[ENG] Windows Heap - LFH

mntly · September 1, 2024
  • Windows has two kinds of dynamic memory (heap) management mechanism.
    1. NT Heap: the existing Windows heap allocation mechanism.

    2. Segment Heap: the newest Windows heap allocation mechanism, added in Windows 10.
       However, it has not yet come into general use, because many programs have been optimized for the NT Heap.

1. NT Heap, LFH

  • To reduce heap fragmentation and improve performance, the NT Heap manages memory through two layers: the Back-End Heap and the Front-End Heap.

  • Back-End Heap
    • The path in which the Windows OS allocates heap memory directly.
    • This path is slow because the OS touches the memory directly on every allocation.

  • Front-End Heap (LFH, Low Fragmentation Heap)
    • LFH: the default Front-End Heap manager of the Windows OS since Windows Vista.
    • Thanks to the Front-End Heap, heap fragmentation decreases and performance improves.
    • Operation process of the LFH
      1. When the Back-End Heap has allocated blocks of the same size several times,

      2. the LFH prepares several heap chunks of the required size:

        1. It divides a contiguous heap area into chunks of that same size.
        2. A UserBlock structure manages the same-size heap chunks produced in step 1.
      3. After that, when blocks of the same size are requested again, the LFH takes a heap chunk managed by the UserBlock structure and hands it out.

        ⇒ As a result,

        1. performance improves because allocation is done by the Front-End Heap rather than the Back-End Heap,
        2. and heap fragmentation decreases because heap chunks of the same size sit next to each other.

2. UserBlock

  • A UserBlock consists of one UserBlock Header followed by many heap chunks.

  • UserBlock Header

    • The UserBlock Header holds the following values.
      • Signature
        : Constant that indicates "this is an LFH UserBlock".
        The value 0xF0E0D0C0 is stored here.
      • BusyBitmap.Data
        : Points to the BitmapData field in the UserBlock Header.
        We can access an arbitrary address by using this value.
      • BitmapData
        : Information about which heap chunks are allocated among the heap memory managed by the current UserBlock.
  • Heap Chunk

    • Each heap chunk has a Heap Chunk Header (0x8 bytes), and the Heap Chunk Header holds the Chunk Number.
    • The Chunk Number is the index of each heap chunk, counting from 0 at the heap chunk closest to the UserBlock Header.

    [Fig 1] The structure of the UserBlock. Only part of the UserBlock Header is shown.
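The following C program is an added example, not code from the post or from Windows itself. It models the two behaviours described above in one place: the Front-End Heap taking over a size class after several same-size requests (section 1), and a UserBlock whose header carries the Signature, a BusyBitmap.Data pointer to its own BitmapData, and a contiguous run of chunks whose 8-byte headers hold the Chunk Number (section 2). The field layout, the 32 chunks per UserBlock, the activation threshold of 4 requests, and all function names are assumptions made for the illustration; ntdll's real structures and constants differ. The back-end path is stood in for by plain `malloc`.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the NT Heap front end described in the post.
 * Field layouts, the chunk count per UserBlock and the activation
 * threshold are assumptions made for this illustration; they are not
 * ntdll's real structures or constants. */

#define USERBLOCK_SIGNATURE  0xF0E0D0C0u  /* Signature value given in the post */
#define CHUNKS_PER_USERBLOCK 32           /* assumed: 32 chunks => one 32-bit bitmap */
#define LFH_ACTIVATION_COUNT 4            /* assumed: LFH takes over after this many same-size requests */

/* 8-byte chunk header; the post says it carries the Chunk Number. */
typedef struct {
    uint32_t chunk_number;   /* index from the header: the chunk nearest the header is 0 */
    uint32_t reserved;
} chunk_header_t;

typedef struct {
    uint32_t  signature;     /* USERBLOCK_SIGNATURE */
    uint32_t  chunk_size;    /* user size of every chunk in this block */
    uint32_t *busy_bitmap;   /* BusyBitmap.Data: the allocator trusts this pointer when it updates the bitmap */
    uint32_t  bitmap_data;   /* BitmapData: bit i set => chunk i is in use */
    uint8_t  *chunks;        /* one contiguous region carved into equal-size chunks */
} userblock_t;

typedef struct {
    size_t       size;
    unsigned     request_count;  /* same-size requests seen so far */
    userblock_t *userblock;      /* non-NULL once the LFH serves this size */
} size_bucket_t;

static size_t chunk_stride(size_t size) { return sizeof(chunk_header_t) + size; }

/* Step 2 of the post: carve a contiguous area into same-size chunks. */
static userblock_t *userblock_create(size_t size) {
    userblock_t *ub = calloc(1, sizeof *ub);
    ub->signature   = USERBLOCK_SIGNATURE;
    ub->chunk_size  = (uint32_t)size;
    ub->busy_bitmap = &ub->bitmap_data;
    ub->chunks      = calloc(CHUNKS_PER_USERBLOCK, chunk_stride(size));
    for (uint32_t i = 0; i < CHUNKS_PER_USERBLOCK; i++) {
        chunk_header_t *h = (chunk_header_t *)(ub->chunks + i * chunk_stride(size));
        h->chunk_number = i;
    }
    return ub;
}

/* Step 3: hand out the lowest chunk whose bit in the busy bitmap is clear. */
static void *userblock_alloc(userblock_t *ub) {
    for (uint32_t i = 0; i < CHUNKS_PER_USERBLOCK; i++) {
        if (!(*ub->busy_bitmap & (1u << i))) {
            *ub->busy_bitmap |= 1u << i;
            return ub->chunks + i * chunk_stride(ub->chunk_size) + sizeof(chunk_header_t);
        }
    }
    return NULL;  /* block exhausted; the real LFH would start another UserBlock */
}

/* Read the Chunk Number back from the header just before the user pointer. */
static uint32_t chunk_number_of(const void *p) {
    const chunk_header_t *h = (const chunk_header_t *)((const uint8_t *)p - sizeof(chunk_header_t));
    return h->chunk_number;
}

static void userblock_free(userblock_t *ub, void *p) {
    *ub->busy_bitmap &= ~(1u << chunk_number_of(p));
}

/* Allocation entry point for one size class: back end first, LFH once the
 * size is "hot". *from_lfh reports which path served the request. */
static void *model_alloc(size_bucket_t *b, int *from_lfh) {
    if (b->userblock == NULL && ++b->request_count >= LFH_ACTIVATION_COUNT)
        b->userblock = userblock_create(b->size);
    if (b->userblock != NULL) {
        *from_lfh = 1;
        return userblock_alloc(b->userblock);
    }
    *from_lfh = 0;
    return malloc(b->size);  /* back-end path, modelled with plain malloc */
}

int main(void) {
    size_bucket_t bucket = { .size = 0x30, .request_count = 0, .userblock = NULL };
    int lfh;
    for (int i = 0; i < 6; i++) {
        void *p = model_alloc(&bucket, &lfh);
        printf("request %d -> %p via %s", i + 1, p, lfh ? "LFH" : "back end");
        if (lfh)
            printf(" (chunk %u, bitmap 0x%x)", chunk_number_of(p), *bucket.userblock->busy_bitmap);
        printf("\n");
    }
    return 0;
}
```

Running it shows the first three 0x30-byte requests coming from the back end at unrelated addresses, and every request from the fourth onward coming from the UserBlock at addresses exactly 0x38 bytes apart, with the busy bitmap growing by one bit each time. Because the model writes the bitmap through `busy_bitmap` rather than directly to `bitmap_data`, it also makes concrete why the post singles out BusyBitmap.Data: every allocation and free dereferences that header pointer, so header integrity is what keeps bitmap updates inside the UserBlock.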

