heap
defined, 5
DLLs (Dynamic Link Libraries), 108-109
First In First Out (FIFO), 5
fragmented, 92
free() system call, 85
GetDefaultHeap() function, 109
growing up the address space, 5
malloc() system call, 85
non-fragmented, 92
normalizing, 99
realloc() system call, 85
segments, 84-85
Windows
dynamic heaps, 167
how it works, 168-172
LIST_ENTRY structures, 168-169
process heap, 167
requesting space, 168
heap overflows
articles and papers, 341-342
atexit handlers, 101
basic theory of, 87-88
defined, 86
dlmalloc, 83
.DTORS, 101
format string bugs, 82
free() system call, 87-92
global function pointers, 100
GOT entries, 100
grep, 86
heapoverflow.c Windows shellcode, 126-142
integer overflow heap overflow combination, 86
kernel-level vulnerabilities, 530
ltrace program, 99
malloc implementations, 83, 89-92
malloc() system call, 87-88, 93-99
Microsoft IIS, 86
protecting against, 8687
samba, 86
Solaris Login, 86
Solaris Xsun, 86
Solaris/SPARC
arbitrary free vulnerabilities, 262
Bottom chunk, 259
chunk consolidation, 254
double free vulnerabilities, 261-262
example, 262-266
function pointers, 233-234, 258-259
limitations, 257-258
off-by-one overflows, 261
small chunk corruption, 260
static data overflows, 267
style tricks, 286-288
t_delete() function, 254-256
tree structure, 234-254
stack values, 101
threads, 502
triggering, 88-89
what to overwrite, 100
Windows
calling Win32 API functions, 109
COM objects, 187-188
first vectored handler at 77FC3210, 175-178
logic program control data, 188
repairing the heap, 185-187
RtlEnterCriticalSection in the PEB, 172-174
Thread Environment Block (TEB), 184-185
Unhandled Exception Filter, 178-184