Win32: dump file analysis of heap corruption

• win32 Heap structure

         Before solving practical problems , Let's first understand the related concepts

        1. Heap structure

         Pile up -> paragraph -> block

         The heap consists of segments , Segments are made up of blocks , Block is the data structure of virtual memory that the user finally applies to the system .（ At present, our user mode programs only need to understand blocks ）

        2. _HEAP_ENTRY structure

Each heap , Each segment , Each block will have a corresponding _HEAP_ENTRY structure , It describes the content of the area . Like block _HEAP_ENTRY Structure stores the heap to which it belongs , paragraph , Information such as the previous item size and current size .

• windbg Heap related commands

1. View overview information of all heaps ：!heap -s
2. All segment and block information of a heap ：!heap -a 0xXXXXXXXX
3. Check the location of a memory address _HEAP_ENTRY Information ：!heap -x 0xXXXXXXXX
4. Count the overview information of a heap ：!heap -stat -h 0xXXXXXXXX
5. List all sizes X The block address of ：!heap -flt s X
6. View heap debugging support ：!gflag
7. View the contents of the memory block dc 0xXXXXXXXX

• Debugging of heap corruption

        1.  What is called heap destruction

         Heap destruction is actually block destruction , Because of reading and writing to the space beyond the allocated address , Cause to destroy _HEAP_ENTRY structure （ If it is CRT Pile up , Just destroyed CRT Check the structure at the end of the heap , It even destroys the structure of the next block ）

        2. An example of heap corruption

         Here is a deliberate operation beyond the boundary , Translate it into release edition , use windbg Hang up

         Check it out. ptr Value

         Check it out. ptr Where _HEAP_ENTRY structure , Discovery belongs to 00b30000 This pile , stay 00b34420 Inside this block

         We see that the above blocks and subsequent blocks have been destroyed , So the characteristics of heap failure are basically like this . But this routine does not cause a crash .

        3. Summarize the analysis ideas

        a) Find the heap where the crashed block is located （ You can judge according to the address range ）.

        b) View all block information of the heap .

        c) Find the corresponding information from the last block that has not been destroyed .（ If the business logic is written from small to large , It will destroy the backward block , Otherwise, it is the opposite ）