running this exe\n"
        "or run this exe with windbg -c \".ocommand myjick\" ocommand.exe\n"
        );
    HANDLE hHeap = NULL;
    PCHAR mem[6] = {0};   /* keep the pointers so every block can be freed afterwards */
    if((hHeap = GetProcessHeap() ) != NULL)     {
        for (int i = 1 ; i< 6; i++)  {
            /* request 0x101, 0x202, ... 0x505 bytes; UserSize echoes exactly these values */
            if (( mem[i] = (PCHAR)HeapAlloc(hHeap,0,0x101*i) ) != NULL)   {
                /* %p prints the full pointer on both x86 and x64; windbg parses it as hex */
                dbg("myjick !heap -p -a %p ;g;\n\n",mem[i]);
            }
        }
        for (int i = 1 ; i< 6; i++)  {
            if (mem[i] != NULL) HeapFree(hHeap, 0, mem[i]);
        }
    }
    return 0;
}

Output of the above code:

cdb -c ".ocommand myjick ;g;q" ocommand.exe

0:000> cdb: Reading initial command '.ocommand myjick ;g;q'
Treat output prefixed with 'myjick ' as a command

This is a windbg .ocommand Example
This command can be leveraged to execute windbg commands
For example command !heap -p -a is performed on allocated heap
Output of !heap -p -a <address> can be viewed in windbg
issue .ocommand myjick in windbg prior to running this exe
or run this exe with windbg -c ".ocommand myjick" ocommand.exe 

    address 001537e8 found in
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        001537e0 0024 0000  [07]   001537e8    00101 - (busy)    
    address 00153908 found in
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00153900 0044 0000  [07]   00153908    00202 - (busy)    
    address 00153b28 found in
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00153b20 0064 0000  [07]   00153b28    00303 - (busy)    
    address 00153e48 found in
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00153e40 0084 0000  [07]   00153e48    00404 - (busy)    
    address 00154268 found in
    _HEAP @ 150000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00154260 00a4 0000  [07]   00154268    00505 - (busy)
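To make the point of both answers concrete (UserSize echoes the request; whatever else sits in the block is heap metadata, not object bytes), here is an added example that is not part of either answer: a small C parser for the two `!heap -p -a` layouts shown on this page, the page-heap (_DPH_HEAP_ROOT) form from the question and the normal _HEAP form from the second answer. It assumes an 8-byte unit for the HEAP_ENTRY Size column (x86 NT heap; the x64 heap uses 16), and its sample strings are constructed from the page's own output. For the block that asked for 0x101 bytes it reports the requested size 0x101 next to the 0x120-byte block that holds it; the 0x1f-byte difference is consistent with the 8-byte HEAP_ENTRY header, the debug-heap extra and fill-pattern bytes that the [07] flags indicate, and rounding to the 8-byte granularity. None of that belongs to the object, which is why nothing is subtracted from UserSize.

```c
#include <stdio.h>
#include <string.h>

/* Granularity of the HEAP_ENTRY "Size" column: 8 bytes on the x86 NT heap
 * (assumption for this sample; the x64 heap uses 16). */
#define HEAP_GRANULARITY 8UL

typedef struct {
    unsigned long user_ptr;   /* UserPtr / UserAddr: what the allocator returned */
    unsigned long user_size;  /* UserSize: the byte count the caller requested   */
    unsigned long block_size; /* bytes the heap reserved around that request     */
    int page_heap;            /* 1 when the output came from a _DPH_HEAP_ROOT    */
} heap_block;

/* Constructed samples, copied from the two output layouts shown on this page. */
static const char SAMPLE_NT_HEAP[] =
    "address 001537e8 found in\n"
    "_HEAP @ 150000\n"
    "  HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state\n"
    "    001537e0 0024 0000  [07]   001537e8    00101 - (busy)\n";

static const char SAMPLE_PAGE_HEAP[] =
    "address 047dcf08 found in\n"
    "  _DPH_HEAP_ROOT @ 12d1000\n"
    "  in busy allocation (DPH_HEAP_BLOCK:     UserAddr     UserSize -    VirtAddr   VirtSize)\n"
    "                             4501270:      47dcf08           f8 -     47dc000       2000\n";

/* Parse one "!heap -p -a" result. Returns 1 on success, 0 if neither
 * layout was recognised. The data line always follows the header line
 * that names the columns, so locate the header and scan the next line. */
int parse_heap_block(const char *text, heap_block *out)
{
    const char *hdr, *line;
    memset(out, 0, sizeof(*out));

    if ((hdr = strstr(text, "DPH_HEAP_BLOCK")) != NULL) {
        unsigned long blk, virt_addr, virt_size;
        if ((line = strchr(hdr, '\n')) == NULL)
            return 0;
        if (sscanf(line + 1, " %lx: %lx %lx - %lx %lx",
                   &blk, &out->user_ptr, &out->user_size,
                   &virt_addr, &virt_size) != 5)
            return 0;
        out->page_heap = 1;
        out->block_size = virt_size;   /* whole page-heap reservation, guard page included */
        return 1;
    }
    if ((hdr = strstr(text, "HEAP_ENTRY")) != NULL) {
        unsigned long entry, size_units, prev;
        unsigned flags;
        if ((line = strchr(hdr, '\n')) == NULL)
            return 0;
        if (sscanf(line + 1, " %lx %lx %lx [%x] %lx %lx",
                   &entry, &size_units, &prev, &flags,
                   &out->user_ptr, &out->user_size) != 6)
            return 0;
        out->block_size = size_units * HEAP_GRANULARITY;
        return 1;
    }
    return 0;
}

/* The requested size: for a plain C++ `new T` this is sizeof(T), for malloc
 * it is the argument. Returns 0 when the text cannot be parsed. */
unsigned long user_size_of(const char *text)
{
    heap_block b;
    return parse_heap_block(text, &b) ? b.user_size : 0;
}

/* Bytes of heap metadata, padding or guard space around the request;
 * these are the bytes that must NOT be counted as part of the object. */
unsigned long heap_overhead_of(const char *text)
{
    heap_block b;
    if (!parse_heap_block(text, &b) || b.block_size < b.user_size)
        return 0;
    return b.block_size - b.user_size;
}

int main(void)
{
    const char *samples[2] = { SAMPLE_NT_HEAP, SAMPLE_PAGE_HEAP };
    for (int i = 0; i < 2; i++) {
        heap_block b;
        if (!parse_heap_block(samples[i], &b)) {
            printf("sample %d: unrecognised output\n", i);
            continue;
        }
        printf("%s block at %08lx: UserSize=0x%lx (the object), reserved=0x%lx, overhead=0x%lx\n",
               b.page_heap ? "page-heap" : "nt-heap", b.user_ptr, b.user_size,
               b.block_size, b.block_size - b.user_size);
    }
    return 0;
}
```

Paste the text of any `!heap -p -a` result into a sample string and `user_size_of` gives the figure to compare against `sizeof` of the class you are reconstructing. The first answer's exception still applies: if the object came from an allocator layered on top of the NT heap, UserSize is what that allocator requested, which may include its own bookkeeping, and the object's size has to be read out of that allocator rather than out of `!heap`.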