#include <rz_windows.h>
#include <rz_core.h>
#include <TlHelp32.h>
#include <windows_heap.h>
#include "..\..\debug\p\native\maps\windows_maps.h"
#include "..\..\bin\pdb\pdb_downloader.h"
#include "..\..\bin\pdb\pdb.h"

Classes
struct	_th_query_params

Macros
#define	PDI_MODULES 0x01

#define	PDI_HEAPS 0x04

#define	PDI_HEAP_TAGS 0x08

#define	PDI_HEAP_BLOCKS 0x10

#define	PDI_HEAP_ENTRIES_EX 0x200

#define	CHECK_INFO(heapInfo)

#define	CHECK_INFO_RETURN_NULL(heapInfo)

#define	UPDATE_FLAGS(hb, flags)

#define	GROW_BLOCKS()

#define	GROW_PBLOCKS()

Typedefs
typedef struct _th_query_params	th_query_params

Functions
static bool	__is_windows_ten (void)

static char *	get_type (WPARAM flags)

static bool	initialize_windows_ntdll_query_api_functions (void)

static bool	is_segment_heap (HANDLE h_proc, PVOID heapBase)

static bool	GetFirstHeapBlock (PDEBUG_HEAP_INFORMATION heapInfo, PHeapBlock hb)

static bool	GetNextHeapBlock (PDEBUG_HEAP_INFORMATION heapInfo, PHeapBlock hb)

static void	free_extra_info (PDEBUG_HEAP_INFORMATION heap)

static bool	has_heap_globals (void)

static bool	GetHeapGlobalsOffset (RzDebug *dbg, HANDLE h_proc)

static bool	GetLFHKey (RzDebug dbg, HANDLE h_proc, bool segment, WPARAM lfhKey)

static bool	DecodeHeapEntry (RzDebug *dbg, PHEAP heap, PHEAP_ENTRY entry)

static bool	DecodeLFHEntry (RzDebug *dbg, PHEAP heap, PHEAP_ENTRY entry, PHEAP_USERDATA_HEADER userBlocks, WPARAM key, WPARAM addr)

static DWORD WINAPI	__th_QueryDebugBuffer (void *param)

static RzList *	GetListOfHeaps (RzDebug *dbg, HANDLE ph)

static PDEBUG_BUFFER	InitHeapInfo (RzDebug *dbg, DWORD mask)

static bool	__lfh_segment_loop (HANDLE h_proc, PHeapBlockBasicInfo blocks, SIZE_T allocated, WPARAM lfhKey, WPARAM *count, WPARAM first, WPARAM next)

static bool	GetSegmentHeapBlocks (RzDebug dbg, HANDLE h_proc, PVOID heapBase, PHeapBlockBasicInfo blocks, WPARAM count, SIZE_T allocated)

static PDEBUG_BUFFER	GetHeapBlocks (DWORD pid, RzDebug *dbg)

static PHeapBlock	GetSingleSegmentBlock (RzDebug *dbg, HANDLE h_proc, PSEGMENT_HEAP heapBase, WPARAM offset)

static PHeapBlock	GetSingleBlock (RzDebug *dbg, ut64 offset)

static RzTable *	__new_heapblock_tbl (void)

RZ_IPI void	rz_heap_list_w32 (RzCore *core, RzOutputMode mode)

static void	w32_list_heaps_blocks (RzCore *core, RzOutputMode mode, bool flag)

RZ_IPI void	rz_heap_debug_block_win (RzCore core, const char addr, RzOutputMode mode, bool flag)

RZ_IPI RzList *	rz_heap_blocks_list (RzCore *core)

RZ_IPI RzList *	rz_heap_list (RzCore *core)

Variables
static size_t	RtlpHpHeapGlobalsOffset = 0

static size_t	RtlpLFHKeyOffset = 0

Macro Definition Documentation

◆ CHECK_INFO

#define CHECK_INFO ( heapInfo )

Value:

    if (!heapInfo) { \
        eprintf("It wasn't possible to get the heap information\n"); \
        return; \
    } \
    if (!heapInfo->count) { \
        rz_cons_print("No heaps for this process\n"); \
        return; \
    }

Definition at line 61 of file windows_heap.c.

◆ CHECK_INFO_RETURN_NULL

#define CHECK_INFO_RETURN_NULL ( heapInfo )

Value:

    if (!heapInfo) { \
        eprintf("It wasn't possible to get the heap information\n"); \
        return NULL; \
    } \
    if (!heapInfo->count) { \
        rz_cons_print("No heaps for this process\n"); \
        return NULL; \
    }

Definition at line 71 of file windows_heap.c.

◆ GROW_BLOCKS

#define GROW_BLOCKS ( )

Value:

    if (allocated <= count * sizeof(HeapBlockBasicInfo)) { \
        SIZE_T old_alloc = allocated; \
        allocated *= 2; \
        PVOID tmp = blocks; \
        blocks = realloc(blocks, allocated); \
        if (!blocks) { \
            blocks = tmp; \
            goto err; \
        } \
        memset((BYTE *)blocks + old_alloc, 0, old_alloc); \
    }

Definition at line 579 of file windows_heap.c.

◆ GROW_PBLOCKS

#define GROW_PBLOCKS ( )

Value:

    if (*allocated <= *count * sizeof(HeapBlockBasicInfo)) { \
        SIZE_T old_alloc = *allocated; \
        *allocated *= 2; \
        PVOID tmp = *blocks; \
        tmp = realloc(*blocks, *allocated); \
        if (!tmp) { \
            return false; \
        } \
        *blocks = tmp; \
        memset((BYTE *)(*blocks) + old_alloc, 0, old_alloc); \
    }

Definition at line 592 of file windows_heap.c.

◆ PDI_HEAP_BLOCKS

#define PDI_HEAP_BLOCKS 0x10

Definition at line 55 of file windows_heap.c.

◆ PDI_HEAP_ENTRIES_EX

#define PDI_HEAP_ENTRIES_EX 0x200

Definition at line 56 of file windows_heap.c.

◆ PDI_HEAP_TAGS

#define PDI_HEAP_TAGS 0x08

Definition at line 54 of file windows_heap.c.

◆ PDI_HEAPS

#define PDI_HEAPS 0x04

Definition at line 53 of file windows_heap.c.

◆ PDI_MODULES

#define PDI_MODULES 0x01

Definition at line 52 of file windows_heap.c.

◆ UPDATE_FLAGS

#define UPDATE_FLAGS	(	hb,
		flags
	)

Value:

    if (((flags)&0xf1) || ((flags)&0x0200)) { \
        hb->dwFlags = LF32_FIXED; \
    } else if ((flags)&0x20) { \
        hb->dwFlags = LF32_MOVEABLE; \
    } else if ((flags)&0x0100) { \
        hb->dwFlags = LF32_FREE; \
    } \
    hb->dwFlags |= ((flags) >> SHIFT) << SHIFT;

Definition at line 81 of file windows_heap.c.

Typedef Documentation

◆ th_query_params

typedef struct _th_query_params th_query_params

Function Documentation

◆ __is_windows_ten()

static bool __is_windows_ten ( void )

static

Definition at line 91 of file windows_heap.c.

                                    {
     int major = 0;
     RSysInfo *info = rz_sys_info();
     if (info && info->version) {
         char *dot = strchr(info->version, '.');
         if (dot) {
             *dot = '\0';
             major = atoi(info->version);
         }
     }
     rz_sys_info_free(info);
     return major == 10;
 }

References info(), major, rz_sys_info(), and rz_sys_info_free().

Referenced by InitHeapInfo(), rz_heap_blocks_list(), rz_heap_list(), rz_heap_list_w32(), and w32_list_heaps_blocks().

◆ __lfh_segment_loop()

static bool __lfh_segment_loop	(	HANDLE	h_proc,
		PHeapBlockBasicInfo *	blocks,
		SIZE_T *	allocated,
		WPARAM	lfhKey,
		WPARAM *	count,
		WPARAM	first,
		WPARAM	next
	)

static

Definition at line 605 of file windows_heap.c.

                                                                                                                                                        {
     while ((first != next) && next) {
         HEAP_LFH_SUBSEGMENT subsegment;
         ReadProcessMemory(h_proc, (void *)next, &subsegment, sizeof(HEAP_LFH_SUBSEGMENT), NULL);
         subsegment.BlockOffsets.EncodedData ^= (DWORD)lfhKey ^ ((DWORD)next >> 0xC);
         WPARAM mask = 1, offset = 0;
         int l;
         for (l = 0; l < subsegment.BlockCount; l++) {
             if (!mask) {
                 mask = 1;
                 offset++;
                 ReadProcessMemory(h_proc, (WPARAM *)(next + offsetof(HEAP_LFH_SUBSEGMENT, BlockBitmap)) + offset,
                     &subsegment.BlockBitmap, sizeof(WPARAM), NULL);
             }
             if (subsegment.BlockBitmap[0] & mask) {
                 GROW_PBLOCKS();
                 WPARAM off = (WPARAM)subsegment.BlockOffsets.FirstBlockOffset + l * (WPARAM)subsegment.BlockOffsets.BlockSize;
                 (*blocks)[*count].address = next + off;
                 (*blocks)[*count].size = subsegment.BlockOffsets.BlockSize;
                 (*blocks)[*count].flags = 1 | SEGMENT_HEAP_BLOCK | LFH_BLOCK;
                 PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
                 if (!extra) {
                     return false;
                 }
                 extra->segment = next;
                 extra->granularity = sizeof(HEAP_ENTRY);
                 (*blocks)[*count].extra = EXTRA_FLAG | (WPARAM)extra;
                 *count += 1;
             }
             mask <<= 2;
         }
         next = (WPARAM)subsegment.ListEntry.Flink;
     }
     return true;
 }

References _HEAP_LFH_SUBSEGMENT::BlockBitmap, _HEAP_LFH_SUBSEGMENT::BlockCount, _HEAP_LFH_SUBSEGMENT::BlockOffsets, _HEAP_LFH_SUBSEGMENT_ENCODED_OFFSETS::BlockSize, count, DWORD, _HEAP_LFH_SUBSEGMENT_ENCODED_OFFSETS::EncodedData, EXTRA_FLAG, _HEAP_LFH_SUBSEGMENT_ENCODED_OFFSETS::FirstBlockOffset, _HeapBlockExtraInfo::granularity, GROW_PBLOCKS, LFH_BLOCK, _HEAP_LFH_SUBSEGMENT::ListEntry, mask, NULL, off, offsetof, RZ_NEW0, _HeapBlockExtraInfo::segment, and SEGMENT_HEAP_BLOCK.

Referenced by GetSegmentHeapBlocks().

◆ __new_heapblock_tbl()

static RzTable* __new_heapblock_tbl ( void )

static

Definition at line 1226 of file windows_heap.c.

                                           {
     RzTable *tbl = rz_table_new();
     rz_table_add_column(tbl, rz_table_type("number"), "HeaderAddress", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "UserAddress", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "Size", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "Granularity", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "Unused", -1);
     rz_table_add_column(tbl, rz_table_type("String"), "Type", -1);
     return tbl;
 }

References rz_table_add_column(), rz_table_new(), and rz_table_type().

Referenced by rz_heap_debug_block_win(), and w32_list_heaps_blocks().

◆ __th_QueryDebugBuffer()

static DWORD WINAPI __th_QueryDebugBuffer ( void * param )

static

Definition at line 451 of file windows_heap.c.

                                                        {
     th_query_params *params = (th_query_params *)param;
     params->ret = RtlQueryProcessDebugInformation(params->dbg->pid, params->mask, params->db);
     params->fin = true;
     if (params->hanged) {
         RtlDestroyQueryDebugBuffer(params->db);
         free(params);
     }
     return 0;
 }

References _th_query_params::db, _th_query_params::dbg, _th_query_params::fin, free(), _th_query_params::hanged, _th_query_params::mask, rz_debug_t::pid, and _th_query_params::ret.

