Heap management: analysis of malloc and free

Analyzed on Windows 7 x64.

1. The malloc test code

#include <stdlib.h>
#include <string.h>

int main()
{
    void *p = malloc(0xa8);   /* request 0xa8 bytes; the CRT forwards this to HeapAlloc */
    if (p == NULL)
        return 1;

    memset(p, 'a', 0xa8);     /* fill the whole user region so the block boundary is visible in memory */

    free(p);
    return 0;
}

2. malloc (WinDbg analysis)

  • Call chain (k output, innermost frame first)

ntdll!RtlAllocateHeap//a further chain of calls follows inside ntdll; too involved to trace here.
rpci!_malloc_base+0x44 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp @ 29]//call    qword ptr [rpci!_imp_HeapAlloc]: the CRT's malloc is a thin wrapper over HeapAlloc
rpci!main+0x21//the malloc(0xa8) call in main
rpci!invoke_main+0x22 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 64]
rpci!__scrt_common_main_seh+0x124 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 255]
kernel32!BaseThreadInitThunk+0xd
ntdll!RtlUserThreadStart+0x1d

  • dc 004eb0a0 //the 0x10 bytes in front of the pointer HeapAlloc returned (rax = 004eb0b0)

00000000`004eb0a0 feeefeee feeefeee 0b71f188 3800e716 ..........q....8//the _HEAP_ENTRY is 0x10 bytes: 8 bytes of PreviousBlockPrivateData (feeefeee, the debug heap's freed-memory fill) followed by the 8 encoded header bytes
00000000`004eb0b0 baadf00d baadf00d baadf00d baadf00d ................//user data starts here; the debug heap fills a fresh allocation with baadf00d
00000000`004eb0c0 baadf00d baadf00d baadf00d baadf00d ................//there is also tail data belonging to the block after rax+0xa8, past the end of this dump

Note: this run was started from inside WinDbg, so the debugger's heap flags are on: !gflag reports 0x70 (heap tail checking 0x10, free checking 0x20, parameter validation 0x40), which is where the baadf00d / feeefeee fill patterns come from.

If the program is started normally and WinDbg is attached afterwards, !gflag reports 0 and the plain heap is used:

0:000> dd rax-10//the _HEAP_ENTRY at 3f4260, then the user data at rax = 3f4270. The fresh allocation is not initialized: the first 16 bytes are the stale Flink/Blink (003f8000, 003b0158) from when the block was on the free list, the rest is whatever the previous owner left behind (here UTF-16 text fragments such as 00450042 = "BE").
00000000`003f4260 00450042 002e003b 5f71a286 08003e99
00000000`003f4270 003f8000 00000000 003b0158 00000000
00000000`003f4280 002e003b 00530057 003b0048 004d002e
00000000`003f4290 00430053 00500000 004f0052 00450043

0:000> !heap -p -a rax//works without page heap enabled as well
address 00000000003f4270 found in
_HEAP @ 3b0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
00000000003f4260 000b 0000 [00] 00000000003f4270 000a8 - (busy)//HEAP_ENTRY at 3f4260, UserPtr at 3f4270: the header is 0x10 bytes. Size 0x0b is in 0x10-byte granules (0xb0 bytes including the header) for a UserSize of 0xa8.

3. The memset fill (a different run with the plain heap, !gflag = 0: the block is now at 404270 in the heap at 3c0000)

0:000> dc 0000000000404270+a8-10//the last 0x10 bytes of the user region
00000000`00404308 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa//the 'a' fill runs right up to the end of the user region at 404318; memset adds no terminating 0
00000000`00404318 b41d0acd 0000b0b4 00408000 00000000 //encoded header of the next _HEAP_ENTRY (its first 8 bytes, 404310..404317, hold our last 8 'a's), then that free block's Flink 0x408000 and, on the next line, Blink 0x3c0158
00000000`00404328 003c0158 00000000 00650074 00700070 
00000000`00404338 006e0069 00200067 002c0037 00470020
0:000> !heap -p -a 00404308
address 0000000000404308 found in
_HEAP @ 3c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0000000000404260 000b 0000 [00] 0000000000404270 000a8 - (busy)

0:000> !heap -p -a 00404318 //looks odd at first: our 'a' bytes reach 404318, yet the next HEAP_ENTRY already starts at 404310. The overlap is by design: on x64 the first 8 bytes of every _HEAP_ENTRY (PreviousBlockPrivateData) may hold the preceding block's user data, which is how a 0xa8-byte request fits into an 0x0b-granule (0xb0-byte) block. The next block's own data starts at its UserPtr, 404320.
address 0000000000404318 found in
_HEAP @ 3c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0000000000404310 008b 0000 [00] 0000000000404320 008a0 - (free)

4. free

0:000> dc 0000000000404270//the freed block's former user data
00000000`00404270 00408000 00000000 003c0158 00000000 ..@.....X.<.....//the first 16 bytes now hold the free-list _LIST_ENTRY: Flink 0x408000, Blink 0x3c0158 (inside the _HEAP at 3c0000)
00000000`00404280 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa//the rest of the data is not zeroed on free (and with free checking off there is no feeefeee fill either)
00000000`00404290 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0:000> !heap -p -a 0000000000404270
address 0000000000404270 found in
_HEAP @ 3c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0000000000404260 0096 0000 [00] 0000000000404270 00950 - (free)//marked free and coalesced with the free block that followed it: Size 0x96 = 0x0b + 0x8b. The memory is back on this heap's free list, not returned to the operating system.
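To make the arithmetic in the dumps above concrete (why malloc(0xa8) yields Size 0x0b, why the 'a' fill ends 8 bytes inside the next _HEAP_ENTRY, and what the encoded header bytes at 404318 protect), here is a small C model of the x64 _HEAP_ENTRY. It is an added example, not code from the original post, and runs on any platform without touching a real heap. SAMPLE_ENCODING is a constructed stand-in for the per-heap _HEAP.Encoding key, which the dumps do not show; the checksum rule (the first three decoded header bytes XORed must equal SmallTagIndex) is the Windows 7 one, and the functions and names are the model's own.

```c
/*
 * Model of the Windows 7 x64 NT heap block layout seen in the WinDbg session
 * above.  Added example, not code from the original post; it does not touch a
 * real heap.  SAMPLE_ENCODING stands in for the per-heap _HEAP.Encoding key,
 * which is not visible in the dumps.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE 0x10u   /* _HEAP_ENTRY size and the unit of the Size field on x64 */

/* Decoded view of the 8 encoded bytes of an x64 _HEAP_ENTRY.  The 8 bytes in
 * front of them (PreviousBlockPrivateData) belong to the preceding block and
 * are not encoded. */
typedef struct {
    uint16_t size;            /* block size in granules, header included */
    uint8_t  flags;           /* 0x01 = HEAP_ENTRY_BUSY */
    uint8_t  small_tag_index; /* Win7 header checksum: size lo ^ size hi ^ flags */
    uint16_t previous_size;   /* size of the preceding block in granules */
    uint8_t  segment_offset;
    uint8_t  unused_bytes;    /* block bytes minus requested bytes */
} heap_entry;

/* Constructed key; a real one is read from _HEAP.Encoding of the target heap. */
static const uint64_t SAMPLE_ENCODING = 0x1a2b3c4d5e6f7081ull;

/* Granules needed for a request of n bytes.  The header costs only 8 bytes
 * because user data may extend into the next entry's PreviousBlockPrivateData. */
uint16_t granules_for_request(size_t n)
{
    return (uint16_t)((n + 8 + GRANULE - 1) / GRANULE);
}

/* UnusedBytes as stored in the header: whole block minus the request. */
uint8_t unused_bytes_for_request(size_t n)
{
    return (uint8_t)(granules_for_request(n) * GRANULE - n);
}

/* How far (bytes) the user data of a busy block at `entry` reaches past the
 * start of the next _HEAP_ENTRY: 0 or 8 on x64. */
size_t bytes_into_next_entry(uint64_t entry, size_t n)
{
    uint64_t user_end   = entry + GRANULE + n;
    uint64_t next_entry = entry + (uint64_t)granules_for_request(n) * GRANULE;
    return user_end > next_entry ? (size_t)(user_end - next_entry) : 0;
}

static uint8_t header_checksum(const heap_entry *e)
{
    return (uint8_t)((e->size & 0xff) ^ (e->size >> 8) ^ e->flags);
}

/* Little-endian byte layout of the header, as `dd` shows it in memory. */
static uint64_t pack_header(const heap_entry *e)
{
    return (uint64_t)e->size
         | (uint64_t)e->flags           << 16
         | (uint64_t)e->small_tag_index << 24
         | (uint64_t)e->previous_size   << 32
         | (uint64_t)e->segment_offset  << 48
         | (uint64_t)e->unused_bytes    << 56;
}

static void unpack_header(uint64_t v, heap_entry *e)
{
    e->size            = (uint16_t)v;
    e->flags           = (uint8_t)(v >> 16);
    e->small_tag_index = (uint8_t)(v >> 24);
    e->previous_size   = (uint16_t)(v >> 32);
    e->segment_offset  = (uint8_t)(v >> 48);
    e->unused_bytes    = (uint8_t)(v >> 56);
}

/* Encode as the heap does: fill in the checksum, then XOR with the heap key. */
uint64_t encode_header(const heap_entry *e, uint64_t heap_encoding)
{
    heap_entry c = *e;
    c.small_tag_index = header_checksum(&c);
    return pack_header(&c) ^ heap_encoding;
}

/* Decode raw header bytes.  Returns 1 if the checksum holds, 0 if the header
 * was tampered with (what the heap reports as a corrupted block). */
int decode_header(uint64_t raw, uint64_t heap_encoding, heap_entry *out)
{
    unpack_header(raw ^ heap_encoding, out);
    return header_checksum(out) == out->small_tag_index;
}

/* Simulate an overflow that writes one byte `val` at offset `idx` (0..7) of
 * the raw, still-encoded header in memory. */
uint64_t overwrite_byte(uint64_t raw, unsigned idx, uint8_t val)
{
    uint64_t shift = 8u * idx;
    return (raw & ~(0xffull << shift)) | ((uint64_t)val << shift);
}

int main(void)
{
    size_t   request = 0xa8;
    uint64_t entry   = 0x404260;   /* HEAP_ENTRY address from the !heap output */
    heap_entry e = { granules_for_request(request), 0x01, 0, 0, 0,
                     unused_bytes_for_request(request) };
    heap_entry d;
    uint64_t raw = encode_header(&e, SAMPLE_ENCODING);

    printf("malloc(0x%zx): Size 0x%03x, UnusedBytes %u, UserPtr 0x%llx, "
           "user data runs %zu bytes into the next entry\n",
           request, (unsigned)e.size, (unsigned)e.unused_bytes,
           (unsigned long long)(entry + GRANULE), bytes_into_next_entry(entry, request));
    printf("encoded header 0x%016llx, decodes ok=%d\n",
           (unsigned long long)raw, decode_header(raw, SAMPLE_ENCODING, &d));
    /* memset(p, 'a', 0xa9) would land on byte 0 (Size low) of the next header */
    printf("one 'a' past the block: ok=%d\n",
           decode_header(overwrite_byte(raw, 0, 'a'), SAMPLE_ENCODING, &d));
    /* bytes 4..7 (PreviousSize, SegmentOffset, UnusedBytes) are not checksummed */
    printf("UnusedBytes overwritten: ok=%d\n",
           decode_header(overwrite_byte(raw, 7, 'a'), SAMPLE_ENCODING, &d));
    return 0;
}
```

Build with any C99 compiler and run. The last two lines show why an off-by-one past the 0xa8 bytes is caught at the next heap operation on that block (the decoded Size byte no longer matches SmallTagIndex) while the PreviousSize/SegmentOffset/UnusedBytes bytes are outside the checksum. To decode a real header such as the b41d0acd 0000b0b4 at 404318, replace SAMPLE_ENCODING with the value of `dt ntdll!_HEAP 3c0000 Encoding` from the same session.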

Original post: https://www.cnblogs.com/studyskill/p/7388660.html