How can I calculate heap chunk size from raw bytes read from memory? I tried the following.
0:001> !heap
Index Address Name Debugging options enable
From Vista and later, the heap entries are scrambled, so it’s a hard task to do any calculations. Check this link to read about randomization.
The DT command is therefore unable to display any sensible information at all. Take a look at the offsets:
0:001> dt _HEAP_ENTRY
+0x000 Size
+0x000 FunctionIndex
+0x000 InterceptorValue
+0x000 AgregateCode
A lot of elements with the same offset, hence the same memory.
Also observe that your
+0x004 PreviousSize : 0x1849
does not correspond with the psize of 0000 from !heap -a.
On Win XP and earlier your technique was possible, but here the
_HEAP_ENTRY->Size
was the number of heap blocks, usually of 8 bytes.
Edit: I’m not aware of any manual method to decode the heap entry, but I guess it’s possible. I have used the !heap -i command to do it for me. First:
!heap -i , in your case !heap -i 00500000
Then
!heap -I , in your case !heap -I 00500588 (for second entry)
Sample:
address: psize . size flags state (requested size)
00240000: 00000 . 00588 [101] - busy (587)
00240588: 00588 . 00240 [101] - busy (23f)
....
0:000> !heap -i 00240000
Heap context set to the heap 0x00240000
0:000> !heap -i 00240588
Detailed information for block entry 00240588
Assumed heap : 0x00240000 (Use !heap -i NewHeapHandle to change)
Header content : 0x32343AD9 0x0100B0F1 (decoded : 0x49010048 0x010000B1)
Owning segment : 0x00240000 (offset 0)
Block flags : 0x1 (busy )
Total block size : 0x48 units (0x240 bytes)
Requested size : 0x23f bytes (unused 0x1 bytes)
Previous block size: 0xb1 units (0x588 bytes)
Block CRC : OK - 0x49
Previous block : 0x00240000
Next block : 0x002407c8
See also: this link
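The decode that !heap -i performs in the sample above, as an added Python example that is not part of the original answer: on Vista and later the 8-byte _HEAP_ENTRY header is XORed with the heap's _HEAP.Encoding field before the fields can be read, and SmallTagIndex holds the XOR of the three bytes before it as a checksum. The answer does not print the Encoding value, so the key below is derived from the sample by XORing its raw and decoded header words; the field layout assumed is the 32-bit one, with 8-byte granularity.

```python
import struct

# Raw header words from the answer's "!heap -i 00240588" output (two little-endian DWORDs).
RAW_HEADER = struct.pack("<II", 0x32343AD9, 0x0100B0F1)
# _HEAP.Encoding is not shown on the page; this key is derived from the sample as
# raw ^ decoded: 0x32343AD9 ^ 0x49010048 and 0x0100B0F1 ^ 0x010000B1.
ENCODING_KEY = struct.pack("<II", 0x7B353A91, 0x0000B040)
GRANULARITY = 8  # one Size / PreviousSize unit is 8 bytes on 32-bit Windows
BLOCK_ADDR = 0x00240588  # address of the sample block entry


def decode_heap_entry(raw, key):
    """Decode one 32-bit _HEAP_ENTRY header: XOR with the heap key, then unpack the fields."""
    if len(raw) != 8 or len(key) != 8:
        raise ValueError("header and key must both be 8 bytes")
    dec = bytes(a ^ b for a, b in zip(raw, key))
    # Layout: Size (USHORT), Flags (UCHAR), SmallTagIndex (UCHAR),
    #         PreviousSize (USHORT), SegmentOffset (UCHAR), UnusedBytes (UCHAR)
    size, flags, small_tag, prev_size, seg_off, unused = struct.unpack("<HBBHBB", dec)
    # The "Block CRC" !heap reports is SmallTagIndex compared against the XOR of
    # the first three decoded bytes; a wrong key almost always fails this check.
    crc_ok = small_tag == (dec[0] ^ dec[1] ^ dec[2])
    return {
        "decoded_words": struct.unpack("<II", dec),
        "size_bytes": size * GRANULARITY,
        "prev_size_bytes": prev_size * GRANULARITY,
        "requested_bytes": size * GRANULARITY - unused,
        "unused_bytes": unused,
        "flags": flags,
        "busy": bool(flags & 0x1),
        "segment_offset": seg_off,
        "crc": small_tag,
        "crc_ok": crc_ok,
    }


def neighbours(block_addr, entry):
    """Previous and next block addresses, as !heap -i prints them."""
    return block_addr - entry["prev_size_bytes"], block_addr + entry["size_bytes"]


if __name__ == "__main__":
    e = decode_heap_entry(RAW_HEADER, ENCODING_KEY)
    prev_blk, next_blk = neighbours(BLOCK_ADDR, e)
    print("decoded : 0x%08X 0x%08X" % e["decoded_words"])
    print("size 0x%x bytes, requested 0x%x, prev 0x%x, busy=%s, crc ok=%s"
          % (e["size_bytes"], e["requested_bytes"], e["prev_size_bytes"], e["busy"], e["crc_ok"]))
    print("previous block 0x%08x, next block 0x%08x" % (prev_blk, next_blk))
```

With a live target, read the 8 header bytes at the block address and the 8-byte Encoding field from the owning _HEAP, and the output should line up with the !heap -i listing; a failing CRC check is the quickest sign that the key or the block address is wrong.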