Blowing chunks of heap love: an overview of the Microsoft Windows allocator and strategies

Chris Spencer 2006

This presentation will first delve into the inner workings of the Windows heap allocator. Heap buffer overflow techniques for manipulating arbitrary overwrites will be covered for pre xp-sp2/2003sp1 heap implementations. Afterwards, we will then take a look at the new heap protection features introduced in xpsp2 and 2003sp1, along with some strategies for working around them.

About Chris Spencer

Chris Spencer is the main organiser of RuxCon, Australia's second best computer security conference :). Previously he has been a member of the TESO Security Group, where in 2000 he was responsible for having the "Two years without a localhost hole in the default install!" slogan removed from the OpenBSD website. Additionally Chris has worked for Internet Security Systems X-FORCE team where he performed vulnerability research and development. After a long stint at an investment bank, Chris now works for SureSEC, a security company that specialises in providing it's customers with in-depth vulnerability research information and tools.