• 前言：一般情况下,我们使用的malloc和new分配堆上内存,We direct operation returns a pointer to the,Finished with this is the right time to release inside

• 异常：The above operation process appears to be nothing wrong with,But when a heap memory be destroyed,不像栈被破坏Is will directly affect the function of nearby stack frame,Abnormal program immediately（shellcodeExcept the damage）,堆内存被破坏It is often difficult to in memory be destroyed immediately found the problem,因此找到bug的难度更大

• 建议：In order to stack overflow,Can have localization mentality and use the corresponding tool,In normal times will accumulate more knowledge of heap memory（出现bugIn general are urgent problems,Basic no learning time）

1.堆块

The following first introduce basic will not come into contact with regular programming term：堆块
What is a pile of pieces？
简单理解,Is what you call amalloc或者new,The operating system will be automatically assigned a heap block,And then will be operating part（The user data area）The first address of the return to you,It is the foundation of learning heap structure,The following is a pile of block diagram,先有一个直观的印象

After the completion of the heap to create,Equivalent to have a large contiguous memory can give application services;The contents of the application to use the heap,Involved in the distribution of the pile block and release

• 分配：The application heap manager function called application memory,Heap manager from their maintenance of memory area divided into a piece of meet the requirements of the block of memory（chunk,堆块）,Will the memory blockCan be the starting address of the user access to return to the application（HeapAlloc函数的返回值）
• 释放：Applications run out,Calling the heap manager function to release（The program will merge heap block, etc）

注意：Of the allocation and release of involves heap memory split and merge operations such as temporary not introduce

Following, we often use from two dimensions to heap allocation function is introduced;Heap manager forHeapAlloc函数的支持,以及CRT堆对malloc、new的支持

2.Correlation function of the heap manager

Directly from the heap allocation can be usedHeapAlloc函数,对应的释放函数是HeapFree

//声明
DECLSPEC_ALLOCATOR LPVOID HeapAlloc(
  [in] HANDLE hHeap,			//A handle to the memory heap
  [in] DWORD  dwFlags,		
  [in] SIZE_T dwBytes			//Need the number of bytes of memory block
);

调用成功时,Return to the assigned heap blockUsers can use area的指针（Simple understanding is that we can use the starting address of the memory block）

#HeapAlloc函数实际上就是RtlAllocateHeapThe function of simple packaging
#查看栈回溯,HeapAllocFunction call is not displayed in the stack frame,而是直接调用RtlAllocateHeap
0:000> k L
 # ChildEBP RetAddr 
00 006ff6d4 77076e3c ntdll!RtlpAllocateHeap
01 006ff770 77075dde ntdll!RtlpAllocateHeapInternal+0x104c
02 006ff78c 00851078 ntdll!RtlAllocateHeap+0x3e
03 006ff7b0 0085124d test_heap!WinMain+0x38

3.CRT分配函数

The compiler's runtime library in the initialization phase will createCRT堆（Is usually a system mode：CRTPile based onWin32堆上,即最终会调用HeapAlloc函数）,The pile is mainly used to usmalloc和newSuch as memory allocation functions or operators to use

注意：下面2A stack traceback example isVS2010编译器的Release版本（DebugVersion will add some intermediate function）

• C语言：最常使用的是malloc函数,对应的释放函数是free

#源码：int *p_malloc = (int*)malloc(0x100);
#malloc调用HeapAlloc（即RtlAllocateHeap）的过程
0:000> k L
 # ChildEBP RetAddr 
00 00a0f898 009010ea ntdll!RtlAllocateHeap				#HeapAlloc（即RtlAllocateHeap）
01 00a0f8b8 0090105a test_malloc!malloc+0x4b
02 00a0f8c0 009012ae test_malloc!main+0xa
03 00a0f908 76f4fa29 test_malloc!__tmainCRTStartup+0x10b
04 00a0f918 77097a9e KERNEL32!BaseThreadInitThunk+0x19
05 00a0f974 77097a6e ntdll!__RtlUserThreadStart+0x2f
06 00a0f984 00000000 ntdll!_RtlUserThreadStart+0x1b

• C++：最常使用newThe operator to create objects and allocate memory（可以简单理解成是malloc的包装）,The release of the corresponding operator isdelete

;int *p = new int[35];					;35 * 4bytes = 140 = 0x8c
;反汇编（Release版本）
00ed1280 688c000000      push    8Ch	;参数
00ed1285 e8fa030000      call    test_new!operator new (00ed1684)

#1.WinDbgView the stack information
0:000> kb L
 # ChildEBP RetAddr Args to Child 
00 00e0f938 00ed409c 00ec0000 00000000 0000008c ntdll!RtlAllocateHeap
01 00e0f958 00ed16a3 0000008c 00ed50a6 00e0f954 test_new!malloc+0x4b		#内存大小（8c）
02 00e0f974 00ed128a 0000008c 00ed3ff4 00ed4008 test_new!operator new+0x1f	#内存大小（8c）
03 00e0f998 00ed188e 00000001 00ec1ef8 00ec1f48 test_new!main+0x1a
04 00e0f9e0 77406359 011fd000 77406340 00e0fa4c test_new!__tmainCRTStartup+0x10b

#2.The parameter converted to decimal and once againint类型的大小
0:000> ? 8c;? 8c/4
Evaluate expression: 140 = 0000008c		
Evaluate expression: 35 = 00000023		#转成int类型的大小是35


;delete p;
;3.反汇编（Release版本）
00ed128a 50              push    eax
00ed128b e874030000      call    test_new!operator delete (00ed1604)
00ed1290 83c408          add     esp,8 

