
Heap Memory Corruption Detection in Practice (with the complete debugging session)

First, what is heap memory? The heap is a common kind of memory manager: an application uses it to allocate and free memory dynamically. The heap is typically used when the amount of memory needed cannot be known in advance, or when the request is too large to be allocated automatically on the stack. Here is the same explanation in English:

A heap is a form of memory manager that an application can use when it needs to allocate and free memory dynamically. Common situations that call for the use of a heap are when the size of the memory needed is not known ahead of time and the size of the memory is too large to neatly fit on the stack (automatic memory).

It is also common for a process to use several heaps at the same time, for efficiency or for special requirements, as shown in the figure below.

Next, let's walk through a complete demo and debug a heap corruption problem. The demo code is as follows:

#include <windows.h>
#include <stdio.h>
#include <conio.h>

#define SZ_MAX_LEN 10

BOOL DupString(WCHAR* psz);   /* forward declaration: wmain calls DupString before it is defined */

void __cdecl wmain(int argc, WCHAR* args[])
{
    if (argc == 2)
    {
        wprintf(L"Press any key to start\n");
        _getch();                /* pause so a debugger can be attached first */
        DupString(args[1]);
    }
    else
    {
        wprintf(L"Please enter a string");
    }
}

BOOL DupString(WCHAR* psz)
{
    BOOL bRet = FALSE;
    WCHAR* pszCopy;
    if (psz != NULL)
    {
        /* room for SZ_MAX_LEN WCHARs (20 bytes), regardless of how long the input is */
        pszCopy = (WCHAR*) HeapAlloc(GetProcessHeap(), 0, SZ_MAX_LEN * sizeof(WCHAR));
        if (pszCopy)
        {
            /* the bug: wcscpy copies the whole argument and overruns the block when it is longer */
            wcscpy(pszCopy, psz);
            wprintf(L"Copy of string: %s", pszCopy);
            HeapFree(GetProcessHeap(), 0, pszCopy);   /* page heap detects the overrun here */
            bRet = TRUE;
        }
    }
    return bRet;
}

Enable normal page heap for the program in Application Verifier (configured through gflags), then run the build with the argument SolidmangoSolidmangoSolidmango. The output is as follows:

CommandLine: C:\WinXP.x86.chk\06overrun.exe SolidmangoSolidmangoSolidmango
Executable search path is: 
ModLoad: 01000000 01005000 06overrun.exe
ModLoad: 7c900000 7c9b2000 ntdll.dll
AVRF: 06overrun.exe: pid 0x120C: flags 0x8044B026: application verifier enabled
ModLoad: 5ad10000 5ad59000 C:\WINDOWS\System32\verifier.dll
ModLoad: 10000000 10029000 C:\WINDOWS\System32\vrfcore.dll
ModLoad: 003a0000 003dc000 C:\WINDOWS\System32\vfbasics.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
AVRF: verifier.dll provider initialized for 06overrun.exe with flags 0x8044B026 
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
(120c.1700): Break instruction exception - code 80000003 (first chance)
eax=00391ec4 ebx=7ffd8000 ecx=00000004 edx=00000010 esi=00391f98 edi=00391ec4
eip=7c90120e esp=0006fb20 ebp=0006fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> g
0:000> g

We see an access violation. Continuing, we get the following output, which shows that Application Verifier caught the problem:

=======================================
VERIFIER STOP 00000008: pid 0x120C: Corrupted heap block. 

	00081000 : Heap handle used in the call. 
	001E2B60 : Heap block involved in the operation. 
	00000014 : Size of the heap block. 
	00000000 : Reserved
=======================================
This verifier stop is not continuable. Process will be terminated 
when you use the `go' debugger command.
=======================================
(120c.1700): Break instruction exception - code 80000003 (first chance)
eax=1000e848 ebx=1000cd44 ecx=00000001 edx=0006f939 esi=00000000 edi=1000e848
eip=7c90120e esp=0006f9cc ebp=0006fbd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3

Continuing the debugging session: at this point we have already found the offending heap block. Note this line in the output above: "001E2B60 : Heap block involved in the operation". Let's look at what is in that heap block. Page heap keeps a _DPH_BLOCK_INFORMATION header 0x20 bytes before the user block, so we dump the structure at 001E2B60-0x20:

0:000> dt _DPH_BLOCK_INFORMATION 001E2B60-0x20
ntdll!_DPH_BLOCK_INFORMATION
   +0x000 StartStamp : 0xabcdaaaa
   +0x004 Heap : 0x80081000 Void
   +0x008 RequestedSize : 0x14
   +0x00c ActualSize : 0x3c
   +0x010 FreeQueue : _LIST_ENTRY [ 0x1e - 0x0 ]
   +0x010 TraceIndex : 0x1e
   +0x018 StackTrace : 0x00286c3c Void
   +0x01c EndStamp : 0xdcbaaaaa

The StackTrace field points at the stack trace page heap recorded for this block; dump it with dds:

0:000> dds 0x00286c3c   // callstack
00286c3c abcdaaaa
00286c40 00000001
00286c44 00000007
00286c48 00000001
00286c4c 00000014
00286c50 00081000
00286c54 00000000
00286c58 00286c5c
00286c5c 7c94b244 ntdll!RtlAllocateHeapSlowly+0x44
00286c60 7c919c0c ntdll!RtlAllocateHeap+0xe64
00286c64 003afd2c vfbasics!AVrfpRtlAllocateHeap+0xb1
00286c68 010012f4 06overrun!DupString+0x24 [c:\awd\chapter6\overrun\overrun.cpp @ 41]
00286c6c 010012ab 06overrun!wmain+0x2b [c:\awd\chapter6\overrun\overrun.cpp @ 28]
00286c70 010014b8 06overrun!__wmainCRTStartup+0x102 [d:\vistartm\base\crts\crtw32\dllstuff\crtexe.c @ 711]
00286c74 7c817077 kernel32!BaseProcessStart+0x23
00286c78 00000000

We have found the call stack of the offending code: the block was allocated in DupString at overrun.cpp line 41, and its RequestedSize of 0x14 is exactly SZ_MAX_LEN * sizeof(WCHAR) = 20 bytes, which the 30-character argument overruns. The current call stack (kb) shows that the verifier stop was raised while the block was being freed:

0:000> kb
ChildEBP RetAddr  Args to Child 
0006f9c8 10003b68 10062cb0 00000008 001e2b60 ntdll!DbgBreakPoint
0006fbd0 100078c9 1000c540 00000008 00081000 vrfcore!VerifierStopMessageEx+0x4d1
0006fbf4 7c96c06e 00000008 7c96c314 00081000 vrfcore!VfCoreRedirectedStopMessage+0x81
0006fc70 7c96d147 00081000 00000004 001e2b60 ntdll!RtlpDphReportCorruptedBlock+0x17c
0006fc94 7c96d34a 00081000 01000002 00000010 ntdll!RtlpDphNormalHeapFree+0x2e
0006fce4 7c9703eb 00080000 01000002 001e2b60 ntdll!RtlpDe
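As an added example (not the article's demo and not Microsoft's code), the portable C sketch below reproduces the kind of check that produced the VERIFIER STOP above and puts the demo's unchecked wcscpy beside a length-checked version that refuses input which does not fit in SZ_MAX_LEN WCHARs. The guard header, the fill byte, SUFFIX_LEN and the names guarded_alloc, guarded_free, dup_string and copy_result are simplified stand-ins for ntdll's normal-page-heap internals, and malloc/free stand in for HeapAlloc/HeapFree.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#define SZ_MAX_LEN  10           /* same limit as the demo program */
#define START_STAMP 0xabcdaaaau  /* StartStamp value seen in the dt output */
#define SUFFIX_LEN  256          /* constructed: absorbs the demo's overrun */
#define SUFFIX_FILL 0xd0         /* constructed stand-in for the page-heap fill byte */

typedef struct {                 /* simplified stand-in for _DPH_BLOCK_INFORMATION */
    uint32_t start_stamp;
    uint32_t requested_size;     /* cf. RequestedSize 0x14 = 10 WCHARs on Windows */
} guard_hdr;
typedef enum { COPY_OK, COPY_REJECTED, COPY_CORRUPTED, COPY_NOMEM } copy_result;

/* Allocate header + user block + filled suffix; return the user block. */
static void *guarded_alloc(size_t n) {
    guard_hdr *h = malloc(sizeof *h + n + SUFFIX_LEN);
    if (h == NULL) return NULL;
    h->start_stamp = START_STAMP;
    h->requested_size = (uint32_t)n;
    memset((unsigned char *)(h + 1) + n, SUFFIX_FILL, SUFFIX_LEN);
    return h + 1;
}

/* Free with the check normal page heap performs: every suffix byte past the
 * requested size must still hold the fill pattern, else the block was overrun. */
static bool guarded_free(void *p) {
    guard_hdr *h = (guard_hdr *)p - 1;
    const unsigned char *s = (const unsigned char *)p + h->requested_size;
    bool intact = (h->start_stamp == START_STAMP);
    for (size_t i = 0; intact && i < SUFFIX_LEN; i++)
        intact = (s[i] == SUFFIX_FILL);
    free(h);
    return intact;
}

/* DupString revisited: `bounded` selects the demo's unchecked wcscpy or a
 * length check that refuses input which cannot fit in SZ_MAX_LEN WCHARs. */
static copy_result dup_string(const wchar_t *psz, bool bounded) {
    wchar_t *copy = guarded_alloc(SZ_MAX_LEN * sizeof(wchar_t));
    if (copy == NULL) return COPY_NOMEM;
    if (bounded && wcslen(psz) + 1 > SZ_MAX_LEN) {  /* +1 for the NUL */
        guarded_free(copy);
        return COPY_REJECTED;
    }
    wcscpy(copy, psz);                               /* the overrun when unbounded */
    return guarded_free(copy) ? COPY_OK : COPY_CORRUPTED;
}
```

With the unbounded copy, even the single argument "Solidmango" is reported as corrupted, because its terminating NUL is the eleventh WCHAR; the bounded copy rejects it up front.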