[分享]Win10的RtlCreateHeap分析-软件逆向-看雪安全社区

[分享]Win10的RtlCreateHeap分析
发表于: 2025-2-21 00:41 7578
[分享]Win10的RtlCreateHeap分析

xichang13
2025-2-21 00:41
7578
自己分析了一下Win10的堆，但是有很多地方有不明白的。也可能分析错误，不要见怪，请求指正。
 
系统堆
判断是否是系统堆，如果是，则在判断系统兼容性(RtlpHpAppCompatDontChangePolicy())后创建段堆(Segment Heap)。
 
段堆
如果不是系统堆则判断HEAP_CREATE_SEGMENT_HEAP(0x100)标志，如果是则调用(_RtlpHpEnvGetEnvHandleFromParams)获取上下文后调用(_RtlpHpHeapCreate())创建段堆，否则创建普通堆。
普通堆
 
NTSYSAPI PVOID RtlCreateHeap(
  [in]           ULONG                Flags,
  [in, optional] PVOID                HeapBase,
  [in, optional] SIZE_T               ReserveSize,
  [in, optional] SIZE_T               CommitSize,
  [in, optional] PVOID                Lock,
  [in, optional] PRTL_HEAP_PARAMETERS Parameters
);
NTSYSAPI PVOID RtlCreateHeap(
  [in]           ULONG                Flags,
  [in, optional] PVOID                HeapBase,
  [in, optional] SIZE_T               ReserveSize,
  [in, optional] SIZE_T               CommitSize,
  [in, optional] PVOID                Lock,
  [in, optional] PRTL_HEAP_PARAMETERS Parameters
);
PVOID RtlAllocateHeap(
    [in]           PVOID  HeapHandle,
    [in, optional] ULONG  Flags,
    [in]           SIZE_T Size
) {
    if (HeapHandle == NULL) {
        /*
        // 记录错误日志
        RtlpLogHeapFailure(0x13,0,0,0,0,0);
        */
    }
     
    if (*((DWORD*)HeapHandle + 2) == 0xDDEEDDEE) {
        /*
        // 分配内存与异常处理
        return RtlpHpAllocWithExceptionProtection(HeapHandle,Size,Flags);
        */
    }
     
    if (_RtlpHpHeapFeatures & 2 != 0) {
        /*
        // 分配内存
        RtlpHpTagAllocateHeap(HeapHandle,Size,Flags);
        */
    }
    // 分配内存
    return RtlpAllocateHeapInternal(HeapHandle, Size, Flags, 0);
}
PVOID RtlAllocateHeap(
    [in]           PVOID  HeapHandle,
    [in, optional] ULONG  Flags,
    [in]           SIZE_T Size
) {
    if (HeapHandle == NULL) {
        /*
        // 记录错误日志
        RtlpLogHeapFailure(0x13,0,0,0,0,0);
        */
    }
     
    if (*((DWORD*)HeapHandle + 2) == 0xDDEEDDEE) {
        /*
        // 分配内存与异常处理
        return RtlpHpAllocWithExceptionProtection(HeapHandle,Size,Flags);
        */
    }
     
    if (_RtlpHpHeapFeatures & 2 != 0) {
        /*
        // 分配内存
        RtlpHpTagAllocateHeap(HeapHandle,Size,Flags);
        */
    }
    // 分配内存
    return RtlpAllocateHeapInternal(HeapHandle, Size, Flags, 0);
}
BOOL RtlFreeHeap(
[in]           PVOID                 HeapHandle,
[in, optional] ULONG                 Flags,
_Frees_ptr_opt_ PVOID BaseAddress
) {
    if (!BaseAddress)
        return 1;
    if (!HeapHandle)
        /*
        // 记录错误日志
        RtlpLogHeapFailure(HeapHandle,0,0,0,0,0);
        */
    if (*(DWORD*)((DWORD)HeapHandle + 8) == 0xDDEEDDEE)
        /*
        // 在异常保护中释放内存
        return RtlpHpFreeWithExceptionProtection(HeapHandle,BaseAddress,Flags);
        */
    if ((RtlpHpHeapFeatures & 2) != 0)
        /*
        // LFH 快速堆分配的释放
            return RtlpHpTagFreeHeap(HeapHandle, BaseAddress,Flags);
        */
    /*
    // 释放内存
    return RtlpFreeHeapInternal(HeapHandle, BaseAddress, Flags, 0, 0);
    */
    return FALSE;
}
BOOL RtlFreeHeap(
[in]           PVOID                 HeapHandle,
[in, optional] ULONG                 Flags,
_Frees_ptr_opt_ PVOID BaseAddress
) {
    if (!BaseAddress)
        return 1;
    if (!HeapHandle)
        /*
        // 记录错误日志
        RtlpLogHeapFailure(HeapHandle,0,0,0,0,0);
        */
    if (*(DWORD*)((DWORD)HeapHandle + 8) == 0xDDEEDDEE)
        /*
        // 在异常保护中释放内存
        return RtlpHpFreeWithExceptionProtection(HeapHandle,BaseAddress,Flags);
        */
    if ((RtlpHpHeapFeatures & 2) != 0)
        /*
        // LFH 快速堆分配的释放
            return RtlpHpTagFreeHeap(HeapHandle, BaseAddress,Flags);
        */
    /*
    // 释放内存
    return RtlpFreeHeapInternal(HeapHandle, BaseAddress, Flags, 0, 0);
    */
    return FALSE;
}
DWORD dword_4B3A32DC = 0;
DWORD dword_4B3A32F4 = 0; // 函数?
DWORD dword_4B3A32E4 = 0;
// 堆特性
DWORD RtlpHpHeapFeatures = 0;
// 堆的错误处理行为
DWORD RtlpHeapErrorHandlerThreshold = 0;
DWORD dwAllocationGranularity = 0;
DWORD _RtlHeapKey = 0;
DWORD RtlpDisableHeapLookaside = 0;
DWORD _RtlpDisableHeapLookaside = 0;
DWORD _RtlpProcessHeapsListLock = 0;
 