Referenced by InitHeapInfo().

◆ DecodeHeapEntry()

static bool DecodeHeapEntry	(	RzDebug *	dbg,
		PHEAP	heap,
		PHEAP_ENTRY	entry
	)

static

Definition at line 416 of file windows_heap.c.

                                                                          {
     rz_return_val_if_fail(heap && entry, false);
     if (dbg->bits == RZ_SYS_BITS_64) {
         entry = (PHEAP_ENTRY)((ut8 *)entry + dbg->bits);
     }
     if (heap->EncodeFlagMask && (*(UINT32 *)entry & heap->EncodeFlagMask)) {
         if (dbg->bits == RZ_SYS_BITS_64) {
             heap = (PHEAP)((ut8 *)heap + dbg->bits);
         }
         *(WPARAM *)entry ^= *(WPARAM *)&heap->Encoding;
     }
     return !(((BYTE *)entry)[0] ^ ((BYTE *)entry)[1] ^ ((BYTE *)entry)[2] ^ ((BYTE *)entry)[3]);
 }

References rz_debug_t::bits, dbg, rz_return_val_if_fail, and RZ_SYS_BITS_64.

Referenced by GetHeapBlocks(), and GetSingleBlock().

◆ DecodeLFHEntry()

static bool DecodeLFHEntry	(	RzDebug *	dbg,
		PHEAP	heap,
		PHEAP_ENTRY	entry,
		PHEAP_USERDATA_HEADER	userBlocks,
		WPARAM	key,
		WPARAM	addr
	)

static

Definition at line 430 of file windows_heap.c.

                                                                                                                                    {
     rz_return_val_if_fail(heap && entry, false);
     if (dbg->bits == RZ_SYS_BITS_64) {
         entry = (PHEAP_ENTRY)((ut8 *)entry + dbg->bits);
     }
  
     if (heap->EncodeFlagMask) {
         *(DWORD *)entry ^= PtrToInt(heap->BaseAddress) ^ (DWORD)(((DWORD)addr - PtrToInt(userBlocks)) << 0xC) ^ (DWORD)key ^ (addr >> 4);
     }
     return !(((BYTE *)entry)[0] ^ ((BYTE *)entry)[1] ^ ((BYTE *)entry)[2] ^ ((BYTE *)entry)[3]);
 }

References addr, rz_debug_t::bits, dbg, DWORD, key, rz_return_val_if_fail, and RZ_SYS_BITS_64.

Referenced by GetHeapBlocks(), and GetSingleBlock().

◆ free_extra_info()

static void free_extra_info ( PDEBUG_HEAP_INFORMATION heap )

static

Definition at line 257 of file windows_heap.c.

                                                           {
     rz_return_if_fail(heap);
     HeapBlock hb;
     if (GetFirstHeapBlock(heap, &hb)) {
         do {
             RZ_FREE(hb.extraInfo);
         } while (GetNextHeapBlock(heap, &hb));
     }
 }

References _HeapBlock::extraInfo, GetFirstHeapBlock(), GetNextHeapBlock(), RZ_FREE, and rz_return_if_fail.

Referenced by GetHeapBlocks(), rz_heap_blocks_list(), rz_heap_list(), rz_heap_list_w32(), and w32_list_heaps_blocks().

◆ get_type()

static char* get_type ( WPARAM flags )

static

Definition at line 105 of file windows_heap.c.

                                     {
     char *state = "";
     switch (flags & 0xFFFF) {
     case LF32_FIXED:
         state = "(FIXED)";
         break;
     case LF32_FREE:
         state = "(FREE)";
         break;
     case LF32_MOVEABLE:
         state = "(MOVEABLE)";
         break;
     }
     char *heaptype = "";
     if (flags & SEGMENT_HEAP_BLOCK) {
         heaptype = "Segment";
     } else if (flags & NT_BLOCK) {
         heaptype = "NT";
     }
     char *type = "";
     if (flags & LFH_BLOCK) {
         type = "/LFH";
     } else if (flags & LARGE_BLOCK) {
         type = "/LARGE";
     } else if (flags & BACKEND_BLOCK) {
         type = "/BACKEND";
     } else if (flags & VS_BLOCK) {
         type = "/VS";
     }
     return rz_str_newf("%s %s%s", state, heaptype, type);
 }

References BACKEND_BLOCK, flags, LARGE_BLOCK, LFH_BLOCK, NT_BLOCK, rz_str_newf(), SEGMENT_HEAP_BLOCK, type, and VS_BLOCK.

Referenced by rz_heap_blocks_list(), rz_heap_debug_block_win(), and w32_list_heaps_blocks().

◆ GetFirstHeapBlock()

static bool GetFirstHeapBlock	(	PDEBUG_HEAP_INFORMATION	heapInfo,
		PHeapBlock	hb
	)

static

Definition at line 168 of file windows_heap.c.

                                                                                {
     rz_return_val_if_fail(heapInfo && hb, false);
     PHeapBlockBasicInfo block;
  
     hb->index = 0;
     hb->dwAddress = 0;
     hb->dwFlags = 0;
     hb->extraInfo = NULL;
  
     block = (PHeapBlockBasicInfo)heapInfo->Blocks;
     if (!block) {
         return false;
     }
  
     SIZE_T index = hb->index;
     do {
         if (index > heapInfo->BlockCount) {
             return false;
         }
         hb->dwAddress = block[index].address;
         hb->dwSize = block->size;
         if (block[index].extra & EXTRA_FLAG) {
             PHeapBlockExtraInfo extra = (PHeapBlockExtraInfo)(block[index].extra & ~EXTRA_FLAG);
             hb->dwSize -= extra->unusedBytes;
             hb->extraInfo = extra;
             hb->dwAddress = (WPARAM)hb->dwAddress + extra->granularity;
         } else {
             hb->dwAddress = (WPARAM)hb->dwAddress + heapInfo->Granularity;
             hb->extraInfo = NULL;
         }
         index++;
     } while (block[index].flags & 2);
  
     WPARAM flags = block[hb->index].flags;
     UPDATE_FLAGS(hb, flags);
  
     hb->index = index;
     return true;
 }

References _HeapBlockBasicInfo::address, _DEBUG_HEAP_INFORMATION::BlockCount, _DEBUG_HEAP_INFORMATION::Blocks, _HeapBlock::dwAddress, _HeapBlock::dwFlags, _HeapBlock::dwSize, EXTRA_FLAG, _HeapBlock::extraInfo, flags, _HeapBlockBasicInfo::flags, _HeapBlockExtraInfo::granularity, _DEBUG_HEAP_INFORMATION::Granularity, if(), _HeapBlock::index, NULL, rz_return_val_if_fail, _HeapBlockBasicInfo::size, _HeapBlockExtraInfo::unusedBytes, and UPDATE_FLAGS.

Referenced by free_extra_info(), rz_heap_blocks_list(), and w32_list_heaps_blocks().

◆ GetHeapBlocks()

static PDEBUG_BUFFER GetHeapBlocks	(	DWORD	pid,
		RzDebug *	dbg
	)

static

Definition at line 780 of file windows_heap.c.

                                                             {
     // TODO:
     // - Break this behemoth
     // - x86 vs x64 vs WOW64 (use dbg->bits or new structs or just a big union with both versions)
 #if defined(_M_X64)
     if (dbg->bits == RZ_SYS_BITS_32) {
         return NULL; // Nope nope nope
     }
 #endif
     WPARAM bytesRead;
     HANDLE h_proc = NULL;
     PDEBUG_BUFFER db = InitHeapInfo(dbg, PDI_HEAPS);
     if (!db || !db->HeapInformation) {
         RZ_LOG_ERROR("InitHeapInfo Failed\n");
         goto err;
     }
     h_proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
     if (!h_proc) {
         RZ_LOG_ERROR("OpenProcess failed\n");
         goto err;
     }
  
     WPARAM lfhKey;
     if (!GetLFHKey(dbg, h_proc, false, &lfhKey)) {
         RtlDestroyQueryDebugBuffer(db);
         CloseHandle(h_proc);
         eprintf("GetHeapBlocks: Failed to get LFH key.\n");
         return NULL;
     }
  
     PHeapInformation heapInfo = db->HeapInformation;
     int i;
     for (i = 0; i < heapInfo->count; i++) {
         WPARAM from = 0;
         ut64 count = 0;
         PDEBUG_HEAP_INFORMATION heap = &heapInfo->heaps[i];
         HEAP_ENTRY heapEntry;
         HEAP heapHeader;
         const SIZE_T sz_entry = sizeof(HEAP_ENTRY);
         ReadProcessMemory(h_proc, heap->Base, &heapHeader, sizeof(HEAP), &bytesRead);
  
         SIZE_T allocated = 128 * sizeof(HeapBlockBasicInfo);
         PHeapBlockBasicInfo blocks = calloc(allocated, 1);
         if (!blocks) {
             RZ_LOG_ERROR("Memory Allocation failed\n");
             goto err;
         }
  
         // SEGMENT_HEAP
         if (heapHeader.SegmentSignature == 0xddeeddee) {
             bool ret = GetSegmentHeapBlocks(dbg, h_proc, heap->Base, &blocks, &count, &allocated);
             heap->Blocks = blocks;
             heap->BlockCount = count;
             if (!ret) {
                 goto err;
             }
             continue;
         }
  
         // VirtualAlloc'd blocks
         PLIST_ENTRY fentry = (PVOID)((WPARAM)heapHeader.BaseAddress + offsetof(HEAP, VirtualAllocdBlocks));
         PLIST_ENTRY entry = heapHeader.VirtualAllocdBlocks.Flink;
         while (entry && (entry != fentry)) {
             HEAP_VIRTUAL_ALLOC_ENTRY vAlloc;
             ReadProcessMemory(h_proc, entry, &vAlloc, sizeof(HEAP_VIRTUAL_ALLOC_ENTRY), &bytesRead);
             DecodeHeapEntry(dbg, &heapHeader, &vAlloc.BusyBlock);
             GROW_BLOCKS();
             blocks[count].address = (WPARAM)entry;
             blocks[count].flags = 1 | ((vAlloc.BusyBlock.Flags | NT_BLOCK | LARGE_BLOCK) & ~2ULL);
             blocks[count].size = vAlloc.ReserveSize;
             PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
             if (!extra) {
                 goto err;
             }
             extra->granularity = sizeof(HEAP_VIRTUAL_ALLOC_ENTRY);
             extra->unusedBytes = vAlloc.ReserveSize - vAlloc.CommitSize;
             blocks[count].extra = EXTRA_FLAG | (WPARAM)extra;
             count++;
             entry = vAlloc.Entry.Flink;
         }
  
         // LFH Activated
         if (heapHeader.FrontEndHeap && heapHeader.FrontEndHeapType == 0x2) {
             LFH_HEAP lfhHeader;
             if (!ReadProcessMemory(h_proc, heapHeader.FrontEndHeap, &lfhHeader, sizeof(LFH_HEAP), &bytesRead)) {
                 rz_sys_perror("ReadProcessMemory");
                 goto err;
             }
  
             PLIST_ENTRY curEntry, firstEntry = (PVOID)((WPARAM)heapHeader.FrontEndHeap + offsetof(LFH_HEAP, SubSegmentZones));
             curEntry = lfhHeader.SubSegmentZones.Flink;
  
             // Loops through all _HEAP_SUBSEGMENTs
             do { // (curEntry != firstEntry)
                 HEAP_LOCAL_SEGMENT_INFO info;
                 HEAP_LOCAL_DATA localData;
                 HEAP_SUBSEGMENT subsegment;
                 HEAP_USERDATA_HEADER userdata;
                 LFH_BLOCK_ZONE blockZone;
  