#4.WinDbgView the stack information
0:000> k L
 # ChildEBP RetAddr 
00 0137fd1c 00ed3b4c ntdll!RtlFreeHeap+0x9
01 0137fd30 00ed1290 test_new!free+0x1c
02 0137fd58 00ed188e test_new!main+0x20
03 0137fda0 77406359 test_new!__tmainCRTStartup+0x10b

共性：C/C++The call stack back as you can see,最后都会间接调用ntdll!RtlAllocateHeap函数在堆上分配内存

4.To allocate and free simple summary

• 1、Distinguish between good corresponding relation：new/delete是一对,malloc/free是一对,HeapAlloc/HeapFree是一对

• 2、真正的调用顺序：new/delete -> malloc/free -> HeapAlloc/HeapFree -> RtlAllocateHeap/RtlFreeHeap

  Specific use which see actual demand to a function,The higher the efficiency of the underlying

• 3、细节区别：在Release版本中,new/deleteUsually directly is compiled for the jump instruction;在Debug版本中,Would add a lot of memory check function

• 4、Remove submission：free和deleteRelease the heap memory不一定Will be returned to the system,To satisfy the following2A condition will callNtFreeVitrualMemoryFunction to release heap memory to the system

  • 1.The release of the pile block size > HeapDeCommitFreeBlockThreshold
  • 2.The cumulative total free memory > HeapDeCommitTotalFreeThreshold

  上面的2个参数是哪里来的？创建堆时,会在PEBStructure in the recordHeapDeCommitFreeBlockThreshold和HeapDeCommitTotalFreeThreshold的初始值,WinDbg查看如下

  #[01]查看PEBOf the related structures to submit relevant information
  0:000> dt _PEB @$peb
     +0x018 ProcessHeap      : 0x00b50000 Void
     +0x080 HeapDeCommitTotalFreeThreshold : 0x10000				#64KB
     +0x084 HeapDeCommitFreeBlockThreshold : 0x1000				#4KB
  #解释：
  #1.The release of heap size more than4KB,And the total free space in the heap more than64KB,Heap manager will submit to the system's memory management a lift operation to truly free memory
  #2.分配粒度：Use within the heap manager 分配粒度 来表示HeapDeCommitFreeBlockThreshold和HeapDeCommitTotalFreeThreshold;
  # 且用GetSystemInfoFunction can view the distribution of particle size（通常是8bytes）
  
  #[02]!heap -v To observe the distribution of particle size and remove submitted threshold
  0:000> !heap 0x00b50000 -v										#0x00b50000Is the process of the default heap
  Index   Address  Name      Debugging options enabled			#Did not start any debug options
    1:   00b50000 
      Segment at 00b50000 to 00c4f000 (0000e000 bytes committed)	#Memory range and submit bytes
      Flags:                40000062			#Heap mark fields
      Granularity:          8 bytes			#Allocation granularity is8bytes
      Segment Reserve:      00100000			#Heap reserved space,1MB
      Segment Commit:       00002000			#Every time to submit the heap memory size,8KB
      DeCommit Block Thres: 00000200			#Remove submit single block threshold,0x200 * 分配粒度8bytes = 0x1000,4KB
      DeCommit Total Thres: 00002000			#Remove submit total free threshold,64KB
      Total Free Size:      000004d2			#The size of the heap free blocks
  

5.扩展：低碎片堆（LFH）

提示：Heap is repeatedly,Is not very timely in the release,Will appear the phenomenon of fragmentation,为了解决这个问题,就一定知道LFH的概念

• Heap fragmentation is introduced into the solution of the problem？

Heap memory function application must be a continuous interval;If the heap memory is constantly application and release,Could never find a piece of continuous space to meet the requirements of the application memory,Even if the free heap space meet the requirements,Allocate memory will fail,This phenomenon has been become a pile of debris（Heap Fragmentation）

• 操作系统支持

Introduce low debris heapLFH（Low Fragmentation Heap）,Through is called barrel（buckets）Unit to manage the distribution of

• LFHHow to reduce the fragmentation？

LFHWill have been allocated blocks of memory mapped to determine in advance the different size range of barrel,LFHWill be available space is divided into128个桶,Each barrel of space, in turn, increasing;Barrels in the distribution of particle size and scope as follows：

当需要从LFH上分配空间,The manager will according to the heap of function parameters,Find meet the conditions of minimum available barrels allocated;如分配5个bytes,1No barrels have free,就将1Bucket number allocated;Without free will find2号桶,Until find the right barrel

提示：Distribution of particle size can be used to understand for the distribution of the smallest unit;If the distribution is more than16384 bytes,LFHWill be forwarded directly to the underlying heap backend

• 是否生效？

由HeapSetInformationControl () function checks whether the supportLFH,HeapQueryInformationWhether can query a heap of supportLFH;Heap manager implements an automatic adjustment algorithm,在特定的条件下默认启动LFH

注意：Enable the heap in the process of debug options will affect all heap,So start any heap debug options will makeLFHBe automatically disabledAnd to use the core pile of;Do not heap is expanding and will not useLFH

• _LFH_HEAP结构：描述LFH的结构

0:000> dt _LFH_HEAP
ntdll!_LFH_HEAP
   +0x00c Heap             : Ptr32 Void				#LFHFather handle to heap（Or a pointer to the parent pile）
   +0x038 UserBlockCache   : [12] _USER_MEMORY_CACHE_ENTRY
   +0x1bc Buckets          : [129] _HEAP_BUCKET

6.参考

• 1.《软件调试》第二版,卷2的第23章
• 2.《Windows高级调试》,第6章
• 3.《深入解析Windows操作系统》第七版,第五章
• 4.《Windows编程调试技术内幕》