PVOID RtlCreateHeap(
    ULONG                Flags,
    PVOID                HeapBase,
    SIZE_T               ReserveSize,
    SIZE_T               CommitSize,
    PVOID                Lock,
    PRTL_HEAP_PARAMETERS Parameters
) {
    DWORD SizeOfHeap;
    DWORD var_C0 = CommitSize;
    DWORD RandValue;
    _PEB32* peb = (_PEB32*)NtCurrentTeb()->ProcessEnvironmentBlock;
    DWORD NtGlobalFlag = peb->NtGlobalFlag;
    DWORD var_E4 = 0;
    _HEAP* pHeapBase = 0;
    DWORD var_D0 = 0;
    DWORD var_4C;
    DWORD var_DC;
    DWORD var_D8;
    DWORD var_E0;
    DWORD var_CC;
 
    DWORD edi = (DWORD)Parameters;
    DWORD esi = 0;
    DWORD eax = 0;
 
    if (dword_4B3A32DC != 0) { // 是否是系统堆
        if (HeapBase == 0 && Lock == 0) {
            /*
            RtlpHpAppCompatDontChangePolicy() // 不允许应用程序更改兼容性策略
            DWORD Result = dword_4B3A32F4(Flags, 0, ReserveSize, CommitSize, 0, edi);
            if(Result != 0)
                return Result;
            if(edi != 0xFFFFFFFF)
                return NULL;
            */
            edi = 0;
        }
    }
    else {
        if (dword_4B3A32E4 != 0) {
            if (edi == 1) {
                if ((Flags & 0x100) != 0)
                    edi = 0;
            }
        }
    }
     
    Flags &= 0xF1FFFFFF;
    if ((Flags & 0x100) != 0) { //HEAP_CREATE_SEGMENT_HEAP        0x00000100
        if (Flags & 0x2 == 0 || HeapBase != 0 || ReserveSize != 0
            || CommitSize != 0 || Lock != 0)
            return NULL;
        if (edi == 0xFFFFFFFF && dword_4B3A32E4 != 0) {
            edi = 0;
        }
        if (edi == 0) {
            esi = (DWORD)&var_4C;
        }
        else {
            esi = edi;
            /*
            // 检查参数是否合法
            if(!RtlpHpParametersVerify(edi))
                return NULL;
            */
        }
    }
    else if (RtlpHpHeapFeatures & 1 != 0) {
        if (Flags & 0x2 != 0 && HeapBase == 0) {
            if (edi != 0) {
                /*
                // 检查参数是否合法
                if(!RtlpHpParametersVerify(edi))
                    goto return53;
                */
            }
            eax = 2;
            if (Lock == 0)
                esi = (DWORD)&var_4C;
        }
    }
return53:
    eax = 2;
return52:
    if (esi != 0) {
        // 创建一个有异常保护的堆
        // return RtlpHpCreateHeap;
    }
 
    if (Flags & 0x10000000 == 0) {
        if (RtlpHeapErrorHandlerThreshold >= eax) {
            // 打印日志
        }
        if (Flags & 0xFFF80C00 != 0) {
            Flags &= 0x7F3FF;
        }
    }
    RTL_HEAP_PARAMETERS stParameters = { 0 };
    DWORD var_4;
    if (Parameters != 0) {
        var_4 = 0;
        if (Parameters->Length == 48) {
            memcpy(&stParameters, Parameters, 12);
        }
        var_4 = 0xFFFFFFFE;
    }
 
    // 修改flag
    if (NtGlobalFlag & 0x10 != 0) {
        Flags |= 0x20;
    }
    if (NtGlobalFlag & 0x20 != 0) {
        Flags |= 0x40;
    }
    if (NtGlobalFlag & 0x200000 != 0) {
        Flags |= 0x80;
    }
    if (NtGlobalFlag & 0x40 != 0) {
        Flags |= 0x40000000;
    }
    if (NtGlobalFlag & 0x80 != 0) {
        Flags |= 0x20000000;
    }
    if (NtGlobalFlag & 0x1000 != 0) {
        Flags |= 0x8000000;
    }
 
    // 填充结构体
    if (stParameters.SegmentReserve == 0)
        stParameters.SegmentReserve = peb->HeapSegmentReserve;
    if (stParameters.SegmentCommit == 0)
        stParameters.SegmentCommit = peb->HeapSegmentCommit;
    if (stParameters.DeCommitFreeBlockThreshold == 0)
        stParameters.DeCommitFreeBlockThreshold = peb->HeapDeCommitFreeBlockThreshold;
    if (stParameters.DeCommitTotalFreeThreshold == 0)
        stParameters.DeCommitTotalFreeThreshold = peb->HeapDeCommitTotalFreeThreshold;
 
    if (dwAllocationGranularity == 0) {
        /*
        // 获取分配粒度
        NtQuerySystemInformation
        dwAllocationGranularity = dwAllocationGranularity;
        // 失败 
        return NULL;
        */
    }
    if (stParameters.MaximumAllocationSize == 0)
        stParameters.MaximumAllocationSize = dwAllocationGranularity - 0x11000;
    if (stParameters.VirtualMemoryThreshold == 0 || stParameters.VirtualMemoryThreshold > 0x7F000)
        stParameters.VirtualMemoryThreshold = 0x7F000;
 
