
最重要的堆表有两种:

1 空表 freelist  128条


可看 溢出 利用chunk重设大小攻击堆

Freelist[0]  指向  “尾块”

	/*
	 * Freelist (空表) demo. HeapCreate is given a non-zero maximum size
	 * (0x10000), so the heap cannot grow; the page notes that such a heap
	 * does not use the lookaside lists, which is what makes the freelists
	 * observable here. NOTE(review): the HeapCreate result is not checked
	 * for NULL before it is used.
	 */
	HLOCAL h1,h2,h3,h4,h5,h6;
	HANDLE hp;
	hp = HeapCreate(0,0x1000,0x10000);
	/* MSVC inline-asm debugger breakpoint right after heap creation, so the
	 * freshly initialised heap header and the 128 freelist[] entries can be
	 * dumped (see the memory dump that follows). */
	__asm int 3

	/* Request sizes are chosen so that the blocks freed later (h1, h3, h5)
	 * land in small freelists while h2 and h4 stay allocated between them. */
	h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,3);
	h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,5);
	h3 = HeapAlloc(hp,HEAP_ZERO_MEMORY,6);
	h4 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
	h5 = HeapAlloc(hp,HEAP_ZERO_MEMORY,19);
	h6 = HeapAlloc(hp,HEAP_ZERO_MEMORY,24);
	
	// free blocks; the still-busy neighbours (h2, h4) prevent coalescing
	HeapFree(hp,0,h1); //free to freelist[2] 
	HeapFree(hp,0,h3); //free to freelist[2] 
	HeapFree(hp,0,h5); //free to freelist[4]
	
	HeapFree(hp,0,h4); // coalesce h3,h4,h5 and link the large block to freelist[8]
00401006     53               push ebx
00401007     56               push esi
00401008     57               push edi
00401009     68 00000100      push 10000                                  ; UNICODE "=::=::\"
0040100E     68 00100000      push 1000
00401013     6A 00            push 0
00401015     FF15 08504000    call dword ptr ds:[<&KERNEL32.HeapCreate>]  ; KERNEL32.HeapCreate

函数返回后,eax 为堆(空表所在)的地址:

00360000  C8 00 00 00 00 01 00 00 FF EE FF EE 00 10 00 00  ?.....??..		//这里是得到的地址 段表等信息!!!
00360010  00 00 00 00 00 FE 00 00 00 00 10 00 00 20 00 00  .....?..... ..
00360020  00 02 00 00 00 20 00 00 30 01 00 00 FF EF FD 7F  .... ..0..稞
00360030  04 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00  .............
00360040  00 00 00 00 98 05 36 00 0F 00 00 00 F8 FF FF FF  ....?6....?
00360050  50 00 36 00 50 00 36 00 40 06 36 00 00 00 00 00  P.6.P.6.@6.....
00360060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     //这些是虚分配索引,因为堆刚刚初始化,没有任何虚分配记录,所以全部为0
00360080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360160  00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ...............
00360170  00 00 00 00 00 00 00 00 88 06 36 00 88 06 36 00  ........?6.?6.			这里是freelist[0] 指向尾块 偏移0x688
00360180  80 01 36 00 80 01 36 00 88 01 36 00 88 01 36 00  €6.€6.?6.?6.
00360190  90 01 36 00 90 01 36 00 98 01 36 00 98 01 36 00  ?6.?6.?6.?6.                         //这里是128对指针用来索引128条空闲双向链表,目前除了零号空表freelist[0]之外
003601A0  A0 01 36 00 A0 01 36 00 A8 01 36 00 A8 01 36 00  ?6.?6.?6.?6.                         //其他的全部都指向自身,也就是说这些空闲链表都为空
003601B0  B0 01 36 00 B0 01 36 00 B8 01 36 00 B8 01 36 00  ?6.?6.?6.?6.
003601C0  C0 01 36 00 C0 01 36 00 C8 01 36 00 C8 01 36 00  ?6.?6.?6.?6.
003601D0  D0 01 36 00 D0 01 36 00 D8 01 36 00 D8 01 36 00  ?6.?6.?6.?6.
003601E0  E0 01 36 00 E0 01 36 00 E8 01 36 00 E8 01 36 00  ?6.?6.?6.?6.
003601F0  F0 01 36 00 F0 01 36 00 F8 01 36 00 F8 01 36 00  ?6.?6.?6.?6.
00360200  00 02 36 00 00 02 36 00 08 02 36 00 08 02 36 00  .6..6.6.6.
00360210  10 02 36 00 10 02 36 00 18 02 36 00 18 02 36 00  6.6.6.6.
00360220  20 02 36 00 20 02 36 00 28 02 36 00 28 02 36 00   6. 6.(6.(6.
00360230  30 02 36 00 30 02 36 00 38 02 36 00 38 02 36 00  06.06.86.86.
00360240  40 02 36 00 40 02 36 00 48 02 36 00 48 02 36 00  @6.@6.H6.H6.
00360250  50 02 36 00 50 02 36 00 58 02 36 00 58 02 36 00  P6.P6.X6.X6.
00360260  60 02 36 00 60 02 36 00 68 02 36 00 68 02 36 00  `6.`6.h6.h6.
00360270  70 02 36 00 70 02 36 00 78 02 36 00 78 02 36 00  p6.p6.x6.x6.
00360280  80 02 36 00 80 02 36 00 88 02 36 00 88 02 36 00  €6.€6.?6.?6.
00360290  90 02 36 00 90 02 36 00 98 02 36 00 98 02 36 00  ?6.?6.?6.?6.
003602A0  A0 02 36 00 A0 02 36 00 A8 02 36 00 A8 02 36 00  ?6.?6.?6.?6.
003602B0  B0 02 36 00 B0 02 36 00 B8 02 36 00 B8 02 36 00  ?6.?6.?6.?6.
003602C0  C0 02 36 00 C0 02 36 00 C8 02 36 00 C8 02 36 00  ?6.?6.?6.?6.
003602D0  D0 02 36 00 D0 02 36 00 D8 02 36 00 D8 02 36 00  ?6.?6.?6.?6.
003602E0  E0 02 36 00 E0 02 36 00 E8 02 36 00 E8 02 36 00  ?6.?6.?6.?6.
003602F0  F0 02 36 00 F0 02 36 00 F8 02 36 00 F8 02 36 00  ?6.?6.?6.?6.
00360300  00 03 36 00 00 03 36 00 08 03 36 00 08 03 36 00  .6..6.6.6.
00360310  10 03 36 00 10 03 36 00 18 03 36 00 18 03 36 00  6.6.6.6.
00360320  20 03 36 00 20 03 36 00 28 03 36 00 28 03 36 00   6. 6.(6.(6.
00360330  30 03 36 00 30 03 36 00 38 03 36 00 38 03 36 00  06.06.86.86.
00360340  40 03 36 00 40 03 36 00 48 03 36 00 48 03 36 00  @6.@6.H6.H6.
00360350  50 03 36 00 50 03 36 00 58 03 36 00 58 03 36 00  P6.P6.X6.X6.
00360360  60 03 36 00 60 03 36 00 68 03 36 00 68 03 36 00  `6.`6.h6.h6.
00360370  70 03 36 00 70 03 36 00 78 03 36 00 78 03 36 00  p6.p6.x6.x6.
00360380  80 03 36 00 80 03 36 00 88 03 36 00 88 03 36 00  €6.€6.?6.?6.
00360390  90 03 36 00 90 03 36 00 98 03 36 00 98 03 36 00  ?6.?6.?6.?6.
003603A0  A0 03 36 00 A0 03 36 00 A8 03 36 00 A8 03 36 00  ?6.?6.?6.?6.
003603B0  B0 03 36 00 B0 03 36 00 B8 03 36 00 B8 03 36 00  ?6.?6.?6.?6.
003603C0  C0 03 36 00 C0 03 36 00 C8 03 36 00 C8 03 36 00  ?6.?6.?6.?6.
003603D0  D0 03 36 00 D0 03 36 00 D8 03 36 00 D8 03 36 00  ?6.?6.?6.?6.
003603E0  E0 03 36 00 E0 03 36 00 E8 03 36 00 E8 03 36 00  ?6.?6.?6.?6.
003603F0  F0 03 36 00 F0 03 36 00 F8 03 36 00 F8 03 36 00  ?6.?6.?6.?6.
00360400  00 04 36 00 00 04 36 00 08 04 36 00 08 04 36 00  .6..6.6.6.
00360410  10 04 36 00 10 04 36 00 18 04 36 00 18 04 36 00  6.6.6.6.
00360420  20 04 36 00 20 04 36 00 28 04 36 00 28 04 36 00   6. 6.(6.(6.
00360430  30 04 36 00 30 04 36 00 38 04 36 00 38 04 36 00  06.06.86.86.
00360440  40 04 36 00 40 04 36 00 48 04 36 00 48 04 36 00  @6.@6.H6.H6.
00360450  50 04 36 00 50 04 36 00 58 04 36 00 58 04 36 00  P6.P6.X6.X6.
00360460  60 04 36 00 60 04 36 00 68 04 36 00 68 04 36 00  `6.`6.h6.h6.
00360470  70 04 36 00 70 04 36 00 78 04 36 00 78 04 36 00  p6.p6.x6.x6.
00360480  80 04 36 00 80 04 36 00 88 04 36 00 88 04 36 00  €6.€6.?6.?6.
00360490  90 04 36 00 90 04 36 00 98 04 36 00 98 04 36 00  ?6.?6.?6.?6.
003604A0  A0 04 36 00 A0 04 36 00 A8 04 36 00 A8 04 36 00  ?6.?6.?6.?6.
003604B0  B0 04 36 00 B0 04 36 00 B8 04 36 00 B8 04 36 00  ?6.?6.?6.?6.
003604C0  C0 04 36 00 C0 04 36 00 C8 04 36 00 C8 04 36 00  ?6.?6.?6.?6.
003604D0  D0 04 36 00 D0 04 36 00 D8 04 36 00 D8 04 36 00  ?6.?6.?6.?6.
003604E0  E0 04 36 00 E0 04 36 00 E8 04 36 00 E8 04 36 00  ?6.?6.?6.?6.
003604F0  F0 04 36 00 F0 04 36 00 F8 04 36 00 F8 04 36 00  ?6.?6.?6.?6.
00360500  00 05 36 00 00 05 36 00 08 05 36 00 08 05 36 00  .6..6.6.6.
00360510  10 05 36 00 10 05 36 00 18 05 36 00 18 05 36 00  6.6.6.6.
00360520  20 05 36 00 20 05 36 00 28 05 36 00 28 05 36 00   6. 6.(6.(6.
00360530  30 05 36 00 30 05 36 00 38 05 36 00 38 05 36 00  06.06.86.86.
00360540  40 05 36 00 40 05 36 00 48 05 36 00 48 05 36 00  @6.@6.H6.H6.
00360550  50 05 36 00 50 05 36 00 58 05 36 00 58 05 36 00  P6.P6.X6.X6.
00360560  60 05 36 00 60 05 36 00 68 05 36 00 68 05 36 00  `6.`6.h6.h6.
00360570  70 05 36 00 70 05 36 00 08 06 36 00 00 00 00 00  p6.p6.6.....
00360580  00 00 00 00 00 00 00 00 00 00 00 00 00 10 36 00  .............6.
00360590  00 F0 00 00 00 00 00 00 A8 05 36 00 00 00 00 00  .?.....?6.....
003605A0  00 00 00 00 00 00 00 00 B8 05 36 00 00 00 00 00  ........?6.....
003605B0  00 00 00 00 00 00 00 00 C8 05 36 00 00 00 00 00  ........?6.....
003605C0  00 00 00 00 00 00 00 00 D8 05 36 00 00 00 00 00  ........?6.....
003605D0  00 00 00 00 00 00 00 00 E8 05 36 00 00 00 00 00  ........?6.....
003605E0  00 00 00 00 00 00 00 00 F8 05 36 00 00 00 00 00  ........?6.....
003605F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360600  00 00 00 00 00 00 00 00 40 F8 FC 77 FF FF FF FF  ........@w
00360610  00 00 00 00 00 00 00 00 2C 00 00 00 00 00 00 00  ........,.......
00360620  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360630  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360640  08 00 C8 00 00 01 00 00 EE FF EE FF 00 00 00 00  .?...??....
00360650  00 00 36 00 00 F0 00 00 00 00 36 00 10 00 00 00  ..6..?...6....
00360660  80 06 36 00 00 00 37 00 0F 00 00 00 01 00 00 00  €6...7.......
00360670  88 05 36 00 00 00 00 00 80 06 36 00 00 00 00 00  ?6.....€6.....
00360680  30 01 08 00 00 10 00 00 78 01 36 00 78 01 36 00  0....x6.x6.	     //这里是尾块  指向 freelist[0] 构成双向链表  前面的0x0130 是尾块目前的大小 计算单位是8个字节  也就是 0x980字节
00360690  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................	//注意:堆块大小包含 块首在内的
003606A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003606B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................



因为在  编程时   HeapCreate(0,0x1000,0x10000);  堆不可扩展  也不可使用块表

要想使用块表  用  HeapCreate(0,0,0); 也就是lookaside

第三个参数的设置,如果指定为0的话,则堆可以在需要的情况下不断增大


分配时不断修改尾块块首中的size信息,最终把 freelist[0] 指向新的尾块位置

6次分配内存HeapAlloc 后

00360668  0F 00 00 00 01 00 00 00 88 05 36 00 00 00 00 00         ......?6.....			//上面的省略
00360678  00 07 36 00 00 00 00 00 02 00 08 00 00 01 0D 00         .6..........			//h1 块首	 大小0x2
00360688  00 00 00 00 78 01 36 00 02 00 02 00 00 01 0B 00         ....x6.....
00360698  00 00 00 00 00 01 36 00 02 00 02 00 00 01 0A 00         .....6......
003606A8  00 00 00 00 00 00 36 00 02 00 02 00 00 01 08 00         ......6.....
003606B8  00 00 00 00 00 00 00 00 04 00 02 00 00 01 0D 00         .............			//h5块首  大小0x4
003606C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606D8  00 00 00 00 00 00 00 00 04 00 04 00 00 01 08 00         ............
003606E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606F8  00 00 00 00 00 00 00 00 20 01 04 00 00 10 00 00         ........ ....	     //尾块 块首 大小 0x130 - 0x2*4-0x4*2 = 0x120
00360708  78 01 36 00 78 01 36 00 00 00 00 00 00 00 00 00         x6.x6.........



3次  HeapFree后:

00360680  02 00 08 00 00 00 0D 00 A8 06 36 00 88 01 36 00         ......?6.?6.//Free h1 指向  0x6A8
00360690  02 00 02 00 00 01 0B 00 00 00 00 00 00 01 36 00         ... ......6.
003606A0  02 00 02 00 00 00 0A 00 88 01 36 00 88 06 36 00         ......?6.?6.//Free h3  指向0x188
003606B0  02 00 02 00 00 01 08 00 00 00 00 00 00 00 00 00         ............
003606C0  04 00 02 00 00 00 0D 00 98 01 36 00 98 01 36 00         ......?6.?6.  //Free h5  指向0x198
003606D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606E0  04 00 04 00 00 01 08 00 00 00 00 00 00 00 00 00         ............
003606F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360700  20 01 04 00 00 10 00 00 78 01 36 00 78 01 36 00          ....x6.x6.

00360138  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360148  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360158  14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ...............
00360168  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00         ...............
00360178  08 07 36 00 08 07 36 00 80 01 36 00 80 01 36 00         6.6.€6.€6.
00360188  88 06 36 00 A8 06 36 00 90 01 36 00 90 01 36 00         ?6.?6.?6.?6.//freelist[2]   h1 h3
00360198  C8 06 36 00 C8 06 36 00 A0 01 36 00 A0 01 36 00         ?6.?6.?6.?6.//freelist[4]   h5
003601A8  A8 01 36 00 A8 01 36 00 B0 01 36 00 B0 01 36 00         ?6.?6.?6.?6.
003601B8  B8 01 36 00 B8 01 36 00 C0 01 36 00 C0 01 36 00         ?6.?6.?6.?6.


h1  h3  被链入 freelist[2] 的空表

h5   被链入  freelist[4]  

最后一次 释放内存:


00360138  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360148  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360158  04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............
00360168  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00         ...............
00360178  08 07 36 00 08 07 36 00 80 01 36 00 80 01 36 00         6.6.€6.€6.
00360188  88 06 36 00 88 06 36 00 90 01 36 00 90 01 36 00         ?6.?6.?6.?6.
00360198  98 01 36 00 98 01 36 00 A0 01 36 00 A0 01 36 00         ?6.?6.?6.?6.//Freelist[4] 原来的空闲块 h5被摘下
003601A8  A8 01 36 00 A8 01 36 00 B0 01 36 00 B0 01 36 00         ?6.?6.?6.?6.
003601B8  A8 06 36 00 A8 06 36 00 C0 01 36 00 C0 01 36 00         ?6.?6.?6.?6.//h3 h4 h5 合并的块 freelist[8]
003601C8  C8 01 36 00 C8 01 36 00 D0 01 36 00 D0 01 36 00         ?6.?6.?6.?6.
003601D8  D8 01 36 00 D8 01 36 00 E0 01 36 00 E0 01 36 00         ?6.?6.?6.?6.
003601E8  E8 01 36 00 E8 01 36 00 F0 01 36 00 F0 01 36 00         ?6.?6.?6.?6.

00360680  02 00 08 00 00 00 0D 00 88 01 36 00 88 01 36 00         ......?6.?6. //只剩下h1  以前的h3 摘下
00360690  02 00 02 00 00 01 0B 00 00 00 00 00 00 01 36 00         ... ......6.
003606A0  08 00 02 00 00 00 0A 00 B8 01 36 00 B8 01 36 00         ......?6.?6.//h3  指向合并块 freelist[8]
003606B0  02 00 02 00 00 01 08 00 00 00 00 00 00 00 00 00         ............
003606C0  04 00 04 00 00 00 0D 00 98 01 36 00 98 01 36 00         ......?6.?6.
003606D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................//这是 h3 h4 h5合并的块

003606E0  04 00 08 00 00 01 08 00 00 00 00 00 00 00 00 00         ............
003606F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360700  20 01 04 00 00 10 00 00 78 01 36 00 78 01 36 00          ....x6.x6.

堆块合并只发生在  空表中   

一般被禁止


2块表 lookaside  最多只有4项

可以看

利用块表lookaside进行堆溢出

#include <stdio.h>
#include <windows.h>
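/*
 * Lookaside (块表) demo. A growable heap (HeapCreate(0,0,0)) keeps freed
 * small blocks on per-size lookaside lists instead of the freelists.
 * Run under a debugger: the `__asm int 3` stops right after the heap is
 * created so the heap header and lookaside entries can be inspected after
 * each step (see the memory dumps that follow this listing).
 *
 * Returns 0 on success, 1 if the heap or one of the blocks could not be
 * allocated.
 */
int main(void)
{
	HLOCAL h1, h2, h3, h4;
	HANDLE hp;

	/* Initial/maximum size 0,0: the heap may grow, so the lookaside lists are used. */
	hp = HeapCreate(0, 0, 0);
	if (hp == NULL) {
		fprintf(stderr, "HeapCreate failed: %lu\n", GetLastError());
		return 1;
	}
	/* MSVC inline-asm breakpoint; debug-only, remove for any build not run under a debugger. */
	__asm int 3

	/* Two 8-byte, one 16-byte and one 24-byte block: one request per size class. */
	h1 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 8);
	h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 8);
	h3 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 16);
	h4 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 24);
	if (h1 == NULL || h2 == NULL || h3 == NULL || h4 == NULL) {
		fprintf(stderr, "HeapAlloc failed: %lu\n", GetLastError());
		HeapDestroy(hp); /* releases any blocks that did succeed */
		return 1;
	}

	/* Freed blocks go onto lookaside[1..3]; they keep the busy flag and are not coalesced. */
	HeapFree(hp, 0, h1);
	HeapFree(hp, 0, h2);
	HeapFree(hp, 0, h3);
	HeapFree(hp, 0, h4);

	/* A 16-byte request is served from lookaside[2], emptying it; freeing it refills the list. */
	h2 = HeapAlloc(hp, HEAP_ZERO_MEMORY, 16);
	HeapFree(hp, 0, h2);

	/* Release the private heap instead of leaking it to process exit. */
	HeapDestroy(hp);
	return 0;
}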

HeapCreate(0,0,0) 创建一个可扩展的堆 才能使用块表!!! 

分配内存时:

00360688  00 00 00 00 00 00 00 00 04 00 00 01 00 00 00 00         ..............
00360698  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606B8  00 00 00 00 00 00 00 00 04 00 00 01 00 00 00 00         ..............//lookaside[0]
003606C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................

003606E8  00 00 00 00 00 00 00 00 04 00 00 01 02 00 00 00         .............//lookaside[1]
003606F8  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ...............
00360708  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................

00360718  00 00 00 00 00 00 00 00 04 00 00 01 01 00 00 00         .............//lookaside[2]
00360728  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ...............
00360738  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................

00360748  00 00 00 00 00 00 00 00 04 00 00 01 01 00 00 00         .............
00360758  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ...............
00360768  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................


00360688  00 00 00 00 00 00 00 00 04 00 00 01 00 00 00 00         ..............
00360698  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606B8  00 00 00 00 00 00 00 00 04 00 00 01 00 00 00 00         ..............
003606C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
003606E8  A0 1E 36 00 02 00 02 00 04 00 00 01 02 00 00 00         ?6........//8字节堆块地址
003606F8  02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00         ..............
00360708  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360718  B0 1E 36 00 01 00 01 00 04 00 00 01 01 00 00 00          ?6........//16字节堆块地址
00360728  01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00         ..............
00360738  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360748  C8 1E 36 00 01 00 01 00 04 00 00 01 01 00 00 00            ?6......../24字节堆块地址
00360758  01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00         ..............
00360768  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................

释放后 标志位 为0x1  处于busy状态  所以 不能合并

00361E88  02 00 01 03 00 01 08 00 00 00 00 00 00 00 00 00         ...........
00361E98  02 00 02 00 00 01 08 00 90 1E 36 00 00 00 00 00         ....?6.....
00361EA8  03 00 02 00 00 01 08 00 00 00 00 00 00 00 00 00         ............
00361EB8  00 00 00 00 00 00 00 00 04 00 03 00 00 01 08 00         ............
00361EC8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................

再申请内存16字节:

003606E8  A0 1E 36 00 02 00 02 00 04 00 00 01 02 00 00 00         ?6........//lookaside[1]                                 
003606F8  02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00         ..............
00360708  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360718  00 00 00 00 00 00 02 00 04 00 00 01 02 00 00 00           ............//lookaside[2] 又为空 又被申请了
00360728  01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00         ..............
00360738  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00360748  C8 1E 36 00 01 00 01 00 04 00 00 01 01 00 00 00         ?6........//lookaside[3]


