Heap Overflow Exploitation Technology on Windows

Source: Internet
Author: User

Author:Mr_me

Translator:Riusksk(Quan Ge:Http://riusksk.blogbus.com)

 

Preface

In stack overflow, we usually control the instruction pointer.EIP, Or overwriteSEHIn this article, we will talk about and test the use technology, which has not been directly applied to coverage.EIPOrSEH. We will overwrite a controllable memory address to implement anyDWORDOverwrite. If your understanding of stack overflow is not yet in progress/High level, so I suggest you concentrate on learning. The techniques used in this article are old technologies that have been around for a long time. If you have any new techniques, please share them with us. Before reading this article, you must meet the following requirements:

●Windows XP SP1;

●Debugger (Olly Debugger,Immunity Debugger,WindbgAnd so on );

●C/C ++Compiler (Vcpp-4.9.9.2_setup.exe "target = _ blank>Dev C ++,Lcc-32, MS visual C ++ 6.0.);

●Script Language execution environment (this article usesPythonYou can also usePerl);

●Brain;

●Compilation andCLanguage knowledge, and how to debug them with a debugger;

●Olly DebuggerPlug-insHideDbg, OrImmunity DebuggerOf! HidedebugCommand plug-in;

●Time.

We focus on basic knowledge in this article. These technologies may be outdated and not used in the "real world", but you must remember that if you want to improve the technology, you must know the past and use its strengths for your own use!

 

Definition of heap and itsXPWorking Principle

A heap is a place where processes store data. Each process can dynamically allocate and release the heap memory required by the program and allow global access. It should be noted that the stack is directedZero x 00000000Growth, while heap is directed0 xFFFFFFFFGrowth. This means that if a process is called twice in a rowHeapAllocate ()Function, the memory address pointed to by the pointer returned by the second call of the function will be higher than that of the first call, so the first heap will overflow to the second heap memory.

For each process, both the default process heap and the dynamically allocated heap contain multiple data structures. One of the data structures is128ItemsLIST_ENTRYAn array of structures used to track idle blocks, that is, a well-known idle linked listFreeList. EveryLIST_ENTRYThe structure contains two pointers, which can be offsetHEAPStructureZero x 178The location of the byte. When a heap is created, both pointers point to the first idle block and are set to an empty table index.FreeList [0]Is used to organize idle heap blocks into two-way linked lists.

Let's assume there is a heap whose base address isZero x 00650000, The first available block is located inZero x 00650688Next, let's assume the following:4Addresses:

1.Address0 × 00650178 (Freelist [0]. Flink)Is a valueZero x 00650688(The first idle heap block) pointer;

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.