티스토리 뷰

728x90
반응형

[Reversing] 메모리 생성 방식에 따라 버퍼 기본값 변화


참조

https://www.codeguru.com/cpp/w-p/win32/tutorials/article.php/c9535/Inside-CRT-Debug-Heap-Management.htm


CVE-2017-8291 취약점에서의 Postscript aload 연산자를 살펴보던 중 0x020EADBA or 0x0DF0ADBA 같은 값이 있어 찾아본다.

메모리 생성 방식에 따라 버퍼의 기본 값이 정해진다.

HeapAlloc() 호출 후 메모리를 보면 아래와 같다.

ex)

주소

HeapAlloc () 이후
00320FD8 09 00 09 01
00320FDC E8 07 18 00
00320FE0 0D F0 AD BA
00320FE4 0D F0 AD BA
00320FE8 0D F0 AD BA
00320FEC 0D F0 AD BA
00320FF0 0D F0 AD BA
00320FF4 0D F0 AD BA
00320FF8 0D F0 AD BA


ValueNameDescription
0xCDClean MemoryAllocated memory via malloc or new but never written by the application.
0xDDDead MemoryMemory that has been released with delete or free. It is used to detect writing through dangling pointers.
0xFDFence MemoryAlso known as "no mans land." This is used to wrap the allocated memory (like surrounding it with fences) and is used to detect indexing arrays out of bounds.
0xAB(Allocated Block?)Memory allocated by LocalAlloc().
0xBAADF00DBad FoodMemory allocated by LocalAlloc() with LMEM_FIXED, but not yet written to.
0xCC When the code is compiled with the /GZ option, uninitialized variables are automatically assigned to this value (at byte level).



728x90
반응형
댓글
댓글쓰기 폼
반응형
250x250
공지사항
«   2020/11   »
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          
Total
167,145
Today
3