                 WPARAM curSubsegment = (WPARAM)(curEntry + 2);
                 int next = 0;
                 do { // (next < blockZone.NextIndex)
                     if (!ReadProcessMemory(h_proc, (PVOID)curSubsegment, &subsegment, sizeof(HEAP_SUBSEGMENT), &bytesRead) || !subsegment.BlockSize || !ReadProcessMemory(h_proc, subsegment.LocalInfo, &info, sizeof(HEAP_LOCAL_SEGMENT_INFO), &bytesRead) || !ReadProcessMemory(h_proc, info.LocalData, &localData, sizeof(HEAP_LOCAL_DATA), &bytesRead) || !ReadProcessMemory(h_proc, localData.CrtZone, &blockZone, sizeof(LFH_BLOCK_ZONE), &bytesRead)) {
                         break;
                     }
  
                     if (!subsegment.UserBlocks || !subsegment.BlockSize) {
                         goto next_subsegment;
                     }
  
                     size_t sz = subsegment.BlockSize * sizeof(HEAP_ENTRY);
                     ReadProcessMemory(h_proc, subsegment.UserBlocks, &userdata, sizeof(HEAP_USERDATA_HEADER), &bytesRead);
                     userdata.EncodedOffsets.StrideAndOffset ^= PtrToInt(subsegment.UserBlocks) ^ PtrToInt(heapHeader.FrontEndHeap) ^ (WPARAM)lfhKey;
                     size_t bitmapsz = (userdata.BusyBitmap.SizeOfBitMap + 8 - userdata.BusyBitmap.SizeOfBitMap % 8) / 8;
                     WPARAM *bitmap = calloc(bitmapsz > sizeof(WPARAM) ? bitmapsz : sizeof(WPARAM), 1);
                     if (!bitmap) {
                         goto err;
                     }
                     ReadProcessMemory(h_proc, userdata.BusyBitmap.Buffer, bitmap, bitmapsz, &bytesRead);
                     WPARAM mask = 1;
                     // Walk through the busy bitmap
                     int j;
                     size_t offset;
                     for (j = 0, offset = 0; j < userdata.BusyBitmap.SizeOfBitMap; j++) {
                         if (!mask) {
                             mask = 1;
                             offset++;
                         }
                         // Only if block is busy
                         if (*(bitmap + offset) & mask) {
                             GROW_BLOCKS();
                             WPARAM off = userdata.EncodedOffsets.FirstAllocationOffset + sz * j;
                             from = (WPARAM)subsegment.UserBlocks + off;
                             ReadProcessMemory(h_proc, (PVOID)from, &heapEntry, sz_entry, &bytesRead);
                             DecodeLFHEntry(dbg, &heapHeader, &heapEntry, subsegment.UserBlocks, lfhKey, from);
                             blocks[count].address = from;
                             blocks[count].flags = 1 | NT_BLOCK | LFH_BLOCK;
                             blocks[count].size = sz;
                             PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
                             if (!extra) {
                                 goto err;
                             }
                             extra->granularity = sizeof(HEAP_ENTRY);
                             extra->segment = curSubsegment;
                             blocks[count].extra = EXTRA_FLAG | (WPARAM)extra;
                             count++;
                         }
                         mask <<= 1;
                     }
                     free(bitmap);
                 next_subsegment:
                     curSubsegment += sizeof(HEAP_SUBSEGMENT);
                     next++;
                 } while (next < blockZone.NextIndex || subsegment.BlockSize);
  
                 LIST_ENTRY entry;
                 ReadProcessMemory(h_proc, curEntry, &entry, sizeof(entry), &bytesRead);
                 curEntry = entry.Flink;
             } while (curEntry != firstEntry);
         }
  
         HEAP_SEGMENT oldSegment, segment;
         WPARAM firstSegment = (WPARAM)heapHeader.SegmentList.Flink;
         ReadProcessMemory(h_proc, (PVOID)(firstSegment - offsetof(HEAP_SEGMENT, SegmentListEntry)), &segment, sizeof(HEAP_SEGMENT), &bytesRead);
         // NT Blocks (Loops through all _HEAP_SEGMENTs)
         do {
             from = (WPARAM)segment.FirstEntry;
             if (!from) {
                 goto next;
             }
             do {
                 if (!ReadProcessMemory(h_proc, (PVOID)from, &heapEntry, sz_entry, &bytesRead)) {
                     break;
                 }
                 DecodeHeapEntry(dbg, &heapHeader, &heapEntry);
                 if (!heapEntry.Size) {
                     // Last Heap block
                     count--;
                     break;
                 }
  
                 SIZE_T real_sz = heapEntry.Size * sz_entry;
  
                 GROW_BLOCKS();
                 PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
                 if (!extra) {
                     goto err;
                 }
                 extra->granularity = sizeof(HEAP_ENTRY);
                 extra->segment = (WPARAM)segment.BaseAddress;
                 blocks[count].extra = EXTRA_FLAG | (WPARAM)extra;
                 blocks[count].address = from;
                 blocks[count].flags = heapEntry.Flags | NT_BLOCK | BACKEND_BLOCK;
                 blocks[count].size = real_sz;
                 from += real_sz;
                 count++;
             } while (from <= (WPARAM)segment.LastValidEntry);
         next:
             oldSegment = segment;
             from = (WPARAM)segment.SegmentListEntry.Flink - offsetof(HEAP_SEGMENT, SegmentListEntry);
             ReadProcessMemory(h_proc, (PVOID)from, &segment, sizeof(HEAP_SEGMENT), &bytesRead);
         } while ((WPARAM)oldSegment.SegmentListEntry.Flink != firstSegment);
         heap->Blocks = blocks;
         heap->BlockCount = count;
  
         if (!heap->Committed && !heap->Allocated) {
             heap->Committed = heapHeader.Counters.TotalMemoryCommitted;
             heap->Allocated = heapHeader.Counters.LastPolledSize;
         }
     }
     CloseHandle(h_proc);
     return db;
 err:
     if (h_proc) {
         CloseHandle(h_proc);
     }
     if (db) {
         int i;
         for (i = 0; i < heapInfo->count; i++) {
             PDEBUG_HEAP_INFORMATION heap = &heapInfo->heaps[i];
             free_extra_info(heap);
             RZ_FREE(heap->Blocks);
         }
         RtlDestroyQueryDebugBuffer(db);
     }
     return NULL;
 }

References BACKEND_BLOCK, _HEAP_SEGMENT::BaseAddress, _HEAP::BaseAddress, rz_debug_t::bits, blocks, _HEAP_SUBSEGMENT::BlockSize, _RTL_BITMAP_EX::Buffer, _HEAP_USERDATA_HEADER::BusyBitmap, _HEAP_VIRTUAL_ALLOC_ENTRY::BusyBlock, calloc(), _HEAP_VIRTUAL_ALLOC_ENTRY::CommitSize, count, _HeapInformation::count, _HEAP::Counters, _HEAP_LOCAL_DATA::CrtZone, dbg, DecodeHeapEntry(), DecodeLFHEntry(), _HEAP_USERDATA_HEADER::EncodedOffsets, _HEAP_VIRTUAL_ALLOC_ENTRY::Entry, eprintf, err, EXTRA_FLAG, FALSE, _HEAP_USERDATA_OFFSETS::FirstAllocationOffset, _HEAP_SEGMENT::FirstEntry, _HEAP_ENTRY::Flags, free(), free_extra_info(), from, _HEAP::FrontEndHeap, _HEAP::FrontEndHeapType, GetLFHKey(), GetSegmentHeapBlocks(), _HeapBlockExtraInfo::granularity, GROW_BLOCKS, HANDLE, _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, if(), info(), InitHeapInfo(), LARGE_BLOCK, _HEAP_COUNTERS::LastPolledSize, _HEAP_SEGMENT::LastValidEntry, LFH_BLOCK, mask, _LFH_BLOCK_ZONE::NextIndex, NT_BLOCK, NULL, off, offsetof, PDI_HEAPS, pid, PVOID, _HEAP_VIRTUAL_ALLOC_ENTRY::ReserveSize, RZ_FREE, RZ_LOG_ERROR, RZ_NEW0, RZ_SYS_BITS_32, rz_sys_perror, _HeapBlockExtraInfo::segment, _HEAP::SegmentList, _HEAP_SEGMENT::SegmentListEntry, _HEAP::SegmentSignature, _RTL_BITMAP_EX::SizeOfBitMap, _HEAP_USERDATA_OFFSETS::StrideAndOffset, _LFH_HEAP::SubSegmentZones, _HEAP_COUNTERS::TotalMemoryCommitted, _HeapBlockExtraInfo::unusedBytes, ut64(), and _HEAP::VirtualAllocdBlocks.

Referenced by rz_heap_blocks_list(), rz_heap_list(), rz_heap_list_w32(), and w32_list_heaps_blocks().

◆ GetHeapGlobalsOffset()

static bool GetHeapGlobalsOffset	(	RzDebug *	dbg,
		HANDLE	h_proc
	)

static

Definition at line 271 of file windows_heap.c.

                                                               {
     if (has_heap_globals()) {
         return true;
     }
     RzCore *core = dbg->corebind.core;
     RzList *modules = rz_w32_dbg_modules(dbg);
     RzListIter *it;
     RzDebugMap *map;
     bool found = false;
     rz_list_foreach (modules, it, map) {
         if (!strcmp(map->name, "ntdll.dll")) {
             found = true;
             break;
         }
     }
     if (!found) {
         eprintf("ntdll.dll not loaded.\n");
         rz_list_free(modules);
         return false;
     }
  
     ut64 baseaddr = map->addr;
  
     // Open ntdll.dll file
     int fd;
     if ((fd = rz_io_fd_open(core->io, map->file, RZ_PERM_R, 0)) == -1) {
         rz_list_free(modules);
         return false;
     }
  
     rz_list_free(modules);
  
     // Load ntdll.dll in RzBin to get its GUID
     RzBinOptions opt = { 0 };
     opt.fd = fd;
     opt.sz = rz_io_fd_size(core->io, fd);
     opt.obj_opts.baseaddr = baseaddr;
     RzBinFile *obf = rz_bin_cur(core->bin);
     RzBinFile *bf = rz_bin_open_io(core->bin, &opt);
     if (!bf) {
         rz_io_fd_close(core->io, fd);
         return false;
     }
     RzBinInfo *info = rz_bin_get_info(core->bin);
     if (!info) {
         goto fail;
     }
     char *pdb_path = rz_str_newf("%s\\ntdll.pdb\\%s\\ntdll.pdb",
         rz_config_get(core->config, "pdb.symstore"), info->guid);
     if (!pdb_path) {
         goto fail;
     }
     if (!rz_file_exists(pdb_path)) {
         // Download ntdll.pdb
         SPDBOptions opts;
         opts.extract = rz_config_get_i(core->config, "pdb.extract");
         opts.symbol_store_path = rz_config_get(core->config, "pdb.symstore");
         opts.symbol_server = rz_config_get(core->config, "pdb.server");
         if (rz_bin_pdb_download(core->bin, NULL, false, &opts)) {
             eprintf("Failed to download ntdll.pdb file\n");
             free(pdb_path);
             goto fail;
         }
     }
  
     // Get ntdll.dll PDB info and parse json output
     RzPdb *pdb = rz_bin_pdb_parse_from_file(pdb_path);
     if (!pdb) {
         free(pdb_path);
         goto fail;
     }
  
     free(pdb_path);
     ut64 baddr = rz_config_get_i(core->config, "bin.baddr");
     if (core->bin->cur && core->bin->cur->o && core->bin->cur->o->opts.baseaddr) {
         baddr = core->bin->cur->o->opts.baseaddr;
     } else {
         eprintf("Warning: Cannot find base address, flags will probably be misplaced\n");
     }
     PJ *pj = pj_new();
     if (!pj) {
         rz_bin_pdb_free(pdb);
         goto fail;
     }
     char *j = rz_core_bin_pdb_gvars_as_string(pdb, baddr, pj, RZ_OUTPUT_MODE_JSON);
     if (!j) {
         rz_bin_pdb_free(pdb);
         pj_free(pj);
         goto fail;
     }
     pj_free(pj);
     rz_bin_pdb_free(pdb);
     RzJson *json = rz_json_parse(j);
     if (!json) {
         RZ_LOG_ERROR("rz_core_pdb_info returned invalid JSON");
         free(j);
         goto fail;
     }
     free(j);
  