    DWORD var_C4 = (CommitSize + 0xFFF) & 0xFFFFF000;
    DWORD var_BC = (var_C4 + 0xFFF) & 0xFFFFF000;
    if (ReserveSize != 0) {
        var_BC = (ReserveSize + 0xFFF) & 0xFFFFF000;
    }
    if (var_C4 > var_BC) {
        var_C4 = var_BC;
    }
    esi = var_C4;
    edi = (DWORD)HeapBase;
    if (Flags & 2 != 0 && HeapBase == 0) {
        NtGlobalFlag = 0x1000;
        var_E4 = 2;
        if (var_BC - 0x1000 < var_C4) {
            var_BC += 0x10FFF;
            var_BC &= 0xFFFF0000;
        }
    }
    else {
        NtGlobalFlag = 0;
    }
    DWORD ecx = var_BC;
 
    if (esi == 0)
        return NULL;
    if (var_BC == 0)
        return NULL;
    if (Flags & 0x61000000 != 0 && Flags & 0x10000000 != 0) {
        /*
        return RtlDebugCreateHeap(x,x,x,x,x,x);
        */
    }
 
    SizeOfHeap = 0x258;
    if (Flags & 1 != 0) {
        if (Lock == 0)
            goto return28;
        return NULL;
    }
    if (Lock != 0) {
        Flags |= 0x80000000;
    }
    var_D0 = (DWORD)Lock == 0 ? 0 : (DWORD)Lock;
    SizeOfHeap = (DWORD)Lock == 0 ? 0x270 : 0x258;
return28:
    if (edi != 0) {
        if (stParameters.CommitRoutine != 0) {
            if (stParameters.InitialCommit == 0
                || stParameters.InitialReserve == 0
                || stParameters.InitialCommit > stParameters.InitialReserve
                || Flags & 2 != 0)
                return NULL;
            var_CC = edi;
            var_C0 = edi + stParameters.InitialCommit;
            var_BC = stParameters.InitialReserve;
            memset((void*)edi, 0, 0x1000);
        }
        else {
            MEMORY_BASIC_INFORMATION32 MemInfo1 = { 0 };
            MEMORY_BASIC_INFORMATION32 MemInfo2 = { 0 };
            int Ret = 0;
            /*
            // 查询 HeapBase 内存页面信息
            Ret = NtQueryVirtualMemory(0xFFFFFFFF,(DWORD)HeapBase,3,&MemInfo1,0x1C,0);
            */
            if (Ret < 0) {
                return NULL;
            }
            var_C0 = MemInfo1.BaseAddress;
            if (MemInfo1.BaseAddress != edi) {
                return NULL;
            }
            if (MemInfo1.State == 0x10000)
                return NULL;
            var_CC = MemInfo1.BaseAddress;
            if (MemInfo1.State != 0x1000) {
                var_BC = MemInfo1.RegionSize;
                if (var_C4 > MemInfo1.RegionSize) {
                    var_C4 = MemInfo1.RegionSize;
                }
                if (var_C4 < 0x1000) {
                    return NULL;
                }
            }
            else {
                if (Flags & 0x40000 != 0 && MemInfo1.Protect & 0x40 == 0)
                    return NULL;
                /*
                // 查询 HeapBase 内存页面信息
                Ret = NtQueryVirtualMemory(0xFFFFFFFF,(DWORD)HeapBase,3,&MemInfo2,0x1C,0);
                */
                if (Ret < 0) {
                    return NULL;
                }
                var_BC = MemInfo2.RegionSize;
                var_C4 = MemInfo1.RegionSize;
                var_C0 = MemInfo1.RegionSize + var_CC;
            }
        }
        var_E4 |= 1;
        pHeapBase = (_HEAP*)edi;
        edi = Flags & 0x40000;
        ecx = var_C0;
        eax = var_CC;
    }
    else {
        var_DC = 0;
        if (stParameters.CommitRoutine != 0)
            return NULL;
        /*
        // 生成随机数
        RandValue = RtlpHeapGenerateRandomValue32();
        */
        RandValue = 0;
        /*
        var_D8 = (RtlpHeapGenerateRandomValue32() & 1Fh) << 0x10;
        */
        var_D8 = 0;
        var_E0 = var_D8 + var_BC;
        if (var_E0 < var_BC) {
            var_E0 = var_BC;
            var_D8 = 0;
        }
        /*
        // 申请内存
        int result = NtAllocateVirtualMemory(0xFFFFFFFF, &var_DC, 0, &var_E0, 0x2000, Flags & 0x40000 == 0 ? 0 : 0x40);;
        if(result < 0)
            return 0;
        */
        pHeapBase = (_HEAP*)var_DC;
        var_BC = var_E0;
        if (var_D8 != 0) {
            /*
            // 释放内存
            RtlpSecMemFreeVirtualMemory(&var_DC,var_BC,&var_D8,0x8000);
            */
            pHeapBase = (_HEAP*)(var_DC + var_D8);
            var_BC = var_E0 - var_D8;
        }
        var_CC = (DWORD)pHeapBase;
        var_C0 = (DWORD)pHeapBase;
    }
 
