Jump to content
Nytro

Understanding the Low Fragmentation Heap

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Understanding the Low Fragmentation Heap

Blackhat USA 2010

Chris Valasek

X-Force Researcher

cvalasek = gmail.com

@nudehaberdasher

Table of Contents
Introduction ................................................................................................................................................ 4
Overview ................................................................................................................................................. 4
Prior Works ............................................................................................................................................. 5
Prerequisites ........................................................................................................................................... 6
Terminology ............................................................................................................................................ 6
Notes ...................................................................................................................................................... 7
Data Structures ........................................................................................................................................... 7
_HEAP ..................................................................................................................................................... 7
_HEAP_LIST_LOOKUP.............................................................................................................................. 9
_LFH_HEAP ........................................................................................................................................... 10
_LFH_BLOCK_ZONE ............................................................................................................................... 11
_HEAP_LOCAL_DATA ............................................................................................................................ 11
_HEAP_LOCAL_SEGMENT_INFO ........................................................................................................... 12
_HEAP_SUBSEGMENT ........................................................................................................................... 12
_HEAP_USERDATA_HEADER ................................................................................................................. 13
_INTERLOCK_SEQ .................................................................................................................................. 14
_HEAP_ENTRY ....................................................................................................................................... 15
Overview ............................................................................................................................................... 16
Architecture .............................................................................................................................................. 17
FreeLists ................................................................................................................................................ 17
Algorithms ................................................................................................................................................ 20
Allocation .............................................................................................................................................. 20
Back-end Allocation .............................................................................................................................. 21
RtlpAllocateHeap .............................................................................................................................. 21
Overview ........................................................................................................................................... 27
Front-end Allocation ............................................................................................................................. 28
RtlpLowFragHeapAllocFromContext ................................................................................................. 28
Overview ........................................................................................................................................... 36
Example ............................................................................................................................................ 37
Freeing .................................................................................................................................................. 40
Back-end Freeing .............................................................................................................................. 41
RtlpFreeHeap .................................................................................................................................... 41
Overview ........................................................................................................................................... 47
Front-end Freeing ................................................................................................................................. 48
RtlpLowFragHeapFree ....................................................................................................................... 48
Overview ........................................................................................................................................... 51
Example ............................................................................................................................................ 52
Security Mechanisms ................................................................................................................................ 55
Heap Randomization ............................................................................................................................. 55
Comments ......................................................................................................................................... 56
Header Encoding/Decoding .................................................................................................................. 56
Comments ......................................................................................................................................... 57
Death of bitmap flipping ....................................................................................................................... 58
Safe Linking ........................................................................................................................................... 59
Comments ......................................................................................................................................... 59
Tactics ....................................................................................................................................................... 60
Heap Determinism ................................................................................................................................ 60
Activating the LFH ............................................................................................................................. 60
Defragmentation ............................................................................................................................... 61
Adjacent Data ................................................................................................................................... 62
Seeding Data ..................................................................................................................................... 63
Exploitation ........................................................................................................................................... 67
Ben Hawkes #1 .................................................................................................................................. 67
FreeEntryOffset Overwrite ................................................................................................................ 71
Observations ......................................................................................................................................... 79
SubSegment Overwrite ..................................................................................................................... 79
Example ............................................................................................................................................ 83
Issues ................................................................................................................................................ 83
Conclusion ................................................................................................................................................ 85
Bibliography .............................................................................................................................................. 86

Download:

http://www.illmatics.com/Understanding_the_LFH.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...