HeapAlloc分配的区块不在任何堆段中

Question

以下反汇编是msvcrt!_heap_alloc函数的一部分，该函数由msvcrt!malloc调用：

msvcrt!_heap_alloc+0xd1:
77c2c3ba 56              push    esi
77c2c3bb 6a00            push    0
77c2c3bd ff351824c677    push    dword ptr [msvcrt!_crtheap (77c62418)]
77c2c3c3 ff15f410c177    call    dword ptr [msvcrt!_imp__HeapAlloc (77c110f4)]

上面的反汇编显示msvcrt!_heap_alloc调用HeapAlloc( hHeap，dwFlags，dwBytes)，并将hHeap设置为C运行时堆(0x1ea0000)，将dwFags设置为0，将dwBytes设置为0x964。从以下调试器输出中也可以明显看出这一点：

eax=00000001 ebx=00000000 ecx=5384f625 edx=00000964 esi=00000964 edi=0336cd5c
eip=77c2c3c3 esp=0336ccc8 ebp=0336cd00 iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000246
msvcrt!_heap_alloc+0xda:
77c2c3c3 ff15f410c177    call    dword ptr [msvcrt!_imp__HeapAlloc (77c110f4)] ds:0023:77c110f4={ntdll!RtlAllocateHeap (7c9100c4)}
0:008> r esi
esi=00000964
0:008> dd msvcrt!_crtheap
77c62418  01ea0000 00000001 00000020 00000000

紧接着调用HeapAlloc之后，eax具有值3b8c8698，该值必须是分配的块的地址：

0:008> r eax
eax=3b8c8698

但是，chunk不在任何堆段范围内：

0:008> !heap -a 
Index   Address  Name      Debugging options enabled
1:   00250000 
 Segment at 00250000 to 00350000 (00003000 bytes committed)
2:   00360000 
 Segment at 00360000 to 00370000 (00006000 bytes committed)
3:   00370000 
 Segment at 00370000 to 00380000 (00003000 bytes committed)
4:   01820000 
 Segment at 01820000 to 01830000 (00002000 bytes committed)
5:   01930000 
 Segment at 01930000 to 01940000 (00003000 bytes committed)
6:   01a50000 
 Segment at 01a50000 to 01a90000 (00003000 bytes committed)
7:   016d0000 
 Segment at 016d0000 to 016e0000 (00003000 bytes committed)
8:   01710000 
 Segment at 01710000 to 01720000 (00003000 bytes committed)
9:   020b0000 
 Segment at 020b0000 to 020c0000 (00003000 bytes committed)
10:   02450000 
 Segment at 02450000 to 02550000 (00003000 bytes committed)
11:   03d70000 
 Segment at 03d70000 to 03db0000 (00003000 bytes committed)
12:   047b0000 
 Segment at 047b0000 to 047f0000 (00003000 bytes committed)
13:   048f0000 
 Segment at 048f0000 to 04900000 (00003000 bytes committed)
14:   04a40000 
 Segment at 04a40000 to 04a50000 (00003000 bytes committed)
15:   053a0000 
 Segment at 053a0000 to 053b0000 (00003000 bytes committed)
16:   154b0000 
 Segment at 154b0000 to 155b0000 (00100000 bytes committed)
17:   38170000 
 Segment at 38170000 to 38180000 (00008000 bytes committed)

块被分配到哪个堆中？感谢您的回复。

Answer 1

你所引用的似乎不可行

但是，如果您确定您在正确的位置，并且eax确实指向某个分配的地址

您可以使用! address 命令让windbg说出地址区域是什么

向后反汇编以显示调用者是谁。

0:000> ub . l5
malloc!_malloc_base+0x27 [minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp @ 39]:
01230c49 7415            je      malloc!_malloc_base+0x3e (01230c60)
01230c4b 56              push    esi
01230c4c 6a00            push    0
01230c4e ff3504ab2501    push    dword ptr [malloc!__acrt_heap (0125ab04)]
01230c54 ff15b0002501    call    dword ptr [malloc!_imp__HeapAlloc (012500b0)]

向前反汇编以显示调用返回(1230c5a)的地址

0:000> u . l1
malloc!_malloc_base+0x38 [minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp @ 34]:
01230c5a 85c0            test    eax,eax

确认我们位于返回地址，以便eax实际指向分配的内存

请注意弹性公网eip上的(1230c5a)

0:000> r
eax=002cb958 ebx=7ffdd000 ecx=77545dd3 edx=002cb953 esi=00000984 edi=0012fa54
**eip=01230c5a** esp=0012fa08 ebp=0012fa0c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
malloc!_malloc_base+0x38:
01230c5a 85c0            test    eax,eax

让我们来看看这个内存区域是什么，它属于什么位置

0:000> !address @eax

Usage:                  Heap
Base Address:           002c0000
End Address:            002cf000
Region Size:            0000f000 (  60.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000004          PAGE_READWRITE
Type:                   00020000          MEM_PRIVATE
Allocation Base:        002c0000
Allocation Protect:     00000004          PAGE_READWRITE
More info:              heap owning the address: !heap 0x2c0000
More info:              heap segment
More info:              heap entry containing the address: !heap -x 0x2cb958


Content source: 1 (target), length: 36a8