    if (var_CC == var_C0) {
        char* p = NULL;
        /*
        // 申请内存
        int result = NtAllocateVirtualMemory(0xFFFFFFFF, &var_CC, 0, &var_C4, 0x1000, Flags & 0x40000 == 0 ? 0 : 0x40);;
        if(result < 0)
            return 0;
        // 获取会话ID
        char *p = NULL;
        if(RtlGetCurrentServiceSessionId()){
            p = _PEB.SharedData + 0x226;
        }else{
            p = 0x7FFE0380;
        }
        */
        if (*p != 0) {
            if (peb->___u71.TracingFlags != 1) {
                /*
                // 记录堆提交操作
                RtlpLogHeapCommit(pHeapBase,var_CC,var_C4,1);
                */
            }
        }
        var_C0 += var_C4;
    }
    edi = (DWORD)pHeapBase + 0x258;
    if (peb->NtGlobalFlag & 0x800 != 0) {
        // 进程被调试
        pHeapBase->PseudoTagEntries = (_HEAP_PSEUDO_TAG_ENTRY * )(((DWORD)pHeapBase + 0x25F) & 0x0FFFFFFF8);
        SizeOfHeap = 0x60C;
        edi = (DWORD)pHeapBase->PseudoTagEntries + 0x60C;
        Flags |= 0x4000000;
        esi = Flags;
    }
    RandValue = (SizeOfHeap + 7) & 0xFFFFFFF8;
    pHeapBase->___u0.Segment.Entry.___u0.__s1.Size = (RandValue >> 3) & 0xFFFF;
    pHeapBase->___u0.Segment.Entry.___u0.__s1.Flags = 1;
    pHeapBase->___u0.Segment.Entry.___u0.ExtendedEntry.ExtendedBlockSignature = 1;
    pHeapBase->Signature = 0xEEFFEEFF;
    pHeapBase->Flags = esi;
    pHeapBase->Interceptor = 0;
    memset(&pHeapBase->Counters, 0, sizeof(pHeapBase->Counters));
    /*
    // 初始化 Encoding 成员
    RtlpCreateHeapEncoding(pHeapBase);
    */
    pHeapBase->Counters.HeapPollInterval = 1;
    if (pHeapBase->Flags & 0x8000000 != 0) {
        int result = 0;
        /*
        // 记录调试日志
        result = RtlpGetHeapInterceptorIndex(&RtlpStackTraceDatabaseLogPrefix);
        */
        pHeapBase->Interceptor &= (result & 0xFFFF);
    }
    pHeapBase->ForceFlags = Flags & 0x6001007D;
    pHeapBase->HeaderValidateLength = edi - (DWORD)pHeapBase;
    pHeapBase->HeaderValidateCopy = NULL;
    pHeapBase->FreeLists.Blink = &pHeapBase->FreeLists;
    pHeapBase->FreeLists.Flink = &pHeapBase->FreeLists;
    pHeapBase->VirtualAllocdBlocks.Blink = &pHeapBase->VirtualAllocdBlocks;
    pHeapBase->VirtualAllocdBlocks.Flink = &pHeapBase->VirtualAllocdBlocks;
    pHeapBase->SegmentList.Blink = &pHeapBase->SegmentList;
    pHeapBase->SegmentList.Flink = &pHeapBase->SegmentList;
    pHeapBase->UCRList.Blink = &pHeapBase->UCRList;
    pHeapBase->UCRList.Flink = &pHeapBase->UCRList;
    if (var_D0 == 0 && Flags & 1 == 0) {
        var_D0 = edi;
        int Ret = 0;
        /*
        // 线程同步
        Ret = RtlInitializeCriticalSectionEx(var_D0,0,0x10000000);
        */
        if (Ret < 0) {
            return NULL;
        }
        edi += 0x18;
        ecx = var_D0;
    }
    pHeapBase->LockVariable = (_HEAP_LOCK * )var_D0;
    pHeapBase->CompatibilityFlags |= 0x80000000;
    int Ret = 0;
    /*
    // 初始化堆段
    Ret = RtlpInitializeHeapSegment((DWORD)pHeapBase,(DWORD)pHeapBase,RandValue + 0x238,pHeapBase->LockVariable,var_E4,var_CC,var_C0,var_CC - NtGlobalFlag + var_BC);
    */
    if (Ret == 0) {
        return NULL;
    }
    esi = 0x80;
    if (pHeapBase->___u0.Segment.Entry.___u0.__s5.InterceptorValue != 0) {
        memset((void*)edi, 0, 0x80);
    }
    char* p = (char*)edi;
    *(DWORD*)(p + 4) = 0x80;
    *(DWORD*)(p + 0x1C) = (DWORD)(p+0x24);
    *(DWORD*)(p + 0x18) = (DWORD)&pHeapBase->FreeLists;
    *(DWORD*)(p + 0x20) = (DWORD)(p + 0x34);
    /*
    // 初始化堆块
    RtlpPopulateListIndex(pHeapBase,edi);
    */
    pHeapBase->ProcessHeapsListIndex = 0;
    pHeapBase->SegmentReserve = stParameters.SegmentReserve;
    pHeapBase->SegmentCommit = stParameters.SegmentCommit;
    pHeapBase->DeCommitFreeBlockThreshold = stParameters.DeCommitFreeBlockThreshold >> 3;
    pHeapBase->DeCommitTotalFreeThreshold = stParameters.DeCommitTotalFreeThreshold >> 3;
    pHeapBase->MaximumAllocationSize = stParameters.MaximumAllocationSize;
    pHeapBase->VirtualMemoryThreshold = (stParameters.VirtualMemoryThreshold + 7) >> 3;
    *(DWORD*)pHeapBase->CommitRoutine = (DWORD)stParameters.CommitRoutine ^ _RtlHeapKey;
    pHeapBase->TuningParameters.CommittThresholdShift = 4;
    pHeapBase->TuningParameters.MaxPreCommittThreshold = 0xFE000;
    if (RtlpDisableHeapLookaside & 1 != 0) {
        pHeapBase->CompatibilityFlags = 1;
    }
    if (Flags & 0x10000 == 0) {
        pHeapBase->AlignRound = 0xF;
        pHeapBase->AlignMask = 0xFFFFFFF8;
    }
    else {
        pHeapBase->AlignRound = 0x17;
        pHeapBase->AlignMask = 0xFFFFFFF0;
    }
    if (pHeapBase->Flags & 0x20 != 0) {
        pHeapBase->AlignRound += 8;
    }
    pHeapBase->FrontEndHeap = 0;
    pHeapBase->FrontHeapLockCount = 0;
    pHeapBase->FrontEndHeapType = 0;
    pHeapBase->RequestedFrontEndHeapType = 0;
    pHeapBase->UCRIndex = 0;
    if ((Flags & 3) == 2 ? 1 : 0 & _RtlpDisableHeapLookaside & 1 == 0 ? 1 : 0 != 0) {
        wchar_t* Ret = 0;
        /*
        // 申请内存
        Ret = RtlAllocateHeap(pHeapBase,0x80000A,0x256);
        */
        pHeapBase->FrontEndHeapUsageData = Ret;
        if (pHeapBase->FrontEndHeapUsageData == 0) {
            return NULL;
        }
        *(pHeapBase->FrontEndHeapUsageData - 1) = 1;
        pHeapBase->FrontEndHeapMaximumIndex = 0x80;
    }
    /*
    // 进入临界区
    RtlEnterCriticalSection(&_RtlpProcessHeapsListLock);
    // 添加到堆列表
    RtlpAddHeapToUnprotectedList(pHeapBase);
    // 退出临界区
    RtlEnterCriticalSection(&_RtlpProcessHeapsListLock);
    */
    if (pHeapBase->ProcessHeapsListIndex == 0) {
        return NULL;
    }
    DWORD SessionId = 0;
    /*
    // 获取会话ID
    SessionId = RtlGetCurrentServiceSessionId();
    */
    if (SessionId != 0) {
        SessionId = (DWORD)peb->SharedData + 0x226;
    }
    else {
        SessionId = 0x7FFE0380;
    }
    if (*(char*)SessionId != 0 && peb->___u71.TracingFlags & 1 != 0) {
        /*
        // 获取会话ID
        SessionId = RtlGetCurrentServiceSessionId();
        */
        if (SessionId != 0) {
            SessionId = (DWORD)peb->SharedData + 0x226;
        }
        /*
        // 记录日志
        RtlpLogHeapCreateEvent(pHeapBase,Flags,var_BC,var_C4,*(char*)SessionId);
        */
    }
    else {
        esi = Flags;
    }
    /*
    // 获取会话ID
    SessionId = RtlGetCurrentServiceSessionId();
    */
    if (SessionId != 0) {
        SessionId = (DWORD)peb->SharedData + 0x230;
    }
    else {
        SessionId = 0x7FFE038A;
    }
    if (*(char*)SessionId != 0) {
        /*
        // 获取会话ID
        SessionId = RtlGetCurrentServiceSessionId();
        */
        if (SessionId != 0) {
            SessionId = (DWORD)peb->SharedData + 0x230;
        }
        /*
        // 记录日志
        RtlpLogHeapCreateEvent(pHeapBase,Flags,var_BC,var_C4,*(char*)SessionId);
        */
    }
    /*
    // 获取会话ID
    SessionId = RtlGetCurrentServiceSessionId();
    */
    if (SessionId != 0) {
        SessionId = (DWORD)peb->SharedData + 0x22E;
    }
    else {
        SessionId = 0x7FFE0388;
    }
    if (*(char*)SessionId != 0) {
        /*
        RtlpHeapLogRangeCreate(pHeapBase,var_BC,Flags);
        */
    }
    pHeapBase->CompatibilityFlags = 0x7FFFFFFF;
    pHeapBase->StackTraceInitVar.Ptr = NULL;
    return (PVOID)pHeapBase;
}
DWORD dword_4B3A32DC = 0;
DWORD dword_4B3A32F4 = 0; // 函数?
DWORD dword_4B3A32E4 = 0;
// 堆特性
DWORD RtlpHpHeapFeatures = 0;
// 堆的错误处理行为
DWORD RtlpHeapErrorHandlerThreshold = 0;
DWORD dwAllocationGranularity = 0;
DWORD _RtlHeapKey = 0;
DWORD RtlpDisableHeapLookaside = 0;
DWORD _RtlpDisableHeapLookaside = 0;
DWORD _RtlpProcessHeapsListLock = 0;
 