     // Go through gvars array and search for the heap globals symbols
     const RzJson *gvars = rz_json_get(json, "gvars");
     gvars = gvars->children.first;
     do {
         const RzJson *gdata_name = rz_json_get(gvars, "gdata_name");
         if (!strcmp(gdata_name->str_value, "RtlpHpHeapGlobals")) {
             const RzJson *address = rz_json_get(gvars, "address");
             RtlpHpHeapGlobalsOffset = address->num.u_value;
         } else if (!strcmp(gdata_name->str_value, "RtlpLFHKey")) {
             const RzJson *address = rz_json_get(gvars, "address");
             RtlpLFHKeyOffset = address->num.u_value;
         }
     } while ((gvars = gvars->next) && !has_heap_globals());
  
     free(json);
 fail:
     rz_bin_file_delete(core->bin, bf);
     rz_bin_file_set_cur_binfile(core->bin, obf);
     rz_io_fd_close(core->io, fd);
     return has_heap_globals();
 }

References baddr(), baseaddr, rz_bin_file_load_options_t::baseaddr, rz_core_t::bin, rz_json_t::children, rz_core_t::config, rz_core_bind_t::core, rz_debug_t::corebind, rz_bin_t::cur, dbg, eprintf, SPDBOptions::extract, fail, fd, found, free(), rz_bin_info_t::guid, has_heap_globals(), info(), rz_core_t::io, map(), regress::modules, rz_json_t::next, NULL, rz_json_t::num, rz_bin_file_t::o, rz_bin_object_t::opts, pj_free(), pj_new(), RtlpHpHeapGlobalsOffset, RtlpLFHKeyOffset, rz_bin_cur(), rz_bin_file_delete(), rz_bin_file_set_cur_binfile(), rz_bin_get_info(), rz_bin_open_io(), rz_bin_pdb_download(), rz_bin_pdb_free(), rz_bin_pdb_parse_from_file(), rz_config_get(), rz_config_get_i(), rz_core_bin_pdb_gvars_as_string(), rz_file_exists(), rz_io_fd_close(), rz_io_fd_open(), rz_io_fd_size(), rz_json_get(), rz_json_parse(), rz_list_free(), RZ_LOG_ERROR, RZ_OUTPUT_MODE_JSON, RZ_PERM_R, rz_str_newf(), rz_w32_dbg_modules(), rz_json_t::str_value, SPDBOptions::symbol_server, SPDBOptions::symbol_store_path, and ut64().

Referenced by GetLFHKey().

◆ GetLFHKey()

static bool GetLFHKey	(	RzDebug *	dbg,
		HANDLE	h_proc,
		bool	segment,
		WPARAM *	lfhKey
	)

static

Definition at line 393 of file windows_heap.c.

                                                                                  {
     rz_return_val_if_fail(dbg, 0);
     WPARAM lfhKeyLocation;
  
     if (!GetHeapGlobalsOffset(dbg, h_proc)) {
         *lfhKey = 0;
         return false;
     }
  
     if (segment) {
         lfhKeyLocation = RtlpHpHeapGlobalsOffset + sizeof(WPARAM);
     } else {
         lfhKeyLocation = RtlpLFHKeyOffset; // ntdll!RtlpLFHKey
     }
     if (!ReadProcessMemory(h_proc, (PVOID)lfhKeyLocation, lfhKey, sizeof(WPARAM), NULL)) {
         rz_sys_perror("ReadProcessMemory");
         eprintf("LFH key not found.\n");
         *lfhKey = 0;
         return false;
     }
     return true;
 }

References dbg, eprintf, GetHeapGlobalsOffset(), NULL, PVOID, RtlpHpHeapGlobalsOffset, RtlpLFHKeyOffset, rz_return_val_if_fail, and rz_sys_perror.

Referenced by GetHeapBlocks(), GetSingleBlock(), and GetSingleSegmentBlock().

◆ GetListOfHeaps()

static RzList* GetListOfHeaps	(	RzDebug *	dbg,
		HANDLE	ph
	)

static

Definition at line 462 of file windows_heap.c.

                                                        {
     PROCESS_BASIC_INFORMATION pib;
     if (w32_NtQueryInformationProcess(ph, ProcessBasicInformation, &pib, sizeof(pib), NULL)) {
         rz_sys_perror("NtQueryInformationProcess");
         return NULL;
     }
     PEB peb;
     ReadProcessMemory(ph, pib.PebBaseAddress, &peb, sizeof(PEB), NULL);
     RzList *heaps = rz_list_new();
     PVOID heapAddress;
     PVOID *processHeaps;
     ULONG numberOfHeaps;
     if (dbg->bits == RZ_SYS_BITS_64) {
         processHeaps = *((PVOID *)(((ut8 *)&peb) + 0xF0));
         numberOfHeaps = *((ULONG *)(((ut8 *)&peb) + 0xE8));
     } else {
         processHeaps = *((PVOID *)(((ut8 *)&peb) + 0x90));
         numberOfHeaps = *((ULONG *)(((ut8 *)&peb) + 0x88));
     }
     do {
         ReadProcessMemory(ph, processHeaps, &heapAddress, sizeof(PVOID), NULL);
         rz_list_push(heaps, heapAddress);
         processHeaps += 1;
     } while (--numberOfHeaps);
     return heaps;
 }

References rz_debug_t::bits, dbg, NULL, ph, PVOID, rz_list_new(), rz_list_push(), RZ_SYS_BITS_64, rz_sys_perror, and ULONG.

Referenced by InitHeapInfo().

◆ GetNextHeapBlock()

static bool GetNextHeapBlock	(	PDEBUG_HEAP_INFORMATION	heapInfo,
		PHeapBlock	hb
	)

static

Definition at line 208 of file windows_heap.c.

                                                                               {
     rz_return_val_if_fail(heapInfo && hb, false);
     PHeapBlockBasicInfo block;
  
     block = (PHeapBlockBasicInfo)heapInfo->Blocks;
     SIZE_T index = hb->index;
  
     if (index > heapInfo->BlockCount) {
         return false;
     }
  
     if (block[index].flags & 2) {
         do {
             if (index > heapInfo->BlockCount) {
                 return false;
             }
  
             // new address = curBlockAddress + Granularity;
             hb->dwAddress = block[index].address + heapInfo->Granularity;
  
             index++;
             hb->dwSize = block->size;
         } while (block[index].flags & 2);
         hb->index = index;
     } else {
         hb->dwSize = block[index].size;
         if (block[index].extra & EXTRA_FLAG) {
             PHeapBlockExtraInfo extra = (PHeapBlockExtraInfo)(block[index].extra & ~EXTRA_FLAG);
             hb->extraInfo = extra;
             hb->dwSize -= extra->unusedBytes;
             hb->dwAddress = block[index].address + extra->granularity;
         } else {
             hb->extraInfo = NULL;
             hb->dwAddress = (WPARAM)hb->dwAddress + hb->dwSize;
         }
         hb->index++;
     }
  
     WPARAM flags;
     if (block[index].extra & EXTRA_FLAG) {
         flags = block[index].flags;
     } else {
         flags = (USHORT)block[index].flags;
     }
     UPDATE_FLAGS(hb, flags);
  
     return true;
 }

References _HeapBlockBasicInfo::address, _DEBUG_HEAP_INFORMATION::BlockCount, _DEBUG_HEAP_INFORMATION::Blocks, _HeapBlock::dwAddress, _HeapBlock::dwSize, EXTRA_FLAG, _HeapBlock::extraInfo, flags, _HeapBlockBasicInfo::flags, _HeapBlockExtraInfo::granularity, _DEBUG_HEAP_INFORMATION::Granularity, if(), _HeapBlock::index, NULL, rz_return_val_if_fail, _HeapBlockBasicInfo::size, _HeapBlockExtraInfo::unusedBytes, and UPDATE_FLAGS.

Referenced by free_extra_info(), rz_heap_blocks_list(), and w32_list_heaps_blocks().

◆ GetSegmentHeapBlocks()

static bool GetSegmentHeapBlocks	(	RzDebug *	dbg,
		HANDLE	h_proc,
		PVOID	heapBase,
		PHeapBlockBasicInfo *	blocks,
		WPARAM *	count,
		SIZE_T *	allocated
	)

static

Definition at line 641 of file windows_heap.c.

                                                                                                                                              {
     rz_return_val_if_fail(h_proc && blocks && count && allocated, false);
     WPARAM bytesRead;
     SEGMENT_HEAP segheapHeader;
     ReadProcessMemory(h_proc, heapBase, &segheapHeader, sizeof(SEGMENT_HEAP), &bytesRead);
  
     if (segheapHeader.Signature != 0xddeeddee) {
         return false;
     }
     WPARAM lfhKey;
     WPARAM lfhKeyLocation = RtlpHpHeapGlobalsOffset + sizeof(WPARAM);
     if (!ReadProcessMemory(h_proc, (PVOID)lfhKeyLocation, &lfhKey, sizeof(WPARAM), &bytesRead)) {
         rz_sys_perror("ReadProcessMemory");
         eprintf("LFH key not found.\n");
         return false;
     }
  
     // LFH
     size_t numBuckets = _countof(segheapHeader.LfhContext.Buckets);
     int j;
     for (j = 0; j < numBuckets; j++) {
         if ((WPARAM)segheapHeader.LfhContext.Buckets[j] & 1) {
             continue;
         }
         HEAP_LFH_BUCKET bucket;
         ReadProcessMemory(h_proc, segheapHeader.LfhContext.Buckets[j], &bucket, sizeof(HEAP_LFH_BUCKET), &bytesRead);
         HEAP_LFH_AFFINITY_SLOT affinitySlot, *paffinitySlot;
         ReadProcessMemory(h_proc, bucket.AffinitySlots, &paffinitySlot, sizeof(PHEAP_LFH_AFFINITY_SLOT), &bytesRead);
         bucket.AffinitySlots++;
         ReadProcessMemory(h_proc, paffinitySlot, &affinitySlot, sizeof(HEAP_LFH_AFFINITY_SLOT), &bytesRead);
         WPARAM first = (WPARAM)paffinitySlot + offsetof(HEAP_LFH_SUBSEGMENT_OWNER, AvailableSubsegmentList);
         WPARAM next = (WPARAM)affinitySlot.State.AvailableSubsegmentList.Flink;
         if (!__lfh_segment_loop(h_proc, blocks, allocated, lfhKey, count, first, next)) {
             return false;
         }
         first = (WPARAM)paffinitySlot + offsetof(HEAP_LFH_SUBSEGMENT_OWNER, FullSubsegmentList);
         next = (WPARAM)affinitySlot.State.FullSubsegmentList.Flink;
         if (!__lfh_segment_loop(h_proc, blocks, allocated, lfhKey, count, first, next)) {
             return false;
         }
     }
  
