Process Heap Segments And Their Necessity


Question

While dumping the heap of a win32 process (mostly in processes which have high heap memory consumption, like IE) using !heap -a 004e0000, I find multiple segments of a particular heap, like:

Heap entries for Segment00 in Heap 004e0000
Heap entries for Segment01 in Heap 004e0000
Heap entries for Segment02 in Heap 004e0000

My questions are:

Question 1. Why is it necessary to divide a single heap into multiple segments?

Question 2. Most of the time I find a large gap between two segments. For example, in the image below Segment00 actually ends @ 0x005e0000 (where the un-committed bytes start) and Segment01 starts @ 0x05b60000.

Why this gap? Couldn't we use the same segment (Segment00) for further allocation?

Question 3. How can I find the number of segments present in a particular heap and their addresses from process memory, or more specifically from a heap offset (for example heap_handle+0xsomeoffset)?

Answer

As an answer to Question 3, I think I've found a "hacky" way to get the segment base addresses from memory.

0:027> !heap
Index   Address  Name      Debugging options enabled
  1:   00790000                
  2:   004d0000                
  3:   028b0000                
  4:   02a40000                
  5:   02fa0000                
  6:   03b00000                
  7:   02ca0000                
  8:   03ac0000                
  9:   04d80000                
 10:   0a850000                

We take heap 0x00790000 and list all segments in it.

0:027> !heap 00790000
Index   Address  Name      Debugging options enabled
  1:   00790000 
    Segment at 00790000 to 00890000 (00100000 bytes committed)
    Segment at 053a0000 to 054a0000 (00100000 bytes committed)
    Segment at 05d40000 to 05f40000 (00200000 bytes committed)
    Segment at 063e0000 to 067e0000 (00400000 bytes committed)
    Segment at 09ce0000 to 0a4e0000 (007fa000 bytes committed)

Now the same segment base addresses can be fetched manually from memory.

0:027> dt _HEAP 00790000 
ntdll!_HEAP
   +0x000 Entry            : _HEAP_ENTRY
   +0x008 SegmentSignature : 0xffeeffee
   +0x00c SegmentFlags     : 0
   +0x010 SegmentListEntry : _LIST_ENTRY [ 0x53a0010 - 0x7900a8 ]
   +0x018 Heap             : 0x00790000 _HEAP
   +0x01c BaseAddress      : 0x00790000 Void
   ..
   ..

We are interested in SegmentListEntry (which is @ offset 0x010).

We dump 2 DWORDs from address heap_base + 0x10:

0:027> dd 00790000 + 0x10 L2
00790010  053a0010 007900a8

Then we take the BLINK (which means the 2nd DWORD of the above output, which is 0x007900a8) and dump 2 DWORDs from there. And we keep doing it until we reach the same pointer from where we started, which is 0x007900a8.

0:027> dd 007900a8 L2
007900a8  00790010 09ce0010
0:027> dd 09ce0010 L2
09ce0010  007900a8 063e0010
0:027> dd 063e0010 L2
063e0010  09ce0010 05d40010
0:027> dd 05d40010 L2
05d40010  063e0010 053a0010
0:027> dd 053a0010 L2
053a0010  05d40010 00790010
0:027> dd 00790010 L2
00790010  053a0010 007900a8

Since we reached the same point from where we started, we can stop here.

0:027> dd 007900a8 L2
007900a8  00790010 09ce0010

Now take a look at the values we got above. If you subtract 16 from all of them (except 0x007900a8 and 0x007900a8) you will get the segment base addresses.

0:027> ? 09ce0000 + 16
Evaluate expression: 164495382 = 09ce0016

which are:

00790000
053a0000
05d40000
063e0000
09ce0000
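The walk in the answer above is a hand-driven traversal of a circular _LIST_ENTRY list followed by CONTAINING_RECORD-style arithmetic (node address minus the 0x10 offset of SegmentListEntry). The following C program is an added example, not the answerer's code: it replays that walk over a constructed sparse "memory image" holding exactly the DWORD pairs shown in the dd output above. It follows Flink rather than Blink (so the segments come out in the same order as the !heap 00790000 listing), and it adds two things a practitioner wants when doing this on a real, possibly corrupted heap: a back-pointer check (the next node's Blink must point at the current node) and a bound on the number of steps. The list-head offset 0xa8 is derived from the page's own numbers (0x007900a8 - 0x00790000), not from a struct definition; the MAX_SEGMENTS bound and the read_list_entry helper are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offset of SegmentListEntry inside _HEAP_SEGMENT, from the 'dt _HEAP' output on the page. */
#define SEGMENT_LIST_ENTRY_OFFSET 0x10u
/* Offset of the non-segment list node inside _HEAP: 0x007900a8 - 0x00790000 (page numbers). */
#define SEGMENT_LIST_HEAD_OFFSET  0xa8u
/* Loop guard (assumed): stop if a corrupted list never returns to the start node. */
#define MAX_SEGMENTS 64

/* One _LIST_ENTRY as shown by 'dd <addr> L2': Flink first, then Blink. */
typedef struct {
    uint32_t addr;
    uint32_t flink;
    uint32_t blink;
} list_node_t;

/* Constructed sparse memory image: the exact DWORD pairs dumped in the answer. */
static const list_node_t dump[] = {
    { 0x00790010u, 0x053a0010u, 0x007900a8u },
    { 0x007900a8u, 0x00790010u, 0x09ce0010u },
    { 0x09ce0010u, 0x007900a8u, 0x063e0010u },
    { 0x063e0010u, 0x09ce0010u, 0x05d40010u },
    { 0x05d40010u, 0x063e0010u, 0x053a0010u },
    { 0x053a0010u, 0x05d40010u, 0x00790010u },
};

/* Emulates 'dd addr L2'. Returns 1 and fills flink/blink if addr is in the image, else 0. */
static int read_list_entry(uint32_t addr, uint32_t *flink, uint32_t *blink)
{
    for (size_t i = 0; i < sizeof dump / sizeof dump[0]; i++) {
        if (dump[i].addr == addr) {
            *flink = dump[i].flink;
            *blink = dump[i].blink;
            return 1;
        }
    }
    return 0;
}

/*
 * Walk the circular segment list of the heap at heap_base, starting at the heap's own
 * _HEAP_SEGMENT header (heap_base + 0x10) and following Flink. Every node except the
 * list head inside _HEAP (heap_base + 0xa8) belongs to a _HEAP_SEGMENT, whose base is
 * node - 0x10 (CONTAINING_RECORD by hand). Returns the number of segments found, or -1
 * if a node is unreadable, a back-pointer does not match, or the walk does not close.
 */
int walk_segment_list(uint32_t heap_base, uint32_t *bases, int max_bases)
{
    const uint32_t first     = heap_base + SEGMENT_LIST_ENTRY_OFFSET;
    const uint32_t list_head = heap_base + SEGMENT_LIST_HEAD_OFFSET;
    uint32_t cur = first;
    int n = 0, steps = 0;

    do {
        uint32_t flink, blink, next_flink, next_blink;
        if (!read_list_entry(cur, &flink, &blink))
            return -1;                       /* unmapped or unknown address */
        if (cur != list_head) {
            if (n >= max_bases)
                return -1;
            bases[n++] = cur - SEGMENT_LIST_ENTRY_OFFSET;
        }
        /* Safe-unlinking style check: the node we are about to visit must point back at us. */
        if (!read_list_entry(flink, &next_flink, &next_blink) || next_blink != cur)
            return -1;
        cur = flink;
    } while (cur != first && ++steps < MAX_SEGMENTS);

    return (cur == first) ? n : -1;
}

int main(void)
{
    uint32_t bases[MAX_SEGMENTS];
    int n = walk_segment_list(0x00790000u, bases, MAX_SEGMENTS);
    if (n < 0) {
        printf("segment list inconsistent or unreadable\n");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("Segment at %08x\n", bases[i]);
    return 0;
}
```

Run against the embedded image this prints the five bases 00790000, 053a0000, 05d40000, 063e0000 and 09ce0000 in the order !heap reports them; pointing it at a heap whose nodes are not in the image (or whose Blink chain has been tampered with) returns -1 instead of walking off into garbage, which is the behaviour you want when scripting this against a dump from a crashed process.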