PVOID RtlCreateHeap(
    ULONG                Flags,
    PVOID                HeapBase,
    SIZE_T               ReserveSize,
    SIZE_T               CommitSize,
    PVOID                Lock,
    PRTL_HEAP_PARAMETERS Parameters
) {
    DWORD SizeOfHeap;
    DWORD var_C0 = CommitSize;
    DWORD RandValue;
    _PEB32* peb = (_PEB32*)NtCurrentTeb()->ProcessEnvironmentBlock;
    DWORD NtGlobalFlag = peb->NtGlobalFlag;
    DWORD var_E4 = 0;
    _HEAP* pHeapBase = 0;
    DWORD var_D0 = 0;
    DWORD var_4C;
    DWORD var_DC;
    DWORD var_D8;
    DWORD var_E0;
    DWORD var_CC;
 
    DWORD edi = (DWORD)Parameters;
    DWORD esi = 0;
    DWORD eax = 0;
 
    if (dword_4B3A32DC != 0) { // 是否是系统堆
        if (HeapBase == 0 && Lock == 0) {
            /*
            RtlpHpAppCompatDontChangePolicy() // 不允许应用程序更改兼容性策略
            DWORD Result = dword_4B3A32F4(Flags, 0, ReserveSize, CommitSize, 0, edi);
            if(Result != 0)
                return Result;
            if(edi != 0xFFFFFFFF)
                return NULL;
            */
            edi = 0;
        }
    }
    else {
        if (dword_4B3A32E4 != 0) {
            if (edi == 1) {
                if ((Flags & 0x100) != 0)
                    edi = 0;
            }
        }
    }
     