     // Large Blocks
     if (segheapHeader.LargeAllocMetadata.Root) {
         PRTL_BALANCED_NODE node = malloc(sizeof(RTL_BALANCED_NODE));
         RzStack *s = rz_stack_new(segheapHeader.LargeReservedPages);
         PRTL_BALANCED_NODE curr = segheapHeader.LargeAllocMetadata.Root;
         do { // while (!rz_stack_is_empty(s));
             GROW_PBLOCKS();
             while (curr) {
                 rz_stack_push(s, curr);
                 ReadProcessMemory(h_proc, curr, node, sizeof(RTL_BALANCED_NODE), &bytesRead);
                 curr = node->Left;
             };
             curr = (PRTL_BALANCED_NODE)rz_stack_pop(s);
             HEAP_LARGE_ALLOC_DATA entry;
             ReadProcessMemory(h_proc, curr, &entry, sizeof(HEAP_LARGE_ALLOC_DATA), &bytesRead);
             (*blocks)[*count].address = entry.VirtualAddess - entry.UnusedBytes; // This is a union
             (*blocks)[*count].flags = 1 | SEGMENT_HEAP_BLOCK | LARGE_BLOCK;
             (*blocks)[*count].size = ((entry.AllocatedPages >> 12) << 12);
             PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
             if (!extra) {
                 return false;
             }
             extra->unusedBytes = entry.UnusedBytes;
             ReadProcessMemory(h_proc, (void *)(*blocks)[*count].address, &extra->granularity, sizeof(USHORT), &bytesRead);
             (*blocks)[*count].extra = EXTRA_FLAG | (WPARAM)extra;
             curr = entry.TreeNode.Right;
             *count += 1;
         } while (curr || !rz_stack_is_empty(s));
         rz_stack_free(s);
         free(node);
     }
  
     WPARAM RtlpHpHeapGlobal;
     ReadProcessMemory(h_proc, (PVOID)RtlpHpHeapGlobalsOffset, &RtlpHpHeapGlobal, sizeof(WPARAM), &bytesRead);
     // Backend Blocks (And VS)
     int i;
     for (i = 0; i < 2; i++) {
         HEAP_SEG_CONTEXT ctx = segheapHeader.SegContexts[i];
         WPARAM ctxFirstEntry = (WPARAM)heapBase + offsetof(SEGMENT_HEAP, SegContexts) + sizeof(HEAP_SEG_CONTEXT) * i + offsetof(HEAP_SEG_CONTEXT, SegmentListHead);
         HEAP_PAGE_SEGMENT pageSegment;
         WPARAM currPageSegment = (WPARAM)ctx.SegmentListHead.Flink;
         do {
             if (!ReadProcessMemory(h_proc, (PVOID)currPageSegment, &pageSegment, sizeof(HEAP_PAGE_SEGMENT), &bytesRead)) {
                 break;
             }
             for (WPARAM j = 2; j < 256; j++) {
                 if ((pageSegment.DescArray[j].RangeFlags &
                         (PAGE_RANGE_FLAGS_FIRST | PAGE_RANGE_FLAGS_ALLOCATED)) ==
                     (PAGE_RANGE_FLAGS_FIRST | PAGE_RANGE_FLAGS_ALLOCATED)) {
                     GROW_PBLOCKS();
                     (*blocks)[*count].address = currPageSegment + j * 0x1000;
                     (*blocks)[*count].size = (WPARAM)pageSegment.DescArray[j].UnitSize * 0x1000;
                     (*blocks)[*count].flags = SEGMENT_HEAP_BLOCK | BACKEND_BLOCK | 1;
                     PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
                     if (!extra) {
                         return false;
                     }
                     extra->segment = currPageSegment;
                     extra->unusedBytes = pageSegment.DescArray[j].UnusedBytes;
                     (*blocks)[*count].extra = EXTRA_FLAG | (WPARAM)extra;
                     *count += 1;
                 }
                 // Hack (i don't know if all blocks like this are VS or not)
                 if (pageSegment.DescArray[j].RangeFlags & 0xF && pageSegment.DescArray[j].UnusedBytes == 0x1000) {
                     HEAP_VS_SUBSEGMENT vsSubsegment;
                     WPARAM start, from = currPageSegment + j * 0x1000;
                     ReadProcessMemory(h_proc, (PVOID)from, &vsSubsegment, sizeof(HEAP_VS_SUBSEGMENT), &bytesRead);
                     // Walk through subsegment
                     start = from += sizeof(HEAP_VS_SUBSEGMENT);
                     while (from < (WPARAM)start + vsSubsegment.Size * sizeof(HEAP_VS_CHUNK_HEADER)) {
                         HEAP_VS_CHUNK_HEADER vsChunk;
                         ReadProcessMemory(h_proc, (PVOID)from, &vsChunk, sizeof(HEAP_VS_CHUNK_HEADER), &bytesRead);
                         vsChunk.Sizes.HeaderBits ^= from ^ RtlpHpHeapGlobal;
                         WPARAM sz = vsChunk.Sizes.UnsafeSize * sizeof(HEAP_VS_CHUNK_HEADER);
                         if (vsChunk.Sizes.Allocated) {
                             GROW_PBLOCKS();
                             (*blocks)[*count].address = from;
                             (*blocks)[*count].size = sz;
                             (*blocks)[*count].flags = VS_BLOCK | SEGMENT_HEAP_BLOCK | 1;
                             PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
                             if (!extra) {
                                 return false;
                             }
                             extra->granularity = sizeof(HEAP_VS_CHUNK_HEADER) * 2;
                             (*blocks)[*count].extra = EXTRA_FLAG | (WPARAM)extra;
                             *count += 1;
                         }
                         from += sz;
                     }
                 }
             }
             currPageSegment = (WPARAM)pageSegment.ListEntry.Flink;
         } while (currPageSegment && currPageSegment != ctxFirstEntry);
     }
     return true;
 }

References __lfh_segment_loop(), _HEAP_LFH_BUCKET::AffinitySlots, _HEAP_VS_CHUNK_HEADER_SIZE::Allocated, _HEAP_LFH_SUBSEGMENT_OWNER::AvailableSubsegmentList, BACKEND_BLOCK, blocks, _HEAP_LFH_CONTEXT::Buckets, count, _HEAP_PAGE_SEGMENT::DescArray, eprintf, EXTRA_FLAG, free(), from, _HEAP_LFH_SUBSEGMENT_OWNER::FullSubsegmentList, _HeapBlockExtraInfo::granularity, GROW_PBLOCKS, _HEAP_VS_CHUNK_HEADER_SIZE::HeaderBits, i, if(), LARGE_BLOCK, _SEGMENT_HEAP::LargeAllocMetadata, _SEGMENT_HEAP::LargeReservedPages, _RTL_BALANCED_NODE::Left, _SEGMENT_HEAP::LfhContext, _HEAP_PAGE_SEGMENT::ListEntry, malloc(), offsetof, PAGE_RANGE_FLAGS_ALLOCATED, PAGE_RANGE_FLAGS_FIRST, PVOID, _HEAP_PAGE_RANGE_DESCRIPTOR::RangeFlags, _RTL_RB_TREE::Root, RtlpHpHeapGlobalsOffset, RZ_NEW0, rz_return_val_if_fail, rz_stack_free(), rz_stack_is_empty(), rz_stack_new(), rz_stack_pop(), rz_stack_push(), rz_sys_perror, s, _SEGMENT_HEAP::SegContexts, _HeapBlockExtraInfo::segment, SEGMENT_HEAP_BLOCK, _SEGMENT_HEAP::Signature, _HEAP_VS_SUBSEGMENT::Size, _HEAP_VS_CHUNK_HEADER::Sizes, start, _HEAP_LFH_AFFINITY_SLOT::State, _HEAP_PAGE_RANGE_DESCRIPTOR::UnitSize, _HEAP_VS_CHUNK_HEADER_SIZE::UnsafeSize, _HEAP_PAGE_RANGE_DESCRIPTOR::UnusedBytes, _HeapBlockExtraInfo::unusedBytes, and VS_BLOCK.

Referenced by GetHeapBlocks().

◆ GetSingleBlock()

static PHeapBlock GetSingleBlock	(	RzDebug *	dbg,
		ut64	offset
	)

static

Definition at line 1112 of file windows_heap.c.

                                                             {
     PHeapBlock hb = RZ_NEW0(HeapBlock);
     PDEBUG_BUFFER db = NULL;
     PHeapBlockExtraInfo extra = NULL;
  
     if (!hb) {
         RZ_LOG_ERROR("GetSingleBlock: Allocation failed.\n");
         return NULL;
     }
     HANDLE h_proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dbg->pid);
     if (!h_proc) {
         rz_sys_perror("GetSingleBlock/OpenProcess");
         goto err;
     }
     db = InitHeapInfo(dbg, PDI_HEAPS);
     if (!db) {
         goto err;
     }
     extra = RZ_NEW0(HeapBlockExtraInfo);
     if (!extra) {
         RZ_LOG_ERROR("GetSingleBlock: Allocation failed.\n");
         goto err;
     }
     WPARAM NtLFHKey;
     GetLFHKey(dbg, h_proc, false, &NtLFHKey);
     PHeapInformation heapInfo = db->HeapInformation;
     int i;
     for (i = 0; i < heapInfo->count; i++) {
         DEBUG_HEAP_INFORMATION heap = heapInfo->heaps[i];
         if (is_segment_heap(h_proc, heap.Base)) {
             free(hb);
             RZ_FREE(extra);
             hb = GetSingleSegmentBlock(dbg, h_proc, heap.Base, offset);
             if (!hb) {
                 goto err;
             }
             break;
         } else {
             HEAP h;
             HEAP_ENTRY entry;
             WPARAM entryOffset = offset - heap.Granularity;
             if (!ReadProcessMemory(h_proc, heap.Base, &h, sizeof(HEAP), NULL) ||
                 !ReadProcessMemory(h_proc, (PVOID)entryOffset, &entry, sizeof(HEAP_ENTRY), NULL)) {
                 goto err;
             }
             extra->granularity = heap.Granularity;
             hb->extraInfo = extra;
             HEAP_ENTRY tmpEntry = entry;
             if (DecodeHeapEntry(dbg, &h, &tmpEntry)) {
                 entry = tmpEntry;
                 hb->dwAddress = offset;
                 UPDATE_FLAGS(hb, (DWORD)entry.Flags | NT_BLOCK);
                 if (entry.UnusedBytes == 0x4) {
                     HEAP_VIRTUAL_ALLOC_ENTRY largeEntry;
                     if (ReadProcessMemory(h_proc, (PVOID)(offset - sizeof(HEAP_VIRTUAL_ALLOC_ENTRY)), &largeEntry, sizeof(HEAP_VIRTUAL_ALLOC_ENTRY), NULL)) {
                         hb->dwSize = largeEntry.CommitSize;
                         hb->dwFlags |= LARGE_BLOCK;
                         extra->unusedBytes = largeEntry.ReserveSize - largeEntry.CommitSize;
                         extra->granularity = sizeof(HEAP_VIRTUAL_ALLOC_ENTRY);
                     }
                 } else {
                     hb->dwSize = (WPARAM)entry.Size * heap.Granularity;
                     hb->dwFlags |= BACKEND_BLOCK;
                 }
                 break;
             }
             // LFH
             if (entry.UnusedBytes & 0x80) {
                 tmpEntry = entry;
                 WPARAM userBlocksOffset;
                 if (dbg->bits == RZ_SYS_BITS_64) {
                     *(((WPARAM *)&tmpEntry) + 1) ^= PtrToInt(h.BaseAddress) ^ (entryOffset >> 0x4) ^ (DWORD)NtLFHKey;
                     userBlocksOffset = entryOffset - (USHORT)((*(((WPARAM *)&tmpEntry) + 1)) >> 0xC);
                 } else {
                     *((WPARAM *)&tmpEntry) ^= PtrToInt(h.BaseAddress) ^ ((DWORD)(entryOffset) >> 0x4) ^ (DWORD)NtLFHKey;
                     userBlocksOffset = entryOffset - (USHORT)(*((WPARAM *)&tmpEntry) >> 0xC);
                 }
                 // Confirm it is LFH
                 if (DecodeLFHEntry(dbg, &h, &entry, (PVOID)userBlocksOffset, NtLFHKey, entryOffset)) {
                     HEAP_USERDATA_HEADER UserBlocks;
                     HEAP_SUBSEGMENT subsegment;
                     if (!ReadProcessMemory(h_proc, (PVOID)userBlocksOffset, &UserBlocks, sizeof(HEAP_USERDATA_HEADER), NULL)) {
                         rz_sys_perror("GetSingleBlock/ReadProcessMemory");
                         continue;
                     }
                     if (!ReadProcessMemory(h_proc, (PVOID)UserBlocks.SubSegment, &subsegment, sizeof(HEAP_SUBSEGMENT), NULL)) {
                         continue;
                     }
                     hb->dwAddress = offset;
                     hb->dwSize = (WPARAM)subsegment.BlockSize * heap.Granularity;
                     hb->dwFlags = 1 | LFH_BLOCK | NT_BLOCK;
                     break;
                 }
             }
         }
     }
     if (!hb->dwSize) {
         goto err;
     }
     RtlDestroyQueryDebugBuffer(db);
     CloseHandle(h_proc);
     return hb;
 err:
     if (h_proc) {
         CloseHandle(h_proc);
     }
     if (db) {
         RtlDestroyQueryDebugBuffer(db);
     }
     free(hb);
     free(extra);
     return NULL;
 }

