
3.8 Sample Heap-on-Node (HN)


The following is the binary dump of an HN (section 2.3.1). The first 12 bytes (EC 00 EC BC 20 00 00 00-00 00 00 00) form the HNHDR structure (section 2.3.1.2), which contains information about the HN. The last 22 bytes (shown immediately below) form the HNPAGEMAP structure (section 2.3.1.5), which contains information about each allocated heap block.

00000000000048E0                                      08 00 00 00  *....*
00000000000048F0  0C 00 14 00 6C 00 7C 00-8C 00 A4 00 BC 00 D4 00  *....l.|.........*
0000000000004900  EC 00                                            *..*

In this particular example, the signature indicates an HN (bSig=0xEC) whose client data is a PC (bClientSig=0xBC (bTypePC)). The metadata of the next-level client is stored in HID 0x20 (hidUserRoot=0x00000020). The HNPAGEMAP structure is located at offset 0xEC from the beginning of the HN (ibHnpm=0x00EC).

The HNPAGEMAP indicates that the HN has 8 allocations (cAlloc=8), and that the starting offsets of the allocations (relative to the beginning of the HN) are 0x0C, 0x14, 0x6C, 0x7C, 0x8C, 0xA4, 0xBC, and 0xD4, respectively. Finally, the next allocation would start at offset 0xEC, which is where the HNPAGEMAP itself begins.

0000000000004800  EC 00 EC BC 20 00 00 00-00 00 00 00 B5 02 06 00  *.... ...........*
0000000000004810  40 00 00 00 34 0E 02 01-A0 00 00 00 38 0E 03 00  *@...4.......8...*
0000000000004820  00 00 00 00 F9 0F 02 01-60 00 00 00 01 30 1F 00  *........`....0..*
0000000000004830  80 00 00 00 DF 35 03 00-89 00 00 00 E0 35 02 01  *.....5.......5..*
0000000000004840  C0 00 00 00 E3 35 02 01-00 01 00 00 E7 35 02 01  *.....5.......5..*
0000000000004850  E0 00 00 00 33 66 0B 00-01 00 00 00 FA 66 03 00  *....3f.......f..*
0000000000004860  0D 00 0E 00 FF 67 03 00-00 00 00 00 22 9D B5 0A  *.....g......"...*
0000000000004870  DC D9 94 43 85 DE 90 AE-B0 7D 12 70 55 00 4E 00  *...C.....}.pU.N.*
0000000000004880  49 00 43 00 4F 00 44 00-45 00 31 00 01 00 00 00  *I.C.O.D.E.1.....*
0000000000004890  F5 5E F6 66 95 69 CC 4C-83 D1 D8 73 98 99 02 85  *.^.f.i.L...s....*
00000000000048A0  01 00 00 00 00 00 00 00-22 9D B5 0A DC D9 94 43  *........"......C*
00000000000048B0  85 DE 90 AE B0 7D 12 70-22 80 00 00 00 00 00 00  *.....}.p".......*
00000000000048C0  22 9D B5 0A DC D9 94 43-85 DE 90 AE B0 7D 12 70  *"......C.....}.p*
00000000000048D0  42 80 00 00 00 00 00 00-22 9D B5 0A DC D9 94 43  *B......."......C*
00000000000048E0  85 DE 90 AE B0 7D 12 70-62 80 00 00 08 00 00 00  *.....}.pb.......*
00000000000048F0  0C 00 14 00 6C 00 7C 00-8C 00 A4 00 BC 00 D4 00  *....l.|.........*
0000000000004900  EC 00                                            *..*
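As an added example (not part of the specification text), the following Python parser walks the HN block dumped above exactly as the prose describes: it decodes the HNHDR, follows ibHnpm to the HNPAGEMAP, validates the allocation table, and resolves hidUserRoot to the bytes of the allocation it names. The bytes are transcribed from the dump on this page; the HID bit layout (5-bit hidType, 11-bit 1-based hidIndex, 16-bit hidBlockIndex) is the one defined in section 2.3.1.1 of the specification. The bounds checks are the point of the example: a PST file is untrusted input, and every offset and count read from the HN must be checked against the block length before it is used.

```python
import struct

HNHDR_SIZE = 12
HN_SIG = 0xEC         # bSig that identifies a Heap-on-Node
CLIENT_SIG_PC = 0xBC  # bClientSig for a Property Context (bTypePC)

# The HN block shown in the dump above (file offsets 0x4800-0x4901, 258 bytes).
# The ASCII column of the dump is not part of the data.
HN_BLOCK = bytes.fromhex(
    "EC 00 EC BC 20 00 00 00 00 00 00 00 B5 02 06 00"
    "40 00 00 00 34 0E 02 01 A0 00 00 00 38 0E 03 00"
    "00 00 00 00 F9 0F 02 01 60 00 00 00 01 30 1F 00"
    "80 00 00 00 DF 35 03 00 89 00 00 00 E0 35 02 01"
    "C0 00 00 00 E3 35 02 01 00 01 00 00 E7 35 02 01"
    "E0 00 00 00 33 66 0B 00 01 00 00 00 FA 66 03 00"
    "0D 00 0E 00 FF 67 03 00 00 00 00 00 22 9D B5 0A"
    "DC D9 94 43 85 DE 90 AE B0 7D 12 70 55 00 4E 00"
    "49 00 43 00 4F 00 44 00 45 00 31 00 01 00 00 00"
    "F5 5E F6 66 95 69 CC 4C 83 D1 D8 73 98 99 02 85"
    "01 00 00 00 00 00 00 00 22 9D B5 0A DC D9 94 43"
    "85 DE 90 AE B0 7D 12 70 22 80 00 00 00 00 00 00"
    "22 9D B5 0A DC D9 94 43 85 DE 90 AE B0 7D 12 70"
    "42 80 00 00 00 00 00 00 22 9D B5 0A DC D9 94 43"
    "85 DE 90 AE B0 7D 12 70 62 80 00 00 08 00 00 00"
    "0C 00 14 00 6C 00 7C 00 8C 00 A4 00 BC 00 D4 00"
    "EC 00"
)


def parse_hnhdr(block):
    """Parse the 12-byte HNHDR at the start of the HN block (section 2.3.1.2)."""
    if len(block) < HNHDR_SIZE:
        raise ValueError("block shorter than an HNHDR")
    ib_hnpm, b_sig, b_client_sig, hid_user_root, rgb_fill = struct.unpack_from(
        "<HBBI4s", block, 0)
    if b_sig != HN_SIG:
        raise ValueError("bSig 0x%02X does not identify an HN" % b_sig)
    return {"ibHnpm": ib_hnpm, "bSig": b_sig, "bClientSig": b_client_sig,
            "hidUserRoot": hid_user_root, "rgbFillLevel": rgb_fill}


def parse_hnpagemap(block, ib_hnpm):
    """Parse the HNPAGEMAP at ib_hnpm (section 2.3.1.5), refusing any read past the block."""
    if ib_hnpm < HNHDR_SIZE or ib_hnpm + 4 > len(block):
        raise ValueError("ibHnpm 0x%X lies outside the block" % ib_hnpm)
    c_alloc, c_free = struct.unpack_from("<HH", block, ib_hnpm)
    n = c_alloc + 1  # rgibAlloc has cAlloc+1 entries; the last one ends the final allocation
    if ib_hnpm + 4 + 2 * n > len(block):
        raise ValueError("rgibAlloc for cAlloc=%d does not fit in the block" % c_alloc)
    rgib = list(struct.unpack_from("<%dH" % n, block, ib_hnpm + 4))
    # Allocations must start after the header, be non-decreasing, and end no later
    # than the page map itself; anything else is a corrupt or hostile table.
    if (rgib[0] < HNHDR_SIZE or rgib[-1] > ib_hnpm
            or any(b < a for a, b in zip(rgib, rgib[1:]))):
        raise ValueError("rgibAlloc is not a valid ordered allocation table")
    return {"cAlloc": c_alloc, "cFree": c_free, "rgibAlloc": rgib}


def decode_hid(hid):
    """Split a 32-bit HID into (hidType, hidIndex, hidBlockIndex) per section 2.3.1.1."""
    return hid & 0x1F, (hid >> 5) & 0x7FF, hid >> 16


def allocation(block, rgib, hid_index):
    """Return the bytes of the 1-based allocation hid_index using the page map."""
    if hid_index < 1 or hid_index >= len(rgib):
        raise ValueError("hidIndex %d has no allocation in this HN" % hid_index)
    return block[rgib[hid_index - 1]:rgib[hid_index]]


def parse_hn(block):
    """Parse header and page map of a single-block HN and resolve hidUserRoot."""
    hdr = parse_hnhdr(block)
    pm = parse_hnpagemap(block, hdr["ibHnpm"])
    hid_type, hid_index, hid_block = decode_hid(hdr["hidUserRoot"])
    if hid_type != 0 or hid_block != 0:
        raise ValueError("hidUserRoot must be an HID into the first (only) HN block")
    hdr.update(pm)
    hdr["userRoot"] = allocation(block, pm["rgibAlloc"], hid_index)
    return hdr


if __name__ == "__main__":
    hn = parse_hn(HN_BLOCK)
    print("bSig=0x%02X bClientSig=0x%02X ibHnpm=0x%04X hidUserRoot=0x%08X"
          % (hn["bSig"], hn["bClientSig"], hn["ibHnpm"], hn["hidUserRoot"]))
    print("cAlloc=%d rgibAlloc=%s" % (hn["cAlloc"], [hex(o) for o in hn["rgibAlloc"]]))
    print("user root allocation:", hn["userRoot"].hex(" "))
```

Running the script on the block above reports cAlloc=8 with the nine offsets 0x0C through 0xEC, and resolves hidUserRoot=0x20 (hidIndex 1) to the 8-byte allocation at 0x0C..0x14. Truncating the block, or pointing ibHnpm past its end, is rejected before any out-of-range read is attempted.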
© 2015 Microsoft