    Flags &= 0xF1FFFFFF;
    if ((Flags & 0x100) != 0) { //HEAP_CREATE_SEGMENT_HEAP        0x00000100
        if (Flags & 0x2 == 0 || HeapBase != 0 || ReserveSize != 0
            || CommitSize != 0 || Lock != 0)
            return NULL;
        if (edi == 0xFFFFFFFF && dword_4B3A32E4 != 0) {
            edi = 0;
        }
        if (edi == 0) {
            esi = (DWORD)&var_4C;
        }
        else {
            esi = edi;
            /*
            // 检查参数是否合法
            if(!RtlpHpParametersVerify(edi))
                return NULL;
            */
        }
    }
    else if (RtlpHpHeapFeatures & 1 != 0) {
        if (Flags & 0x2 != 0 && HeapBase == 0) {
            if (edi != 0) {
                /*
                // 检查参数是否合法
                if(!RtlpHpParametersVerify(edi))
                    goto return53;
                */
            }
            eax = 2;
            if (Lock == 0)
                esi = (DWORD)&var_4C;
        }
    }
return53:
    eax = 2;
return52:
    if (esi != 0) {
        // 创建一个有异常保护的堆
        // return RtlpHpCreateHeap;
    }
 
    if (Flags & 0x10000000 == 0) {
        if (RtlpHeapErrorHandlerThreshold >= eax) {
            // 打印日志
        }
        if (Flags & 0xFFF80C00 != 0) {
            Flags &= 0x7F3FF;
        }
    }
    RTL_HEAP_PARAMETERS stParameters = { 0 };
    DWORD var_4;
    if (Parameters != 0) {
        var_4 = 0;
        if (Parameters->Length == 48) {
            memcpy(&stParameters, Parameters, 12);
        }
        var_4 = 0xFFFFFFFE;
    }
 
    // 修改flag
    if (NtGlobalFlag & 0x10 != 0) {
        Flags |= 0x20;
    }
    if (NtGlobalFlag & 0x20 != 0) {
        Flags |= 0x40;
    }
    if (NtGlobalFlag & 0x200000 != 0) {
        Flags |= 0x80;
    }
    if (NtGlobalFlag & 0x40 != 0) {
        Flags |= 0x40000000;
    }
    if (NtGlobalFlag & 0x80 != 0) {
        Flags |= 0x20000000;
    }
    if (NtGlobalFlag & 0x1000 != 0) {
        Flags |= 0x8000000;
    }
 
    // 填充结构体
    if (stParameters.SegmentReserve == 0)
        stParameters.SegmentReserve = peb->HeapSegmentReserve;
    if (stParameters.SegmentCommit == 0)
        stParameters.SegmentCommit = peb->HeapSegmentCommit;
    if (stParameters.DeCommitFreeBlockThreshold == 0)
        stParameters.DeCommitFreeBlockThreshold = peb->HeapDeCommitFreeBlockThreshold;
    if (stParameters.DeCommitTotalFreeThreshold == 0)
        stParameters.DeCommitTotalFreeThreshold = peb->HeapDeCommitTotalFreeThreshold;
 
    if (dwAllocationGranularity == 0) {
        /*
        // 获取分配粒度
        NtQuerySystemInformation
        dwAllocationGranularity = dwAllocationGranularity;
        // 失败 
        return NULL;
        */
    }
    if (stParameters.MaximumAllocationSize == 0)
        stParameters.MaximumAllocationSize = dwAllocationGranularity - 0x11000;
    if (stParameters.VirtualMemoryThreshold == 0 || stParameters.VirtualMemoryThreshold > 0x7F000)
        stParameters.VirtualMemoryThreshold = 0x7F000;
 
    DWORD var_C4 = (CommitSize + 0xFFF) & 0xFFFFF000;
    DWORD var_BC = (var_C4 + 0xFFF) & 0xFFFFF000;
    if (ReserveSize != 0) {
        var_BC = (ReserveSize + 0xFFF) & 0xFFFFF000;
    }
    if (var_C4 > var_BC) {
        var_C4 = var_BC;
    }
    esi = var_C4;
    edi = (DWORD)HeapBase;
    if (Flags & 2 != 0 && HeapBase == 0) {
        NtGlobalFlag = 0x1000;
        var_E4 = 2;
        if (var_BC - 0x1000 < var_C4) {
            var_BC += 0x10FFF;
            var_BC &= 0xFFFF0000;
        }
    }
    else {
        NtGlobalFlag = 0;
    }
    DWORD ecx = var_BC;
 
    if (esi == 0)
        return NULL;
    if (var_BC == 0)
        return NULL;
    if (Flags & 0x61000000 != 0 && Flags & 0x10000000 != 0) {
        /*
        return RtlDebugCreateHeap(x,x,x,x,x,x);
        */
    }
 