References BACKEND_BLOCK, rz_debug_t::bits, _HEAP_SUBSEGMENT::BlockSize, _HEAP_VIRTUAL_ALLOC_ENTRY::CommitSize, _HeapInformation::count, dbg, DecodeHeapEntry(), DecodeLFHEntry(), _HeapBlock::dwAddress, _HeapBlock::dwFlags, DWORD, _HeapBlock::dwSize, err, _HeapBlock::extraInfo, FALSE, free(), GetLFHKey(), GetSingleSegmentBlock(), _HeapBlockExtraInfo::granularity, h, HANDLE, _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, InitHeapInfo(), is_segment_heap(), LARGE_BLOCK, LFH_BLOCK, NT_BLOCK, NULL, PDI_HEAPS, rz_debug_t::pid, PVOID, _HEAP_VIRTUAL_ALLOC_ENTRY::ReserveSize, RZ_FREE, RZ_LOG_ERROR, RZ_NEW0, RZ_SYS_BITS_64, rz_sys_perror, _HEAP_USERDATA_HEADER::SubSegment, _HeapBlockExtraInfo::unusedBytes, and UPDATE_FLAGS.

Referenced by rz_heap_debug_block_win().

◆ GetSingleSegmentBlock()

static PHeapBlock GetSingleSegmentBlock	(	RzDebug *	dbg,
		HANDLE	h_proc,
		PSEGMENT_HEAP	heapBase,
		WPARAM	offset
	)

static

Definition at line 1009 of file windows_heap.c.

                                                                                                             {
     // TODO:
     // - Backend (Is this needed?)
     PHeapBlock hb = RZ_NEW0(HeapBlock);
     if (!hb) {
         RZ_LOG_ERROR("GetSingleSegmentBlock: Allocation failed.\n");
         return NULL;
     }
     PHeapBlockExtraInfo extra = RZ_NEW0(HeapBlockExtraInfo);
     if (!extra) {
         RZ_LOG_ERROR("GetSingleSegmentBlock: Allocation failed.\n");
         goto err;
     }
     hb->extraInfo = extra;
     extra->heap = (WPARAM)heapBase;
     WPARAM granularity = (WPARAM)dbg->bits * 2;
     WPARAM headerOff = offset - granularity;
     SEGMENT_HEAP heap;
     ReadProcessMemory(h_proc, heapBase, &heap, sizeof(SEGMENT_HEAP), NULL);
     WPARAM RtlpHpHeapGlobal;
     ReadProcessMemory(h_proc, (PVOID)RtlpHpHeapGlobalsOffset, &RtlpHpHeapGlobal, sizeof(WPARAM), NULL);
  
     WPARAM pgSegOff = headerOff & heap.SegContexts[0].SegmentMask;
     WPARAM segSignature;
     ReadProcessMemory(h_proc, (PVOID)(pgSegOff + sizeof(LIST_ENTRY)), &segSignature, sizeof(WPARAM), NULL); // HEAP_PAGE_SEGMENT.Signature
     WPARAM test = RtlpHpHeapGlobal ^ pgSegOff ^ segSignature ^ ((WPARAM)heapBase + offsetof(SEGMENT_HEAP, SegContexts));
     if (test == 0xa2e64eada2e64ead) { // Hardcoded in ntdll
         HEAP_PAGE_SEGMENT segment;
         ReadProcessMemory(h_proc, (PVOID)pgSegOff, &segment, sizeof(HEAP_PAGE_SEGMENT), NULL);
         WPARAM pgRangeDescOff = ((headerOff - pgSegOff) >> heap.SegContexts[0].UnitShift) << 5;
         WPARAM pageIndex = pgRangeDescOff / sizeof(HEAP_PAGE_RANGE_DESCRIPTOR);
         if (!(segment.DescArray[pageIndex].RangeFlags & PAGE_RANGE_FLAGS_FIRST)) {
             pageIndex -= segment.DescArray[pageIndex].UnitOffset;
         }
         // VS
         WPARAM subsegmentOffset = pgSegOff + pageIndex * 0x1000;
         if (segment.DescArray[pageIndex].RangeFlags & 0xF && segment.DescArray[pageIndex].UnusedBytes == 0x1000) {
             HEAP_VS_SUBSEGMENT subsegment;
             ReadProcessMemory(h_proc, (PVOID)subsegmentOffset, &subsegment, sizeof(HEAP_VS_SUBSEGMENT), NULL);
             if ((subsegment.Size ^ 0x2BED) == subsegment.Signature) {
                 HEAP_VS_CHUNK_HEADER header;
                 ReadProcessMemory(h_proc, (PVOID)(headerOff - sizeof(HEAP_VS_CHUNK_HEADER)), &header, sizeof(HEAP_VS_CHUNK_HEADER), NULL);
                 header.Sizes.HeaderBits ^= RtlpHpHeapGlobal ^ headerOff;
                 hb->dwAddress = offset;
                 hb->dwSize = header.Sizes.UnsafeSize * sizeof(HEAP_VS_CHUNK_HEADER);
                 hb->dwFlags = 1 | SEGMENT_HEAP_BLOCK | VS_BLOCK;
                 extra->granularity = granularity + sizeof(HEAP_VS_CHUNK_HEADER);
                 extra->segment = subsegmentOffset;
                 return hb;
             }
         }
         // LFH
         if (segment.DescArray[pageIndex].RangeFlags & PAGE_RANGE_FLAGS_LFH_SUBSEGMENT) {
             HEAP_LFH_SUBSEGMENT subsegment;
             ReadProcessMemory(h_proc, (PVOID)subsegmentOffset, &subsegment, sizeof(HEAP_LFH_SUBSEGMENT), NULL);
             WPARAM lfhKey;
             GetLFHKey(dbg, h_proc, true, &lfhKey);
             subsegment.BlockOffsets.EncodedData ^= (DWORD)lfhKey ^ ((DWORD)subsegmentOffset >> 0xC);
             hb->dwAddress = offset;
             hb->dwSize = subsegment.BlockOffsets.BlockSize;
             hb->dwFlags = 1 | SEGMENT_HEAP_BLOCK | LFH_BLOCK;
             extra->granularity = granularity;
             extra->segment = subsegmentOffset;
             return hb;
         }
     }
  
     // Try Large Blocks
     if ((offset & 0xFFFF) < 0x100) {
         if (!heap.LargeAllocMetadata.Root) {
             goto err;
         }
         RTL_BALANCED_NODE node;
         WPARAM curr = (WPARAM)heap.LargeAllocMetadata.Root;
         ReadProcessMemory(h_proc, (PVOID)curr, &node, sizeof(RTL_BALANCED_NODE), NULL);
  
         while (curr) {
             HEAP_LARGE_ALLOC_DATA entry;
             ReadProcessMemory(h_proc, (PVOID)curr, &entry, sizeof(HEAP_LARGE_ALLOC_DATA), NULL);
             WPARAM VirtualAddess = entry.VirtualAddess - entry.UnusedBytes;
             if ((offset & ~0xFFFFULL) > VirtualAddess) {
                 curr = (WPARAM)node.Right;
             } else if ((offset & ~0xFFFFULL) < VirtualAddess) {
                 curr = (WPARAM)node.Left;
             } else {
                 hb->dwAddress = VirtualAddess;
                 hb->dwSize = ((entry.AllocatedPages >> 12) << 12) - entry.UnusedBytes;
                 hb->dwFlags = SEGMENT_HEAP_BLOCK | LARGE_BLOCK | 1;
                 extra->unusedBytes = entry.UnusedBytes;
                 ReadProcessMemory(h_proc, (PVOID)hb->dwAddress, &extra->granularity, sizeof(USHORT), NULL);
                 return hb;
             }
             if (curr) {
                 ReadProcessMemory(h_proc, (PVOID)curr, &node, sizeof(RTL_BALANCED_NODE), NULL);
             }
         }
     }
 err:
     free(hb);
     free(extra);
     return NULL;
 }

References rz_debug_t::bits, _HEAP_LFH_SUBSEGMENT::BlockOffsets, _HEAP_LFH_SUBSEGMENT_ENCODED_OFFSETS::BlockSize, dbg, _HEAP_PAGE_SEGMENT::DescArray, _HeapBlock::dwAddress, _HeapBlock::dwFlags, DWORD, _HeapBlock::dwSize, _HEAP_LFH_SUBSEGMENT_ENCODED_OFFSETS::EncodedData, err, _HeapBlock::extraInfo, free(), GetLFHKey(), _HeapBlockExtraInfo::granularity, header, _HeapBlockExtraInfo::heap, LARGE_BLOCK, _RTL_BALANCED_NODE::Left, LFH_BLOCK, NULL, offsetof, PAGE_RANGE_FLAGS_FIRST, PAGE_RANGE_FLAGS_LFH_SUBSEGMENT, PVOID, _HEAP_PAGE_RANGE_DESCRIPTOR::RangeFlags, _RTL_BALANCED_NODE::Right, RtlpHpHeapGlobalsOffset, RZ_LOG_ERROR, RZ_NEW0, _HeapBlockExtraInfo::segment, SEGMENT_HEAP_BLOCK, _HEAP_VS_SUBSEGMENT::Signature, _HEAP_VS_SUBSEGMENT::Size, _HEAP_PAGE_RANGE_DESCRIPTOR::UnitOffset, _HEAP_PAGE_RANGE_DESCRIPTOR::UnusedBytes, _HeapBlockExtraInfo::unusedBytes, and VS_BLOCK.

Referenced by GetSingleBlock().

◆ has_heap_globals()

static bool has_heap_globals ( void )

inlinestatic

Definition at line 267 of file windows_heap.c.

                                           {
     return RtlpHpHeapGlobalsOffset && RtlpLFHKeyOffset;
 }

References RtlpHpHeapGlobalsOffset, and RtlpLFHKeyOffset.

Referenced by GetHeapGlobalsOffset().

◆ InitHeapInfo()

static PDEBUG_BUFFER InitHeapInfo	(	RzDebug *	dbg,
		DWORD	mask
	)

static

Definition at line 496 of file windows_heap.c.

