# The Heap: Dynamic Memory's Playground

Ever stared at your program's memory and thought, "I wish I had somewhere to store stuff that needs to stick around longer than a quick function call"? Well, you're in luck! While [[The Stack]] is brilliant for temporary storage (like that mental note you make while reading this), sometimes we need something more flexible. Enter the heap - think of it as your program's storage locker, where memory can hang out for as long as you need it.

## What's the Heap All About?

Unlike the stack's "last in, first out" approach (imagine a stack of plates where you can only take from the top), the heap is more like your kitchen drawer - wonderfully flexible but potentially chaotic if you're not careful! You can grab any space you need, use it however you want, and return it whenever you're done. Pretty cool. But remember - with great power comes great responsibility. You've got to manage this memory yourself!

### How's it Different from the Stack?

Let's break it down.

| Feature                   | Stack                                            | Heap                                  |
| ------------------------- | ------------------------------------------------ | ------------------------------------- |
| Memory Management         | On autopilot (like your phone's storage cleanup) | Manual (like organising your garage)  |
| Speed of Getting Space    | Lightning fast                                   | A bit slower (but still quick!)       |
| Can it Get Messy?         | Nope, always tidy                                | Oh yes - fragmentation is real!       |
| Size Limits               | Fixed when you start                             | Limited by your system's memory       |
| How Long Does Stuff Stay? | Just during function calls                       | Until you explicitly say, "I'm done!" |
| Which Way Does it Grow?   | Downward (like building a tower underground)     | Upward (like building a skyscraper)   |

## Getting Your Hands on Some Heap Memory

### Need Some Space? Just Ask!

Different programming languages handle this in their own special ways. Here's how C and C++ do it:

```c
#include <stdlib.h>

// C-style: "Hey, can I have space for 5 integers?"
int* numbers = (int*)malloc(5 * sizeof(int));

// Need it cleared out first? No problem!
char* text = (char*)calloc(100, sizeof(char)); // All zeroes, nice and clean

// Changed your mind about the size?
int* more_numbers = (int*)realloc(numbers, 10 * sizeof(int));
```

```cpp
// C++ style: Same idea, fancier syntax
int* numbers = new int[5];
char* text = new char[100];
```

### Cleaning Up After Yourself

Just like returning your library books, you've got to give back memory when you're done:

```c
// C-style cleanup
free(more_numbers); // realloc() may have moved the block, so free the pointer it handed back
free(text);
```

```cpp
// C++ cleanup
delete[] numbers;
delete[] text;
```

## The Windows Heap: A Tale of Two Architectures

Let's talk about how Windows manages its heap - and trust me, it's got some interesting quirks depending on whether you're running 32-bit or 64-bit Windows.

### 32-bit Windows: Working with Limited Space

Imagine trying to fit your entire wardrobe into a tiny apartment - that's kind of what 32-bit Windows has to deal with. You've got a maximum of 4GB to play with (and realistically, you'll only get about 1.4GB to 1.6GB for your heap). It's like having a studio apartment - you can do a lot with it, but you've got to be clever about space management!

> Fun fact: 32-bit Windows is a tetchy roommate when it comes to moving stuff around. There's no `VirtualReAlloc()` function, so if you need to resize a big chunk of memory, you've got to do this whole song and dance of:
>
> 1. Find a new spot
> 2. Move everything over
> 3. Clean up the old space

It's like having to rent a new apartment just because you bought a bigger couch!

### 64-bit Windows: Living Large

Now, 64-bit Windows? That's like upgrading from that studio apartment to a mansion! We're talking about an absolutely massive amount of addressable space (2<sup>64</sup>). It's almost comical how much room you've got to play with.

But here's a quirky difference - 64-bit Windows is a bit more particular about how it organises things. While 32-bit Windows works with 8-byte chunks, 64-bit Windows insists on 16-byte chunks. Think of it like organising your closet - the 64-bit version wants everything in slightly bigger boxes. Maybe it's just planning ahead and leaving itself room to grow!

### Windows API: Your Memory Management Toolkit

Windows comes with a whole Swiss Army knife of functions for managing heap memory. Think of these as your professional-grade memory management tools:

|Function|What It Does|Think of It Like...|
|---|---|---|
|`GetProcessHeap`|Gets a handle to your process's heap|Getting the key to your storage unit|
|`RtlAllocateHeap`|Grabs a chunk of memory|Reserving a specific space in that unit|
|`RtlReAllocateHeap`|Resizes an existing block|Moving to a bigger (or smaller) storage space|
|`RtlFreeHeap`|Returns memory to the heap|Clearing out your storage space|

Want to see how malware authors abuse these functions? Pop over to [[Windows API Malware Patterns]] - it's quite an eye-opener! 👀

## Inside the Heap: How Things Are Organised

### The Heap Block Header: Memory's Metadata Dance

Every chunk of allocated memory comes with its own little name tag - we call this the header.
It's like those little stickers you put on storage boxes to remember what's inside:

<div style="font-family: monospace;">
+----------------+----------------+------------------------+<br>
| <strong style="color: #A8B4F3;">Size</strong> | <strong style="color: #F2CF85;">Flags</strong> | <strong style="color: #EA7268;">Your Actual Data</strong> |<br>
+----------------+----------------+------------------------+<br>
<span style="color: #DBB9F8;">↑&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DBB9F8;">↑</span><br>
<strong style="color: #A8B4F3;">Header</strong> <span style="color: #F2CF85;">Where your pointer points</span>
</div>

### Free List: Memory's Lost and Found

Think of the free list as the heap's version of a thrift store - it keeps track of all the memory spaces that are available for use. When you free some memory, it goes back into this list, ready to be "purchased" by another part of your program.

![[Pasted image 20250110105845.png]]

## When Things Go Wrong: Common Heap Headaches

### Memory Leaks: The Silent Resource Vampire

This is like leaving your lights on when you leave the house - sure, nothing explodes, but you're wasting resources:

```c
#include <stdlib.h>

void memory_leak() {
    char* data = malloc(1024); // Grab some memory
    // Oops! Forgot to free(data)
} // That memory is now lost in the void forever
```

### Use After Free: The Zombie Memory Problem

Imagine trying to use a parking spot after someone else has already parked there. Not gonna end well... or reaching in for some more popcorn in the movies after the bucket is empty...

```c
#include <stdlib.h>

char* ptr = malloc(10); // Get a parking spot
free(ptr);              // Give up the spot
ptr[0] = 'A';           // Try to park there anyway - CRASH! 🚗💥
```

### Double Free: The "Already Returned It" Blunder

This is like trying to return the same library book twice. The librarian (your program) is not going to be happy:

```c
#include <stdlib.h>

char* ptr = malloc(10);
free(ptr); // "Here's your book back!"
free(ptr); // "No really, here it is again!" - BOOM! 💥
```

## Keeping Your Heap Safe and Sound

### Best Practices (or "How to Not Shoot Yourself in the Foot")

**Always Match Your Allocations and Deallocations**

```cpp
#include <memory>

// C++17 makes life easier with smart pointers
std::unique_ptr<int[]> safe_array(new int[10]);
// Look Ma, no manual cleanup needed! 🎉
```

**Check If Your Allocation Worked**

```c
#include <stdlib.h>

int do_work(size_t size) {
    void* ptr = malloc(size);
    if (!ptr) {
        // Uh oh, something went wrong! Report it instead of dereferencing NULL
        return -1;
    }
    // All good, carry on! 👍
    free(ptr);
    return 0;
}
```

### Debugging Tools: Your Memory Detective Kit

Need to track down heap problems? These tools are your new best friends:

**Windows Debugging with WinDbg**

<div style="font-family: monospace;">
<strong style="color: #A8B4F3;">!heap -s</strong> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// <span style="color: #F2CF85;">Heap statistics</span><br>
<strong style="color: #A8B4F3;">!heap -stat</strong> &nbsp;&nbsp;&nbsp;&nbsp;// <span style="color: #F2CF85;">Detailed heap stats</span><br>
<strong style="color: #A8B4F3;">!heap -flt s 1000</strong> // <span style="color: #F2CF85;">Find blocks by size</span>
</div>

**Linux Memory Sleuthing**

```shell
valgrind --leak-check=full ./program   # Find those pesky leaks
MALLOC_TRACE=mtrace.log ./program      # glibc logs every malloc/free (the program must call mtrace())
mtrace ./program mtrace.log            # Turn that log into a readable "memory not freed" report
```

## Heap Security: Keeping the Bad Guys Out

### When Malware Comes Knocking

Just like how burglars look for unlocked windows, malware authors love finding heap vulnerabilities. Here's a classic target they look for:

```c
// A recipe for trouble if we're not careful
struct user_data {
    char name[8];
    void (*callback)(); // Function pointer - juicy target! 🎯
};
// Write more than 8 chars to name and...
// Oops, we just overwrote our function pointer! 💥
```

Want to dive deeper into how malware messes with the heap? Check out [[Windows API Malware Patterns]] - it's like a true crime documentary, but for code.

### Modern Heap Protection: The Security System

Modern systems have some pretty clever tricks up their sleeves to keep our heap safe:

1. **Guard Pages**
   - Like having security guards between memory blocks
   - If someone tries to overflow, BOOM! Caught red-handed 🚔
2. **Canaries**
   - Remember those canaries from [[The Stack]]? We've got them in the heap too!
   - Little values that scream for help if someone messes with them
3. **Metadata Protection**
   - Encrypting heap management data
   - Like keeping your security system's wiring behind a steel plate

## Advanced Heap Techniques: The Power User's Toolkit

### Binning: Organising Memory Like a Pro

Most heap managers use something called "binning" - think of it like having different-sized boxes ready to go:

```c
#include <stddef.h>

#define NUM_BINS 32            // Number of size classes (picked for illustration)

typedef struct block {
    struct block* next;        // Next empty box of the same size
} block_t;

typedef struct bin {
    size_t size;               // How big are these boxes?
    block_t* free_list;        // Where can we find empty ones?
} bin_t;

typedef struct heap {
    bin_t bins[NUM_BINS];      // Our collection of different-sized boxes
    // Other bookkeeping stuff
} heap_t;
```

### Coalescing: The Memory Cleanup Crew

When you free memory blocks next to each other, the heap manager gets clever:

<div style="font-family: monospace;">
<strong>Before cleanup:</strong><br>
[<strong style="color: #A8B4F3;">In Use</strong>][<strong style="color: #F2CF85;">Free!</strong>][<strong style="color: #F2CF85;">Also Free!</strong>][<strong style="color: #A8B4F3;">In Use</strong>]<br><br>
<strong>After some tidying:</strong><br>
[<strong style="color: #A8B4F3;">In Use</strong>][&nbsp;&nbsp;&nbsp;<strong style="color: #F2CF85;">One Big Free Space</strong>&nbsp;&nbsp;&nbsp;][<strong style="color: #A8B4F3;">In Use</strong>]
</div>

It's like pushing two half-empty drawers together to make one big, helpful space! 🧹✨

## Want to Level Up Your Heap Knowledge?

Ready to dive deeper? Check out these related brain teasers:

- [[Memory Layout Essentials]] - See how the heap fits into the bigger picture
- [[Windows API Basics]] - Discover how Windows juggles heap management
- [[Advanced Register Techniques]] - Get fancy with registers in heap operations
- [[PE File Format Foundations]] - Understand how programs organise their heap usage

Remember, getting comfortable with heap management is like learning to juggle - it takes practice, but once you've got it, you'll wonder how you ever managed without it! Whether you're hunting down sneaky memory leaks or analysing how malware misbehaves, knowing your way around the heap is an essential skill in your programming toolkit. 🎯
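To tie the header, free-list, coalescing and canary sections together, here is an added toy allocator written for this page (not code from the page, from Windows, or from any real heap). It assumes a 4 KB static arena, a single first-fit chain instead of bins, forward-only coalescing, and a fixed canary constant; `toy_malloc`, `toy_free` and `toy_largest_free` are names invented here.

```c
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096u
#define HDR_CANARY 0xC0FFEE42u  /* constructed constant; a real allocator uses a per-process secret */
#define FLAG_FREE  1u

/* 16-byte header (64-bit Windows granularity). canary comes first so an overflow running past the
   previous block's data hits it; size = usable bytes after the header; flags holds FLAG_FREE. */
typedef struct { uint32_t canary, size, flags, pad; } hdr_t;

static uint8_t arena[ARENA_SIZE] __attribute__((aligned(16))); static int arena_ready;
static hdr_t *first_hdr(void) { return (hdr_t *)arena; }
static hdr_t *next_hdr(hdr_t *h) { return (hdr_t *)((uint8_t *)(h + 1) + h->size); }
static int in_arena(hdr_t *h) { return (uint8_t *)h < arena + ARENA_SIZE; }

/* First-fit walk over the block chain; splits when the remainder can hold a header plus 16 bytes. */
void *toy_malloc(size_t n) {
    if (!arena_ready) {  /* lazily turn the whole arena into one free block */
        hdr_t *f = first_hdr(); f->canary = HDR_CANARY; f->size = ARENA_SIZE - sizeof(hdr_t);
        f->flags = FLAG_FREE; arena_ready = 1;
    }
    uint32_t need = (uint32_t)((n + 15) & ~(size_t)15);
    for (hdr_t *h = first_hdr(); in_arena(h); h = next_hdr(h)) {
        if (!(h->flags & FLAG_FREE) || h->size < need) continue;
        if (h->size - need >= sizeof(hdr_t) + 16) {  /* split off the remainder as a new free block */
            hdr_t *rest = (hdr_t *)((uint8_t *)(h + 1) + need);
            rest->canary = HDR_CANARY; rest->size = h->size - need - sizeof(hdr_t); rest->flags = FLAG_FREE;
            h->size = need;
        }
        h->flags = 0;
        return h + 1;
    }
    return NULL;
}

/* 0 = freed, 1 = double free refused, 2 = next header's canary clobbered (overflow), block left alone. */
int toy_free(void *p) {
    hdr_t *h = (hdr_t *)p - 1, *nx = next_hdr(h);
    if (h->flags & FLAG_FREE) return 1;
    if (in_arena(nx) && nx->canary != HDR_CANARY) return 2;
    h->flags = FLAG_FREE;
    if (in_arena(nx) && (nx->flags & FLAG_FREE)) h->size += sizeof(hdr_t) + nx->size;  /* coalesce forward */
    return 0;
}

uint32_t toy_largest_free(void) {  /* largest free block: shows whether coalescing happened */
    uint32_t best = 0;
    for (hdr_t *h = first_hdr(); in_arena(h); h = next_hdr(h))
        if ((h->flags & FLAG_FREE) && h->size > best) best = h->size;
    return best;
}
```

Freeing two neighbouring blocks merges them back into one big free space, freeing the same pointer twice is refused, and an overflow that runs into the next header's canary is caught at free time, which is the same moment real allocators abort on a corrupted header.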