Nathan Voss
Attachments
heap_debugging.png (13554 bytes)

What is the Heap Sandbox?

The Heap Sandbox is a test application that provides a simple command line interface to allocate, write to, and free heap chunks. It is useful for experimenting with the Windows heap and lets you try out some simple exploitation methods in a controlled environment.

How to use it:

  1. First, either build it yourself using gcc, MinGW, Visual Studio, or whichever Windows compiler you prefer, or download the attached executable. Building with debugging symbols can help you later, but it isn't strictly necessary.
    Example build command: gcc heap_sandbox.c -g -o heap_sandbox.exe
  2. Next, run heap_sandbox.exe from a command prompt.
  3. Follow the prompts to allocate, write to, and free chunks as desired.

Now you're up and running. Next, you'll want to attach a debugger and actually see what is going on in the heap. Keep in mind that user input is not validated, so it is very easy to crash the program: it is an exploit test tool, don't expect stability!
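A minimal sandbox of the same shape, added here as an example; it is not the page's own heap_sandbox.c (whose source is not reproduced on this page), and the command names (alloc, fill, free, list) are my own. On Windows it allocates from the process heap with HeapAlloc/HeapFree, so the chunks it prints are the ones you will later inspect with !mona heap; on other platforms it falls back to malloc/free so the command logic can still be exercised.

```c
/* Added example: a minimal heap sandbox in the spirit of the page's tool.
 * It is NOT the original heap_sandbox.c. On Windows the chunks come from the
 * process heap via HeapAlloc/HeapFree, so they land in the heap you inspect
 * with !mona heap; elsewhere malloc/free is used so the parser still runs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
static void *sb_alloc(size_t n) { return HeapAlloc(GetProcessHeap(), 0, n); }
static void  sb_free(void *p)   { HeapFree(GetProcessHeap(), 0, p); }
static void *sb_heap(void)      { return (void *)GetProcessHeap(); } /* heap base */
#else
static void *sb_alloc(size_t n) { return malloc(n); }
static void  sb_free(void *p)   { free(p); }
static void *sb_heap(void)      { return NULL; }  /* no heap handle off Windows */
#endif

#define MAX_CHUNKS 32

/* One table slot per live allocation; ptr == NULL marks an empty slot. */
static struct { void *ptr; size_t size; } chunks[MAX_CHUNKS];

static int slot_in_use(int idx) {
    return idx >= 0 && idx < MAX_CHUNKS && chunks[idx].ptr != NULL;
}

/* Size recorded for a slot, 0 when the slot is empty. */
size_t chunk_size(int idx) { return slot_in_use(idx) ? chunks[idx].size : 0; }

/* alloc <size>: returns the slot index, or -1 if the table is full or HeapAlloc fails. */
int cmd_alloc(size_t size) {
    for (int i = 0; i < MAX_CHUNKS; i++) {
        if (chunks[i].ptr != NULL) continue;
        void *p = sb_alloc(size);
        if (p == NULL) return -1;
        chunks[i].ptr = p;
        chunks[i].size = size;
        printf("chunk[%d] = %p (%lu bytes)\n", i, p, (unsigned long)size);
        return i;
    }
    return -1;
}

/* fill <idx> <hexbyte> <count>: memset count bytes of value into the chunk.
 * Deliberately NOT clamped to the chunk size: asking for more bytes than the
 * chunk holds overwrites the following chunk's header, which is exactly the
 * corruption the sandbox exists to let you watch in the debugger. */
int cmd_fill(int idx, unsigned char value, size_t count) {
    if (!slot_in_use(idx)) return -1;
    memset(chunks[idx].ptr, value, count);
    return 0;
}

/* free <idx>: releases the chunk and clears the slot so it cannot be freed twice
 * by accident (drop the clearing if you want to experiment with double frees). */
int cmd_free(int idx) {
    if (!slot_in_use(idx)) return -1;
    sb_free(chunks[idx].ptr);
    chunks[idx].ptr = NULL;
    chunks[idx].size = 0;
    return 0;
}

/* list: prints the heap handle (the value !mona heap -h wants) and every live chunk. */
void cmd_list(void) {
    printf("heap handle: %p\n", sb_heap());
    for (int i = 0; i < MAX_CHUNKS; i++)
        if (chunks[i].ptr != NULL)
            printf("chunk[%d] = %p (%lu bytes)\n", i, chunks[i].ptr, (unsigned long)chunks[i].size);
}

/* Parses one line of input; returns 0 on success, -1 on bad syntax or a failed operation. */
int run_command(const char *line) {
    int idx; unsigned long n; unsigned int byte;
    if (sscanf(line, "alloc %lu", &n) == 1)                   return cmd_alloc((size_t)n) >= 0 ? 0 : -1;
    if (sscanf(line, "fill %d %x %lu", &idx, &byte, &n) == 3) return cmd_fill(idx, (unsigned char)byte, (size_t)n);
    if (sscanf(line, "free %d", &idx) == 1)                   return cmd_free(idx);
    if (strncmp(line, "list", 4) == 0)                        { cmd_list(); return 0; }
    return -1;
}

int main(void) {
    char line[64];
    printf("commands: alloc <size> | fill <idx> <hexbyte> <count> | free <idx> | list | quit\n");
    cmd_list();
    for (;;) {
        printf("> ");
        fflush(stdout);
        if (fgets(line, sizeof line, stdin) == NULL || strncmp(line, "quit", 4) == 0) break;
        if (run_command(line) != 0) puts("error: bad command or failed operation");
    }
    return 0;
}
```

Typing alloc 100, alloc 200 and alloc 300 reproduces the three-chunk scenario in the screenshot further down; fill 0 41 120 then writes 120 bytes of 0x41 into the 100-byte chunk and clobbers the header of the chunk that follows it, which is the state you would want to be stopped at in the debugger. The program prints chunk addresses and, on Windows, the heap handle, so you have the values the !mona heap command needs.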

Debugging the Heap Sandbox

Prerequisites

Install the following tools and make sure they run:
  • gflags.exe (part of the Debugging Tools for Windows)
  • Immunity Debugger, with the mona.py PyCommand installed (the procedure below uses !hidedebug and !mona)

Procedure
  1. Disable all system-wide heap debugging options. If these aren't disabled, the heap allocator behaves dramatically differently under a debugger than it does in normal operation!
    • Add a system environment variable called '_NO_DEBUG_HEAP' and set its value to '1'.
    • Run gflags.exe /p to list all processes with Page Heap monitoring enabled.
      • If the Heap Sandbox is in that list, run the following command to disable it:
        gflags.exe /p /disable heap_sandbox.exe
        (gflags /p keys on the image file name as shown in its own listing, not on a full path.)
  2. Open Immunity Debugger and choose File->Open. Select the Heap Sandbox executable. The program should load and pause at the entry point.
  3. Before continuing, run the following command on the Immunity Debugger command line (at the bottom of the window) to ensure that the debug heap allocator is not used: !hidedebug All_Debug
    If you attach to the process instead of starting from within Immunity, this step is not necessary!

To see the chunks in the application's heap, run the command: !mona heap -h <heap_addr> -t chunks
Where <heap_addr> is the address of the heap reported in the heap_sandbox console output.
The following screenshot shows the output from this command after allocating 3 chunks of 100, 200, and 300 bytes on a Windows XP SP3 system. If all steps have been followed so far, your output should look very similar!

Operate the program from its own console window. When desired, use Immunity Debugger commands such as !mona, !heap, and !lookaside to examine the heap structures.