                                                             {
     // Check:
     //  RtlpQueryProcessDebugInformationFromWow64
     //  RtlpQueryProcessDebugInformationRemote
     PDEBUG_BUFFER db = RtlCreateQueryDebugBuffer(0, FALSE);
     if (!db) {
         return NULL;
     }
     th_query_params *params = RZ_NEW0(th_query_params);
     if (!params) {
         RtlDestroyQueryDebugBuffer(db);
         return NULL;
     }
     *params = (th_query_params){ dbg, mask, db, 0, false, false };
     HANDLE th = CreateThread(NULL, 0, &__th_QueryDebugBuffer, params, 0, NULL);
     if (th) {
         WaitForSingleObject(th, 5000);
     } else {
         RtlDestroyQueryDebugBuffer(db);
         return NULL;
     }
     if (!params->fin) {
         // why after it fails the first time it blocks on the second? That's annoying
         // It stops blocking if i pause rizin in the debugger. is it a race?
         // why it fails with 1000000 allocs? also with processes with segment heap enabled?
         params->hanged = true;
         eprintf("RtlQueryProcessDebugInformation hanged\n");
         db = NULL;
     } else if (params->ret) {
         RtlDestroyQueryDebugBuffer(db);
         db = NULL;
         rz_sys_perror("RtlQueryProcessDebugInformation");
     }
     CloseHandle(th);
     if (db) {
         return db;
     }
  
     // TODO: Not do this
     if (mask == PDI_HEAPS && __is_windows_ten()) {
         db = RtlCreateQueryDebugBuffer(0, FALSE);
         if (!db) {
             return NULL;
         }
         PHeapInformation heapInfo = RZ_NEW0(HeapInformation);
         if (!heapInfo) {
             RtlDestroyQueryDebugBuffer(db);
             return NULL;
         }
         HANDLE h_proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dbg->pid);
         if (!h_proc) {
             RZ_LOG_ERROR("OpenProcess failed\n");
             free(heapInfo);
             RtlDestroyQueryDebugBuffer(db);
             return NULL;
         }
         RzList *heaps = GetListOfHeaps(dbg, h_proc);
         CloseHandle(h_proc);
         heapInfo->count = heaps->length;
         void *tmp = realloc(heapInfo, sizeof(DEBUG_HEAP_INFORMATION) * heapInfo->count + sizeof(heapInfo));
         if (!tmp) {
             free(heapInfo);
             RtlDestroyQueryDebugBuffer(db);
             return NULL;
         }
         heapInfo = tmp;
         int i = 0;
         RzListIter *it;
         void *heapBase;
         rz_list_foreach (heaps, it, heapBase) {
             heapInfo->heaps[i].Base = heapBase;
             heapInfo->heaps[i].Granularity = sizeof(HEAP_ENTRY);
             heapInfo->heaps[i].Allocated = 0;
             heapInfo->heaps[i].Committed = 0;
             i++;
         }
         db->HeapInformation = heapInfo;
         rz_list_free(heaps);
         return db;
     }
     return NULL;
 }

References __is_windows_ten(), __th_QueryDebugBuffer(), _DEBUG_HEAP_INFORMATION::Allocated, _DEBUG_HEAP_INFORMATION::Base, _DEBUG_HEAP_INFORMATION::Committed, _HeapInformation::count, dbg, eprintf, FALSE, _th_query_params::fin, free(), GetListOfHeaps(), _DEBUG_HEAP_INFORMATION::Granularity, HANDLE, _th_query_params::hanged, _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, rz_list_t::length, mask, NULL, PDI_HEAPS, rz_debug_t::pid, realloc(), _th_query_params::ret, rz_list_free(), RZ_LOG_ERROR, RZ_NEW0, rz_sys_perror, and autogen_x86imm::tmp.

Referenced by GetHeapBlocks(), GetSingleBlock(), rz_heap_blocks_list(), rz_heap_list(), rz_heap_list_w32(), and w32_list_heaps_blocks().

◆ initialize_windows_ntdll_query_api_functions()

static bool initialize_windows_ntdll_query_api_functions ( void )

static

Definition at line 137 of file windows_heap.c.

                                                                {
     HANDLE ntdll = LoadLibrary(TEXT("ntdll.dll"));
     if (!ntdll) {
         return false;
     }
     if (!RtlCreateQueryDebugBuffer) {
         RtlCreateQueryDebugBuffer = (PDEBUG_BUFFER(NTAPI *)(DWORD, BOOLEAN))GetProcAddress(ntdll, "RtlCreateQueryDebugBuffer");
     }
     if (!RtlQueryProcessDebugInformation) {
         RtlQueryProcessDebugInformation = (NTSTATUS(NTAPI *)(DWORD, DWORD, PDEBUG_BUFFER))GetProcAddress(ntdll, "RtlQueryProcessDebugInformation");
     }
     if (!RtlDestroyQueryDebugBuffer) {
         RtlDestroyQueryDebugBuffer = (NTSTATUS(NTAPI *)(PDEBUG_BUFFER))GetProcAddress(ntdll, "RtlDestroyQueryDebugBuffer");
     }
     if (!w32_NtQueryInformationProcess) {
         w32_NtQueryInformationProcess = (NTSTATUS(NTAPI *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(ntdll, "NtQueryInformationProcess");
     }
     return true;
 }

References DWORD, HANDLE, PULONG, PVOID, and ULONG.

Referenced by rz_heap_blocks_list(), rz_heap_debug_block_win(), rz_heap_list(), and rz_heap_list_w32().

◆ is_segment_heap()

static bool is_segment_heap	(	HANDLE	h_proc,
		PVOID	heapBase
	)

static

Definition at line 157 of file windows_heap.c.

                                                            {
     HEAP heap;
     if (ReadProcessMemory(h_proc, heapBase, &heap, sizeof(HEAP), NULL)) {
         if (heap.SegmentSignature == 0xddeeddee) {
             return true;
         }
     }
     return false;
 }

References NULL.

Referenced by GetSingleBlock().

◆ rz_heap_blocks_list()

RZ_IPI RzList* rz_heap_blocks_list ( RzCore * core )

Definition at line 1412 of file windows_heap.c.

                                                  {
     initialize_windows_ntdll_query_api_functions();
     DWORD pid = core->dbg->pid;
     PDEBUG_BUFFER db;
     RzList *blocks_list = rz_list_newf(free);
     if (__is_windows_ten()) {
         db = GetHeapBlocks(pid, core->dbg);
     } else {
         db = InitHeapInfo(core->dbg, PDI_HEAPS | PDI_HEAP_BLOCKS);
     }
     if (!db) {
         eprintf("Couldn't get heap info.\n");
         return blocks_list;
     }
  
     PHeapInformation heapInfo = db->HeapInformation;
     CHECK_INFO_RETURN_NULL(heapInfo);
     HeapBlock *block = malloc(sizeof(HeapBlock));
     for (int i = 0; i < heapInfo->count; i++) {
         bool go = true;
         char *type;
         if (GetFirstHeapBlock(&heapInfo->heaps[i], block) & go) {
             do {
                 type = get_type(block->dwFlags);
                 if (!type) {
                     type = "";
                 }
                 ut64 granularity = block->extraInfo ? block->extraInfo->granularity : heapInfo->heaps[i].Granularity;
                 ut64 address = (ut64)block->dwAddress - granularity;
                 ut64 unusedBytes = block->extraInfo ? block->extraInfo->unusedBytes : 0;
  
                 // add blocks to list
                 RzWindowsHeapBlock *heap_block = RZ_NEW0(RzWindowsHeapBlock);
                 if (!heap_block) {
                     rz_list_free(blocks_list);
                     RtlDestroyQueryDebugBuffer(db);
                     return NULL;
                 }
                 heap_block->headerAddress = address;
                 heap_block->userAddress = (ut64)block->dwAddress;
                 heap_block->size = block->dwSize;
                 strcpy(heap_block->type, type);
                 heap_block->unusedBytes = unusedBytes;
                 heap_block->granularity = granularity;
  
                 rz_list_append(blocks_list, heap_block);
             } while (GetNextHeapBlock(&heapInfo->heaps[i], block));
         }
         if (!(db->InfoClassMask & PDI_HEAP_BLOCKS)) {
             // RtlDestroyQueryDebugBuffer wont free this for some reason
             free_extra_info(&heapInfo->heaps[i]);
             RZ_FREE(heapInfo->heaps[i].Blocks);
         }
     }
     RtlDestroyQueryDebugBuffer(db);
     return blocks_list;
 }

References __is_windows_ten(), _DEBUG_HEAP_INFORMATION::Blocks, CHECK_INFO_RETURN_NULL, _HeapInformation::count, rz_core_t::dbg, _HeapBlock::dwAddress, _HeapBlock::dwFlags, DWORD, _HeapBlock::dwSize, eprintf, _HeapBlock::extraInfo, free(), free_extra_info(), get_type(), GetFirstHeapBlock(), GetHeapBlocks(), GetNextHeapBlock(), _HeapBlockExtraInfo::granularity, _DEBUG_HEAP_INFORMATION::Granularity, _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, _DEBUG_BUFFER::InfoClassMask, InitHeapInfo(), initialize_windows_ntdll_query_api_functions(), malloc(), NULL, PDI_HEAP_BLOCKS, PDI_HEAPS, rz_debug_t::pid, pid, RZ_FREE, rz_list_append(), rz_list_free(), rz_list_newf(), RZ_NEW0, type, _HeapBlockExtraInfo::unusedBytes, and ut64().

◆ rz_heap_debug_block_win()

RZ_IPI void rz_heap_debug_block_win	(	RzCore *	core,
		const char *	addr,
		RzOutputMode	mode,
		bool	flag
	)

Definition at line 1370 of file windows_heap.c.

                                                                                                   {
     initialize_windows_ntdll_query_api_functions();
     ut64 off = 0;
     if (!addr) {
         w32_list_heaps_blocks(core, mode, flag);
         return;
     }
  
     off = rz_num_math(core->num, addr);
     PHeapBlock hb = GetSingleBlock(core->dbg, off);
     if (!hb) {
         return;
     }
     ut64 granularity = hb->extraInfo->granularity;
     char *type = get_type(hb->dwFlags);
     if (!type) {
         type = "";
     }
     PJ *pj = pj_new();
     RzTable *tbl = __new_heapblock_tbl();
     ut64 headerAddr = off - granularity;
     if (mode == RZ_OUTPUT_MODE_STANDARD) {
         rz_table_add_rowf(tbl, "xxnnns", headerAddr, off, (ut64)hb->dwSize, granularity, (ut64)hb->extraInfo->unusedBytes, type);
         rz_cons_println(rz_table_tostring(tbl));
     } else if (mode == RZ_OUTPUT_MODE_JSON) {
         pj_o(pj);
         pj_kN(pj, "header_address", headerAddr);
         pj_kN(pj, "user_address", off);
         pj_ks(pj, "type", type);
         pj_kN(pj, "size", hb->dwSize);
         if (hb->extraInfo->unusedBytes) {
             pj_kN(pj, "unused", hb->extraInfo->unusedBytes);
         }
         pj_end(pj);
         rz_cons_println(pj_string(pj));
     }
     free(hb->extraInfo);
     free(hb);
     rz_table_free(tbl);
     pj_free(pj);
 }

References __new_heapblock_tbl(), addr, rz_core_t::dbg, _HeapBlock::dwFlags, _HeapBlock::dwSize, _HeapBlock::extraInfo, free(), get_type(), GetSingleBlock(), _HeapBlockExtraInfo::granularity, initialize_windows_ntdll_query_api_functions(), rz_core_t::num, off, pj_end(), pj_free(), pj_kN(), pj_ks(), pj_new(), pj_o(), pj_string(), rz_cons_println(), rz_num_math(), RZ_OUTPUT_MODE_JSON, RZ_OUTPUT_MODE_STANDARD, rz_table_add_rowf(), rz_table_free(), rz_table_tostring(), type, _HeapBlockExtraInfo::unusedBytes, ut64(), and w32_list_heaps_blocks().

◆ rz_heap_list()

RZ_IPI RzList* rz_heap_list ( RzCore * core )

Definition at line 1470 of file windows_heap.c.

