
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


Page Heap Implementation

It is a well-known fact that page heap is implemented by placing each allocation at the end of a page, with the next page made non-accessible, to catch buffer overruns that lead to heap corruption (Volume 1, page 257). The best way to see this is to use the !address command, which dumps all such allocations:

0:004> !gflag
Current NtGlobalFlag contents: 0x02000000
hpa - Place heap allocations at ends of pages
0:004> !address
[...]
20b10000 20b11000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b11000 20b12000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b12000 20b13000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: ...
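The commit/reserve pairing visible in the listing above can be checked mechanically over a saved !address log. The following is an added example, not code from the book: the function names and the sample rows after the first two are constructed, and the parser assumes the column layout shown above.

```python
import re

# Constructed sample in the column layout of the !address listing above.
# Rows 1-2 are the two complete rows shown on the page; rows 3-5 are made up.
SAMPLE = """\
20b10000 20b11000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b11000 20b12000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
30000000 30002000 2000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 2f000000; NormalHeap: 2f100000]
30002000 30003000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 2f000000; NormalHeap: 2f100000]
30003000 30004000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 2f000000; NormalHeap: 2f100000]
"""

# base, end, size, type, state, optional protection, usage, owning page heap
ROW = re.compile(
    r"^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+[0-9a-f]+\s+MEM_\w+\s+(MEM_\w+)\s+"
    r"(?:PAGE_\w+\s+)?PageHeap\s+\[PageHeap:\s*([0-9a-f]+)", re.I)

def parse(text):
    """Return (base, end, state, heap) for every PageHeap row, sorted by base."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.replace("`", ""))  # 64-bit output splits addresses with `
        if m:
            base, end, state, heap = m.groups()
            rows.append((int(base, 16), int(end, 16), state.upper(), int(heap, 16)))
    return sorted(rows)

def guard_pairs(rows):
    """Split committed regions into those directly followed by a reserved
    (non-accessible) region of the same page heap, and those that are not."""
    guarded, unguarded = [], []
    for i, (base, end, state, heap) in enumerate(rows):
        if state != "MEM_COMMIT":
            continue
        nxt = rows[i + 1] if i + 1 < len(rows) else None
        ok = (nxt is not None and nxt[0] == end
              and nxt[2] == "MEM_RESERVE" and nxt[3] == heap)
        (guarded if ok else unguarded).append((base, end, heap))
    return guarded, unguarded

if __name__ == "__main__":
    guarded, unguarded = guard_pairs(parse(SAMPLE))
    for base, end, heap in guarded:
        print(f"{base:08x}-{end:08x} heap {heap:08x}: guard page at {end:08x}")
    for base, end, heap in unguarded:
        print(f"{base:08x}-{end:08x} heap {heap:08x}: no reserved page follows")
```

A committed region that is the last row of a truncated listing is reported as unguarded only because its successor row is missing from the input, so run the check over the full !address output.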
