Windows heap learning

Windows Heap Internals learning

The Windows heap is divided into two types: the NT heap and the segment heap.

NT heap
- Exists since early versions of Windows NT.
- The default heap implementation up through Windows 7/8. (On later versions it is still the heap most classic desktop processes get unless they opt in to the segment heap.)

Segment heap why not public
- Introduced in Windows 10 as the modern heap manager.
- Default for apps built with the Universal Windows Platform (UWP), Microsoft Edge, and newer apps.

[heap pic]

NT heap

Some structures

The offsets in the comments below are for a 64-bit build (pointers are 8 bytes). The layout changes between Windows builds, so check it against the symbols for the version being examined.

_HEAP

```c
//0x2c0 bytes (sizeof)
struct _HEAP
{
    union
    {
        struct _HEAP_SEGMENT Segment; //0x0
        struct
        {
            struct _HEAP_ENTRY Entry; //0x0
            ULONG SegmentSignature; //0x10
            ULONG SegmentFlags; //0x14
            struct _LIST_ENTRY SegmentListEntry; //0x18
            struct _HEAP* Heap; //0x28
            VOID* BaseAddress; //0x30
            ULONG NumberOfPages; //0x38
            struct _HEAP_ENTRY* FirstEntry; //0x40
            struct _HEAP_ENTRY* LastValidEntry; //0x48
            ULONG NumberOfUnCommittedPages; //0x50
            ULONG NumberOfUnCommittedRanges; //0x54
            USHORT SegmentAllocatorBackTraceIndex; //0x58
            USHORT Reserved; //0x5a
            struct _LIST_ENTRY UCRSegmentList; //0x60
        };
    };
    ULONG Flags; //0x70
    ULONG ForceFlags; //0x74
    ULONG CompatibilityFlags; //0x78
    ULONG EncodeFlagMask; //0x7c
    struct _HEAP_ENTRY Encoding; //0x80
    ULONG Interceptor; //0x90
    ULONG VirtualMemoryThreshold; //0x94
    ULONG Signature; //0x98
    ULONGLONG SegmentReserve; //0xa0
    ULONGLONG SegmentCommit; //0xa8
    ULONGLONG DeCommitFreeBlockThreshold; //0xb0
    ULONGLONG DeCommitTotalFreeThreshold; //0xb8
    ULONGLONG TotalFreeSize; //0xc0
    ULONGLONG MaximumAllocationSize; //0xc8
    USHORT ProcessHeapsListIndex; //0xd0
    USHORT HeaderValidateLength; //0xd2
    VOID* HeaderValidateCopy; //0xd8
    USHORT NextAvailableTagIndex; //0xe0
    USHORT MaximumTagIndex; //0xe2
    struct _HEAP_TAG_ENTRY* TagEntries; //0xe8
    struct _LIST_ENTRY UCRList; //0xf0
    ULONGLONG AlignRound; //0x100
    ULONGLONG AlignMask; //0x108
    struct _LIST_ENTRY VirtualAllocdBlocks; //0x110
    struct _LIST_ENTRY SegmentList; //0x120
    USHORT AllocatorBackTraceIndex; //0x130
    ULONG NonDedicatedListLength; //0x134
    VOID* BlocksIndex; //0x138
    VOID* UCRIndex; //0x140
    struct _HEAP_PSEUDO_TAG_ENTRY* PseudoTagEntries; //0x148
    struct _LIST_ENTRY FreeLists; //0x150
    struct _HEAP_LOCK* LockVariable; //0x160
    LONG (*CommitRoutine)(VOID* arg1, VOID** arg2, ULONGLONG* arg3); //0x168
    union _RTL_RUN_ONCE StackTraceInitVar; //0x170
    struct _RTL_HEAP_MEMORY_LIMIT_DATA CommitLimitData; //0x178
    VOID* FrontEndHeap; //0x198
    USHORT FrontHeapLockCount; //0x1a0
    UCHAR FrontEndHeapType; //0x1a2
    UCHAR RequestedFrontEndHeapType; //0x1a3
    WCHAR* FrontEndHeapUsageData; //0x1a8
    USHORT FrontEndHeapMaximumIndex; //0x1b0
    volatile UCHAR FrontEndHeapStatusBitmap[129]; //0x1b2
    struct _HEAP_COUNTERS Counters; //0x238
    struct _HEAP_TUNING_PARAMETERS TuningParameters; //0x2b0
};
```

_HEAP_ENTRY

```c
//0x10 bytes (sizeof)
struct _HEAP_ENTRY
{
    union
    {
        struct _HEAP_UNPACKED_ENTRY UnpackedEntry; //0x0
        struct
        {
            VOID* PreviousBlockPrivateData; //0x0
            union
            {
                struct
                {
                    USHORT Size; //0x8
                    UCHAR Flags; //0xa
                    UCHAR SmallTagIndex; //0xb
                };
                struct
                {
                    ULONG SubSegmentCode; //0x8
                    USHORT PreviousSize; //0xc
                    union
                    {
                        UCHAR SegmentOffset; //0xe
                        UCHAR LFHFlags; //0xe
                    };
                    UCHAR UnusedBytes; //0xf
                };
                ULONGLONG CompactHeader; //0x8
            };
        };
        struct _HEAP_EXTENDED_ENTRY ExtendedEntry; //0x0
        struct
        {
            VOID* Reserved; //0x0
            union
            {
                struct
                {
                    USHORT FunctionIndex; //0x8
                    USHORT ContextValue; //0xa
                };
                ULONG InterceptorValue; //0x8
            };
            USHORT UnusedBytesLength; //0xc
            UCHAR EntryOffset; //0xe
            UCHAR ExtendedBlockSignature; //0xf
        };
        struct
        {
            VOID* ReservedForAlignment; //0x0
            union
            {
                struct
                {
                    ULONG Code1; //0x8
                    union
                    {
                        struct
                        {
                            USHORT Code2; //0xc
                            UCHAR Code3; //0xe
                            UCHAR Code4; //0xf
                        };
                        ULONG Code234; //0xc
                    };
                };
                ULONGLONG AgregateCode; //0x8
            };
        };
    };
};
```

When reading chunk headers from a dump or a debugger, keep in mind that they are normally stored encoded: if _HEAP.EncodeFlagMask is set, a _HEAP_ENTRY taken from memory has to be XORed with _HEAP.Encoding before Size, Flags and SmallTagIndex are meaningful.

The NT heap is divided into front-end and back-end allocators. ...

October 22, 2025