                                           {
     initialize_windows_ntdll_query_api_functions();
     ULONG pid = core->dbg->pid;
     PDEBUG_BUFFER db = InitHeapInfo(core->dbg, PDI_HEAPS | PDI_HEAP_BLOCKS);
     if (!db) {
         if (__is_windows_ten()) {
             db = GetHeapBlocks(pid, core->dbg);
         }
         if (!db) {
             eprintf("Couldn't get heap info.\n");
             return NULL;
         }
     }
  
     RzList *heaps_list = rz_list_newf(free);
     PHeapInformation heapInfo = db->HeapInformation;
     CHECK_INFO_RETURN_NULL(heapInfo);
     for (int i = 0; i < heapInfo->count; i++) {
         DEBUG_HEAP_INFORMATION heap = heapInfo->heaps[i];
         // add heaps to list
         RzWindowsHeapInfo *rzHeapInfo = RZ_NEW0(RzWindowsHeapInfo);
         if (!rzHeapInfo) {
             rz_list_free(heaps_list);
             RtlDestroyQueryDebugBuffer(db);
             return NULL;
         }
         rzHeapInfo->base = (ut64)heap.Base;
         rzHeapInfo->blockCount = (ut64)heap.BlockCount;
         rzHeapInfo->allocated = (ut64)heap.Allocated;
         rzHeapInfo->committed = (ut64)heap.Committed;
  
         rz_list_append(heaps_list, rzHeapInfo);
  
         if (!(db->InfoClassMask & PDI_HEAP_BLOCKS)) {
             free_extra_info(&heap);
             RZ_FREE(heap.Blocks);
         }
     }
  
     RtlDestroyQueryDebugBuffer(db);
     return heaps_list;
 }

References __is_windows_ten(), rz_heap_info::allocated, rz_heap_info::base, rz_heap_info::blockCount, CHECK_INFO_RETURN_NULL, rz_heap_info::committed, _HeapInformation::count, rz_core_t::dbg, eprintf, free(), free_extra_info(), GetHeapBlocks(), _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, _DEBUG_BUFFER::InfoClassMask, InitHeapInfo(), initialize_windows_ntdll_query_api_functions(), NULL, PDI_HEAP_BLOCKS, PDI_HEAPS, rz_debug_t::pid, pid, RZ_FREE, rz_list_append(), rz_list_free(), rz_list_newf(), RZ_NEW0, ULONG, and ut64().

◆ rz_heap_list_w32()

RZ_IPI void rz_heap_list_w32	(	RzCore *	core,
		RzOutputMode	mode
	)

Definition at line 1237 of file windows_heap.c.

                                                               {
     initialize_windows_ntdll_query_api_functions();
     ULONG pid = core->dbg->pid;
     PDEBUG_BUFFER db = InitHeapInfo(core->dbg, PDI_HEAPS | PDI_HEAP_BLOCKS);
     if (!db) {
         if (__is_windows_ten()) {
             db = GetHeapBlocks(pid, core->dbg);
         }
         if (!db) {
             eprintf("Couldn't get heap info.\n");
             return;
         }
     }
     PHeapInformation heapInfo = db->HeapInformation;
     CHECK_INFO(heapInfo);
     int i;
     RzTable *tbl = rz_table_new();
     rz_table_add_column(tbl, rz_table_type("number"), "Address", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "Blocks", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "Allocated", -1);
     rz_table_add_column(tbl, rz_table_type("number"), "Commited", -1);
     PJ *pj = pj_new();
     pj_a(pj);
     for (i = 0; i < heapInfo->count; i++) {
         DEBUG_HEAP_INFORMATION heap = heapInfo->heaps[i];
         if (mode == RZ_OUTPUT_MODE_JSON) {
             pj_o(pj);
             pj_kN(pj, "address", (ut64)heap.Base);
             pj_kN(pj, "count", (ut64)heap.BlockCount);
             pj_kN(pj, "allocated", (ut64)heap.Allocated);
             pj_kN(pj, "committed", (ut64)heap.Committed);
             pj_end(pj);
         } else {
             rz_table_add_rowf(tbl, "xnnn", (ut64)heap.Base, (ut64)heap.BlockCount, (ut64)heap.Allocated, (ut64)heap.Committed);
         }
         if (!(db->InfoClassMask & PDI_HEAP_BLOCKS)) {
             free_extra_info(&heap);
             RZ_FREE(heap.Blocks);
         }
     }
     if (mode == RZ_OUTPUT_MODE_JSON) {
         pj_end(pj);
         rz_cons_println(pj_string(pj));
     } else {
         rz_cons_println(rz_table_tostring(tbl));
     }
     rz_table_free(tbl);
     pj_free(pj);
     RtlDestroyQueryDebugBuffer(db);
 }

References __is_windows_ten(), CHECK_INFO, _HeapInformation::count, rz_core_t::dbg, eprintf, free_extra_info(), GetHeapBlocks(), _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, _DEBUG_BUFFER::InfoClassMask, InitHeapInfo(), initialize_windows_ntdll_query_api_functions(), PDI_HEAP_BLOCKS, PDI_HEAPS, rz_debug_t::pid, pid, pj_a(), pj_end(), pj_free(), pj_kN(), pj_new(), pj_o(), pj_string(), rz_cons_println(), RZ_FREE, RZ_OUTPUT_MODE_JSON, rz_table_add_column(), rz_table_add_rowf(), rz_table_free(), rz_table_new(), rz_table_tostring(), rz_table_type(), ULONG, and ut64().

◆ w32_list_heaps_blocks()

static void w32_list_heaps_blocks	(	RzCore *	core,
		RzOutputMode	mode,
		bool	flag
	)

static

Definition at line 1288 of file windows_heap.c.

                                                                               {
     DWORD pid = core->dbg->pid;
     PDEBUG_BUFFER db;
     if (__is_windows_ten()) {
         db = GetHeapBlocks(pid, core->dbg);
     } else {
         db = InitHeapInfo(core->dbg, PDI_HEAPS | PDI_HEAP_BLOCKS);
     }
     if (!db) {
         eprintf("Couldn't get heap info.\n");
         return;
     }
     PHeapInformation heapInfo = db->HeapInformation;
     CHECK_INFO(heapInfo);
     HeapBlock *block = malloc(sizeof(HeapBlock));
     int i;
     RzTable *tbl = __new_heapblock_tbl();
     PJ *pj = pj_new();
     pj_a(pj);
     for (i = 0; i < heapInfo->count; i++) {
         bool go = true;
         if (flag) {
             if (heapInfo->heaps[i].BlockCount > 50000) {
                 go = rz_cons_yesno('n', "Are you sure you want to add %lu flags? (y/N)", heapInfo->heaps[i].BlockCount);
             }
         } else if (mode == RZ_OUTPUT_MODE_JSON) {
             pj_o(pj);
             pj_kN(pj, "heap", (WPARAM)heapInfo->heaps[i].Base);
             pj_k(pj, "blocks");
             pj_a(pj);
         }
  
         char *type;
         if (GetFirstHeapBlock(&heapInfo->heaps[i], block) & go) {
             do {
                 type = get_type(block->dwFlags);
                 if (!type) {
                     type = "";
                 }
                 ut64 granularity = block->extraInfo ? block->extraInfo->granularity : heapInfo->heaps[i].Granularity;
                 ut64 address = (ut64)block->dwAddress - granularity;
                 ut64 unusedBytes = block->extraInfo ? block->extraInfo->unusedBytes : 0;
                 if (flag) {
                     char *name = rz_str_newf("alloc.%" PFMT64x "", address);
                     if (!rz_flag_set(core->flags, name, address, block->dwSize)) {
                         eprintf("Flag couldn't be set for block at 0x%" PFMT64x, address);
                     }
                     free(name);
                 } else if (mode == RZ_OUTPUT_MODE_JSON) {
                     pj_o(pj);
                     pj_kN(pj, "header_address", address);
                     pj_kN(pj, "user_address", (ut64)block->dwAddress);
                     pj_kN(pj, "unused", unusedBytes);
                     pj_kN(pj, "size", block->dwSize);
                     pj_ks(pj, "type", type);
                     pj_end(pj);
                 } else {
                     rz_table_add_rowf(tbl, "xxnnns", address, (ut64)block->dwAddress, block->dwSize, granularity, unusedBytes, type);
                 }
             } while (GetNextHeapBlock(&heapInfo->heaps[i], block));
         }
         if (mode == RZ_OUTPUT_MODE_JSON) {
             pj_end(pj);
             pj_end(pj);
         }
         if (!(db->InfoClassMask & PDI_HEAP_BLOCKS)) {
             // RtlDestroyQueryDebugBuffer wont free this for some reason
             free_extra_info(&heapInfo->heaps[i]);
             RZ_FREE(heapInfo->heaps[i].Blocks);
         }
     }
     if (mode == RZ_OUTPUT_MODE_JSON) {
         pj_end(pj);
         rz_cons_println(pj_string(pj));
     } else if (!flag) {
         rz_cons_println(rz_table_tostring(tbl));
     }
     rz_table_free(tbl);
     pj_free(pj);
     RtlDestroyQueryDebugBuffer(db);
 }

References __is_windows_ten(), __new_heapblock_tbl(), _DEBUG_HEAP_INFORMATION::Base, _DEBUG_HEAP_INFORMATION::BlockCount, _DEBUG_HEAP_INFORMATION::Blocks, CHECK_INFO, _HeapInformation::count, rz_core_t::dbg, _HeapBlock::dwAddress, _HeapBlock::dwFlags, DWORD, _HeapBlock::dwSize, eprintf, _HeapBlock::extraInfo, rz_core_t::flags, free(), free_extra_info(), get_type(), GetFirstHeapBlock(), GetHeapBlocks(), GetNextHeapBlock(), _HeapBlockExtraInfo::granularity, _DEBUG_HEAP_INFORMATION::Granularity, _DEBUG_BUFFER::HeapInformation, _HeapInformation::heaps, i, if(), _DEBUG_BUFFER::InfoClassMask, InitHeapInfo(), malloc(), PDI_HEAP_BLOCKS, PDI_HEAPS, PFMT64x, rz_debug_t::pid, pid, pj_a(), pj_end(), pj_free(), pj_k(), pj_kN(), pj_ks(), pj_new(), pj_o(), pj_string(), rz_cons_println(), rz_cons_yesno(), rz_flag_set(), RZ_FREE, RZ_OUTPUT_MODE_JSON, rz_str_newf(), rz_table_add_rowf(), rz_table_free(), rz_table_tostring(), type, _HeapBlockExtraInfo::unusedBytes, and ut64().

Referenced by rz_heap_debug_block_win().

Variable Documentation

◆ RtlpHpHeapGlobalsOffset

size_t RtlpHpHeapGlobalsOffset = 0

static

Definition at line 58 of file windows_heap.c.

Referenced by GetHeapGlobalsOffset(), GetLFHKey(), GetSegmentHeapBlocks(), GetSingleSegmentBlock(), and has_heap_globals().

◆ RtlpLFHKeyOffset

size_t RtlpLFHKeyOffset = 0

static

Definition at line 59 of file windows_heap.c.

Referenced by GetHeapGlobalsOffset(), GetLFHKey(), and has_heap_globals().

Classes

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ CHECK_INFO

◆ CHECK_INFO_RETURN_NULL

◆ GROW_BLOCKS

◆ GROW_PBLOCKS

◆ PDI_HEAP_BLOCKS

◆ PDI_HEAP_ENTRIES_EX

◆ PDI_HEAP_TAGS

◆ PDI_HEAPS

◆ PDI_MODULES

◆ UPDATE_FLAGS

Typedef Documentation

◆ th_query_params

Function Documentation

◆ __is_windows_ten()

◆ __lfh_segment_loop()

◆ __new_heapblock_tbl()

◆ __th_QueryDebugBuffer()

◆ DecodeHeapEntry()

◆ DecodeLFHEntry()

◆ free_extra_info()

◆ get_type()

◆ GetFirstHeapBlock()

◆ GetHeapBlocks()

◆ GetHeapGlobalsOffset()

◆ GetLFHKey()

◆ GetListOfHeaps()

◆ GetNextHeapBlock()

◆ GetSegmentHeapBlocks()

◆ GetSingleBlock()

◆ GetSingleSegmentBlock()

◆ has_heap_globals()

◆ InitHeapInfo()

◆ initialize_windows_ntdll_query_api_functions()

◆ is_segment_heap()

◆ rz_heap_blocks_list()

◆ rz_heap_debug_block_win()

◆ rz_heap_list()

◆ rz_heap_list_w32()

◆ w32_list_heaps_blocks()

Variable Documentation

◆ RtlpHpHeapGlobalsOffset

◆ RtlpLFHKeyOffset