    SizeOfHeap = 0x258;
    if (Flags & 1 != 0) {
        if (Lock == 0)
            goto return28;
        return NULL;
    }
    if (Lock != 0) {
        Flags |= 0x80000000;
    }
    var_D0 = (DWORD)Lock == 0 ? 0 : (DWORD)Lock;
    SizeOfHeap = (DWORD)Lock == 0 ? 0x270 : 0x258;
return28:
    if (edi != 0) {
        if (stParameters.CommitRoutine != 0) {
            if (stParameters.InitialCommit == 0
                || stParameters.InitialReserve == 0
                || stParameters.InitialCommit > stParameters.InitialReserve
                || Flags & 2 != 0)
                return NULL;
            var_CC = edi;
            var_C0 = edi + stParameters.InitialCommit;
            var_BC = stParameters.InitialReserve;
            memset((void*)edi, 0, 0x1000);
        }
        else {
            MEMORY_BASIC_INFORMATION32 MemInfo1 = { 0 };
            MEMORY_BASIC_INFORMATION32 MemInfo2 = { 0 };
            int Ret = 0;
            /*
            // 查询 HeapBase 内存页面信息
            Ret = NtQueryVirtualMemory(0xFFFFFFFF,(DWORD)HeapBase,3,&MemInfo1,0x1C,0);
            */
            if (Ret < 0) {
                return NULL;
            }
            var_C0 = MemInfo1.BaseAddress;
            if (MemInfo1.BaseAddress != edi) {
                return NULL;
            }
            if (MemInfo1.State == 0x10000)
                return NULL;
            var_CC = MemInfo1.BaseAddress;
            if (MemInfo1.State != 0x1000) {
                var_BC = MemInfo1.RegionSize;
                if (var_C4 > MemInfo1.RegionSize) {
                    var_C4 = MemInfo1.RegionSize;
                }
                if (var_C4 < 0x1000) {
                    return NULL;
                }
            }
            else {
                if (Flags & 0x40000 != 0 && MemInfo1.Protect & 0x40 == 0)
                    return NULL;
                /*
                // 查询 HeapBase 内存页面信息
                Ret = NtQueryVirtualMemory(0xFFFFFFFF,(DWORD)HeapBase,3,&MemInfo2,0x1C,0);
                */
                if (Ret < 0) {
                    return NULL;
                }
                var_BC = MemInfo2.RegionSize;
                var_C4 = MemInfo1.RegionSize;
                var_C0 = MemInfo1.RegionSize + var_CC;
            }
        }
        var_E4 |= 1;
        pHeapBase = (_HEAP*)edi;
        edi = Flags & 0x40000;
        ecx = var_C0;
        eax = var_CC;
    }
    else {
        var_DC = 0;
        if (stParameters.CommitRoutine != 0)
            return NULL;
        /*
        // 生成随机数
        RandValue = RtlpHeapGenerateRandomValue32();
        */
        RandValue = 0;
        /*
        var_D8 = (RtlpHeapGenerateRandomValue32() & 1Fh) << 0x10;
        */
        var_D8 = 0;
        var_E0 = var_D8 + var_BC;
        if (var_E0 < var_BC) {
            var_E0 = var_BC;
            var_D8 = 0;
        }
        /*
        // 申请内存
        int result = NtAllocateVirtualMemory(0xFFFFFFFF, &var_DC, 0, &var_E0, 0x2000, Flags & 0x40000 == 0 ? 0 : 0x40);;
        if(result < 0)
            return 0;
        */
        pHeapBase = (_HEAP*)var_DC;
        var_BC = var_E0;
        if (var_D8 != 0) {
            /*
            // 释放内存
            RtlpSecMemFreeVirtualMemory(&var_DC,var_BC,&var_D8,0x8000);
            */
            pHeapBase = (_HEAP*)(var_DC + var_D8);
            var_BC = var_E0 - var_D8;
        }
        var_CC = (DWORD)pHeapBase;
        var_C0 = (DWORD)pHeapBase;
    }
 
