OK so, I'm trying to write a procedure that resolves a pointer to either the heap space or the stack space, or alternatively global space. I have the following:
call @test
ret
@test:
push ebp
mov ebp, esp
mov eax, ebp
push eax
call IsPointerStack
nop
leave
retn
IsPointerStack PROC uses ebx esi edi pVoid:DWORD
    assume fs:nothing
    mov eax, fs:[04h]       ; NT_TIB.StackBase  - highest address of the stack
    m2m esi, eax
    mov eax, fs:[08h]       ; NT_TIB.StackLimit - lowest committed address of the stack
    m2m edi, eax
    mov eax, pVoid
    cmp eax, esi
    jg @false               ; above StackBase  -> not on the stack
    cmp eax, edi
    jl @false               ; below StackLimit -> not on the stack
    xor eax, eax
    inc eax                 ; return 1 (TRUE)
    ret
@false:
    xor eax, eax            ; return 0 (FALSE)
    ret
IsPointerStack ENDP
I'm aware that fs:[4] and fs:[8] point to the base allocation and end allocation of the stack space. Is there a similar means of finding the available space for the HEAP? If the information is available via the FS that would be great; if not, I'm more than curious to hear the method.
Cheers, Ks.
OK, with a little bit of digging I've learned that the base address of the heap can be read using kernel32.GetProcessHeap, which is:
@kernel32!GetProcessHeap:
MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOV EAX,DWORD PTR DS:[EAX+18]
RET
Half of my problem solved. Just interested now in obtaining the end address (or alternately, the size of the heap space).
Cheers, Ks.
hmmmm
that is a good question - lol
I think you may assume 7FFFFFFF
although, I also think Windows will shuffle things around if you ask for more
I would try a few experiments, but that gives you an address to play with
Hello,
Why do simple when we can do complicated?
Heap32ListFirst
Heap32ListNext
Ksbunker,
Are you sure that your method is valid across different versions of Windows?
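Putting the three threads of the discussion together (the StackLimit/StackBase test from IsPointerStack, the question of where the heap ends, and whether any of it survives across Windows versions), here is an added example in C. It is not code from the thread or from any of the posters. It uses the documented GetProcessHeaps/HeapWalk pair rather than the ToolHelp Heap32ListFirst/Heap32ListNext calls suggested above (those enumerate by process id through a snapshot; HeapWalk gives the committed regions of each heap directly), and reads the same two TEB fields the assembly reads at fs:[4] and fs:[8] through NtCurrentTeb(). The DEMO_STACK and DEMO_HEAPS ranges are constructed sample values so the classifier can be exercised off Windows; the Windows-only part compiles only under _WIN32.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the thread's code): classify a pointer as stack, heap, or neither
 * by address range, using the thread's StackLimit <= p < StackBase test (StackBase
 * treated as exclusive) plus the committed regions of every heap in the process. */

typedef enum { PTR_UNKNOWN = 0, PTR_STACK = 1, PTR_HEAP = 2 } ptr_class;

/* Half-open address range [lo, hi). */
typedef struct { uintptr_t lo, hi; } range;

/* Unsigned comparison. The jg/jl used in IsPointerStack are signed compares, which
 * misorder addresses at or above 0x80000000 (e.g. a LARGEADDRESSAWARE process on /3GB). */
static int in_range(uintptr_t p, range r) { return p >= r.lo && p < r.hi; }

ptr_class classify_ptr(uintptr_t p, range stack, const range *heaps, size_t nheaps) {
    if (in_range(p, stack)) return PTR_STACK;
    for (size_t i = 0; i < nheaps; i++)
        if (in_range(p, heaps[i])) return PTR_HEAP;
    return PTR_UNKNOWN;
}

/* Constructed sample layout (made up for this example, shaped like a 32-bit process):
 * a 16 KiB committed stack and one 64 KiB committed heap region. */
static const range DEMO_STACK = { 0x0012C000u, 0x00130000u };
static const range DEMO_HEAPS[1] = { { 0x00140000u, 0x00150000u } };

#ifdef _WIN32
#include <windows.h>

/* The same two NT_TIB fields the thread reads at fs:[4] (StackBase) and fs:[8] (StackLimit). */
range current_stack_range(void) {
    NT_TIB *tib = (NT_TIB *)NtCurrentTeb();
    range r = { (uintptr_t)tib->StackLimit, (uintptr_t)tib->StackBase };
    return r;
}

/* Every heap in the process, every committed region. The "end address" asked about in the
 * thread is one value per region, not one number per process, and moves as the heap commits. */
size_t collect_heap_regions(range *out, size_t cap) {
    HANDLE heaps[64];
    DWORD nheaps = GetProcessHeaps(64, heaps);
    size_t count = 0;
    for (DWORD i = 0; i < nheaps && i < 64 && count < cap; i++) {
        PROCESS_HEAP_ENTRY e;
        e.lpData = NULL;                       /* NULL lpData starts a fresh walk */
        if (!HeapLock(heaps[i])) continue;
        while (count < cap && HeapWalk(heaps[i], &e)) {
            if (e.wFlags & PROCESS_HEAP_REGION) {
                out[count].lo = (uintptr_t)e.lpData;
                out[count].hi = (uintptr_t)e.lpData + e.Region.dwCommittedSize;
                count++;
            }
        }
        HeapUnlock(heaps[i]);
    }
    return count;
}
#endif

static const char *class_name(ptr_class c) {
    return c == PTR_STACK ? "stack" : c == PTR_HEAP ? "heap" : "neither";
}

int main(void) {
#ifdef _WIN32
    range regions[256];
    size_t n = collect_heap_regions(regions, 256);
    range stack = current_stack_range();
    int local = 0;
    void *heapobj = HeapAlloc(GetProcessHeap(), 0, 32);
    printf("&local  -> %s\n", class_name(classify_ptr((uintptr_t)&local, stack, regions, n)));
    printf("heapobj -> %s\n", class_name(classify_ptr((uintptr_t)heapobj, stack, regions, n)));
    printf("code    -> %s\n", class_name(classify_ptr((uintptr_t)&class_name, stack, regions, n)));
    HeapFree(GetProcessHeap(), 0, heapobj);
#else
    /* Off Windows only the constructed layout is available. */
    printf("0x0012F000 -> %s\n", class_name(classify_ptr(0x0012F000u, DEMO_STACK, DEMO_HEAPS, 1)));
    printf("0x00148000 -> %s\n", class_name(classify_ptr(0x00148000u, DEMO_STACK, DEMO_HEAPS, 1)));
    printf("0x00401000 -> %s\n", class_name(classify_ptr(0x00401000u, DEMO_STACK, DEMO_HEAPS, 1)));
#endif
    return 0;
}
```

On the cross-version question: the NT_TIB fields at fs:[4] and fs:[8] and the PEB ProcessHeap field read by the GetProcessHeap disassembly above have kept their 32-bit offsets, but the fixed fs: offsets do not carry over to 64-bit processes (the TEB is reached through gs: there, with different PEB offsets), whereas GetProcessHeaps and HeapWalk are documented calls that work on either. Anything not matched by the stack or a heap region (a global, a mapped file, code) is reported as "neither"; VirtualQuery on the address is the usual next step for those.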