    if (var_CC == var_C0) {
        char* p = NULL;
        /*
        // 申请内存
        int result = NtAllocateVirtualMemory(0xFFFFFFFF, &var_CC, 0, &var_C4, 0x1000, Flags & 0x40000 == 0 ? 0 : 0x40);;
        if(result < 0)
            return 0;
        // 获取会话ID
        char *p = NULL;
        if(RtlGetCurrentServiceSessionId()){
            p = _PEB.SharedData + 0x226;
        }else{
            p = 0x7FFE0380;
        }
        */
        if (*p != 0) {
            if (peb->___u71.TracingFlags != 1) {
                /*
                // 记录堆提交操作
                RtlpLogHeapCommit(pHeapBase,var_CC,var_C4,1);
                */
            }
        }
        var_C0 += var_C4;
    }
    edi = (DWORD)pHeapBase + 0x258;
    if (peb->NtGlobalFlag & 0x800 != 0) {
        // 进程被调试
        pHeapBase->PseudoTagEntries = (_HEAP_PSEUDO_TAG_ENTRY * )(((DWORD)pHeapBase + 0x25F) & 0x0FFFFFFF8);
        SizeOfHeap = 0x60C;
        edi = (DWORD)pHeapBase->PseudoTagEntries + 0x60C;
        Flags |= 0x4000000;
        esi = Flags;
    }
    RandValue = (SizeOfHeap + 7) & 0xFFFFFFF8;
    pHeapBase->___u0.Segment.Entry.___u0.__s1.Size = (RandValue >> 3) & 0xFFFF;
    pHeapBase->___u0.Segment.Entry.___u0.__s1.Flags = 1;
    pHeapBase->___u0.Segment.Entry.___u0.ExtendedEntry.ExtendedBlockSignature = 1;
    pHeapBase->Signature = 0xEEFFEEFF;
    pHeapBase->Flags = esi;
    pHeapBase->Interceptor = 0;
    memset(&pHeapBase->Counters, 0, sizeof(pHeapBase->Counters));
    /*
    // 初始化 Encoding 成员
    RtlpCreateHeapEncoding(pHeapBase);
    */
    pHeapBase->Counters.HeapPollInterval = 1;
    if (pHeapBase->Flags & 0x8000000 != 0) {
        int result = 0;
        /*
        // 记录调试日志
        result = RtlpGetHeapInterceptorIndex(&RtlpStackTraceDatabaseLogPrefix);
        */
        pHeapBase->Interceptor &= (result & 0xFFFF);
    }
    pHeapBase->ForceFlags = Flags & 0x6001007D;
    pHeapBase->HeaderValidateLength = edi - (DWORD)pHeapBase;
    pHeapBase->HeaderValidateCopy = NULL;
    pHeapBase->FreeLists.Blink = &pHeapBase->FreeLists;
    pHeapBase->FreeLists.Flink = &pHeapBase->FreeLists;
    pHeapBase->VirtualAllocdBlocks.Blink = &pHeapBase->VirtualAllocdBlocks;
    pHeapBase->VirtualAllocdBlocks.Flink = &pHeapBase->VirtualAllocdBlocks;
    pHeapBase->SegmentList.Blink = &pHeapBase->SegmentList;
    pHeapBase->SegmentList.Flink = &pHeapBase->SegmentList;
    pHeapBase->UCRList.Blink = &pHeapBase->UCRList;
    pHeapBase->UCRList.Flink = &pHeapBase->UCRList;
    if (var_D0 == 0 && Flags & 1 == 0) {
        var_D0 = edi;
        int Ret = 0;
        /*
        // 线程同步
        Ret = RtlInitializeCriticalSectionEx(var_D0,0,0x10000000);
        */
        if (Ret < 0) {
            return NULL;
        }
        edi += 0x18;
        ecx = var_D0;
    }
    pHeapBase->LockVariable = (_HEAP_LOCK * )var_D0;
    pHeapBase->CompatibilityFlags |= 0x80000000;
    int Ret = 0;
    /*
    // 初始化堆段
    Ret = RtlpInitializeHeapSegment((DWORD)pHeapBase,(DWORD)pHeapBase,RandValue + 0x238,pHeapBase->LockVariable,var_E4,var_CC,var_C0,var_CC - NtGlobalFlag + var_BC);
    */
    if (Ret == 0) {
        return NULL;
    }
    esi = 0x80;
    if (pHeapBase->___u0.Segment.Entry.___u0.__s5.InterceptorValue != 0) {
        memset((void*)edi, 0, 0x80);
    }
    char* p = (char*)edi;
    *(DWORD*)(p + 4) = 0x80;
    *(DWORD*)(p + 0x1C) = (DWORD)(p+0x24);
    *(DWORD*)(p + 0x18) = (DWORD)&pHeapBase->FreeLists;
    *(DWORD*)(p + 0x20) = (DWORD)(p + 0x34);
    /*
    // 初始化堆块
    RtlpPopulateListIndex(pHeapBase,edi);
    */
    pHeapBase->ProcessHeapsListIndex = 0;
    pHeapBase->SegmentReserve = stParameters.SegmentReserve;
    pHeapBase->SegmentCommit = stParameters.SegmentCommit;
    pHeapBase->DeCommitFreeBlockThreshold = stParameters.DeCommitFreeBlockThreshold >> 3;
    pHeapBase->DeCommitTotalFreeThreshold = stParameters.DeCommitTotalFreeThreshold >> 3;
    pHeapBase->MaximumAllocationSize = stParameters.MaximumAllocationSize;
    pHeapBase->VirtualMemoryThreshold = (stParameters.VirtualMemoryThreshold + 7) >> 3;
    *(DWORD*)pHeapBase->CommitRoutine = (DWORD)stParameters.CommitRoutine ^ _RtlHeapKey;
    pHeapBase->TuningParameters.CommittThresholdShift = 4;
    pHeapBase->TuningParameters.MaxPreCommittThreshold = 0xFE000;
    if (RtlpDisableHeapLookaside & 1 != 0) {
        pHeapBase->CompatibilityFlags = 1;
    }
    if (Flags & 0x10000 == 0) {

		
								
				
				登录后可查看完整内容
			
			
				
	

[培训]Windows内核深度攻防：从Hook技术到Rootkit实战！

		#其他内容
	
收藏・7
免费・3
支持
最新回复 (3)
TeddyBe4r 雪币： 6173 活跃值： (2722) 能力值： ( LV12，RANK：240 ) 在线值：发帖 12 回帖 21 粉丝 88 关注私信	TeddyBe4r 4 2 楼博哥yes!!! 2025-3-1 18:59 0
BitWarden 雪币： 414 活跃值： (430) 能力值： ( LV3，RANK：20 ) 在线值：发帖 2 回帖 7 粉丝 4 关注私信	BitWarden 3 楼博哥牛逼 2025-3-2 20:30 0
mb_xrcdmrqz 雪币： 0 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	mb_xrcdmrqz 4 楼 BitWarden 博哥牛逼博哥是谁 2025-7-8 19:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复
xichang13
发帖
回帖
RANK
关注
私信
他的文章
[原创]so文件upx壳的脱壳 1704
[分享]Win10的RtlCreateHeap分析 7579
关于我们
联系我们
企业服务
看雪公众号
最新回复 (3)
TeddyBe4r 雪币： 6173 活跃值： (2722) 能力值： ( LV12，RANK：240 ) 在线值：发帖 12 回帖 21 粉丝 88 关注私信	TeddyBe4r 4 2 楼博哥yes!!! 2025-3-1 18:59 0
BitWarden 雪币： 414 活跃值： (430) 能力值： ( LV3，RANK：20 ) 在线值：发帖 2 回帖 7 粉丝 4 关注私信	BitWarden 3 楼博哥牛逼 2025-3-2 20:30 0
mb_xrcdmrqz 雪币： 0 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	mb_xrcdmrqz 4 楼 BitWarden 博哥牛逼博哥是谁 2025-7-8 19:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复