Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

Libc Heap

Misingi ya Heap

Heap ni mahali ambapo programu itaweza kuhifadhi data wakati inahitaji data kwa kuita kazi kama vile malloc, calloc... Zaidi ya hayo, wakati kumbukumbu hii haifai tena, inapatikana kwa kuita kazi free.

Kama inavyoonyeshwa, iko baada ya ambapo binary inapakiwa kwenye kumbukumbu (angalia sehemu ya [heap]):

Ugawaji wa Msitari wa Msingi

Wakati data fulani inahitajika kuhifadhiwa kwenye heap, nafasi fulani ya heap inatengwa kwa hiyo. Nafasi hii itakuwa ya benki na tu data iliyohitajika + nafasi ya vichwa vya benki + kisawe cha ukubwa wa chini wa benki kitahifadhiwa kwa kipande. lengo ni kuweka kumbukumbu kiasi cha chini iwezekanavyo bila kufanya iwe ngumu kujua wapi kila kipande kipo. Kwa hili, habari ya kipande cha metadata hutumiwa kujua wapi kila kipande kilichotumiwa/cha bure kipo.

Kuna njia tofauti za kutenga nafasi hasa ikitegemea benki iliyotumiwa, lakini njia ya jumla ni kama ifuatavyo:

  • Programu inaanza kwa kuomba kiasi fulani cha kumbukumbu.

  • Ikiwa kwenye orodha ya vipande kuna mtu anayeweza kutosha kutosheleza ombi, itatumika

  • Hii inaweza hata maanisha sehemu ya kipande kilichopo kitatumika kwa ombi hili na sehemu iliyobaki itaongezwa kwenye orodha ya vipande

  • Ikiwa hakuna kipande kinachopatikana kwenye orodha lakini bado kuna nafasi katika kumbukumbu iliyotengwa, meneja wa heap anaunda kipande kipya

  • Ikiwa hakuna nafasi ya kutosha ya heap kutenga kipande kipya, meneja wa heap anauliza kernel kupanua kumbukumbu iliyotengwa kwa heap na kisha kutumia kumbukumbu hii kuzalisha kipande kipya

  • Ikiwa kila kitu kinafeli, malloc inarudisha null.

Tambua kwamba ikiwa kumbukumbu iliyohitajika inapita kizingiti, mmap itatumika kutambaza kumbukumbu iliyohitajika.

Uga

Katika maombi ya multithreaded, meneja wa heap lazima azuie hali za mbio ambazo zinaweza kusababisha ajali. Awali, hii ilifanywa kwa kutumia mutex ya ulimwengu kuhakikisha kuwa thread moja tu inaweza kufikia heap kwa wakati mmoja, lakini hii ilisababisha matatizo ya utendaji kutokana na kizuizi kilichosababishwa na mutex.

Kushughulikia hili, mpangilio wa heap wa ptmalloc2 uliingiza "arenas," ambapo kila uwanja unafanya kazi kama heap tofauti na muundo wake wa data na mutex, kuruhusu nyuzi nyingi kufanya shughuli za heap bila kuingiliana, ikiwa wanatumia uwanja tofauti.

Uwanja "kuu" wa msingi unashughulikia shughuli za heap kwa maombi ya nyuzi moja. Wakati nyuzi mpya zinaongezwa, meneja wa heap huwapa arenas za pili kupunguza mzozo. Kwanza inajaribu kuambatisha kila nyuzi mpya kwa uwanja usiotumiwa, ukiunda mpya ikihitajika, hadi kufikia kikomo cha mara 2 idadi ya viini vya CPU kwa mifumo ya 32-bit na mara 8 kwa mifumo ya 64-bit. Mara kikomo kinapofikiwa, nyuzi lazima washiriki arenas, ikisababisha mzozo wa uwezekano.

Tofauti na uwanja wa msingi, ambao unapanuka kwa kutumia wito wa mfumo wa brk, arenas za pili hujenga "subheaps" kwa kutumia mmap na mprotect kusimuliza tabia ya heap, kuruhusu mabadiliko katika kusimamia kumbukumbu kwa shughuli za multithreaded.

Subheaps

Subheaps hutumika kama akiba ya kumbukumbu kwa arenas za pili katika maombi ya multithreaded, kuruhusu kuongezeka na kusimamia maeneo yao ya heap tofauti na heap kuu. Hapa kuna jinsi subheaps zinavyotofautiana na heap ya awali na jinsi wanavyofanya kazi:

  1. Heap ya Awali vs. Subheaps:

  • Heap ya awali iko moja kwa moja baada ya binary ya programu kwenye kumbukumbu, na inapanuka kwa kutumia wito wa mfumo wa sbrk.

  • Subheaps, zinazotumiwa na arenas za pili, zinaundwa kupitia mmap, wito wa mfumo unaotambaza eneo maalum la kumbukumbu.

  1. Akiba ya Kumbukumbu na mmap:

  • Meneja wa heap anapounda subheap, inahifadhi kizuizi kikubwa cha kumbukumbu kupitia mmap. Akiba hii haitoi kumbukumbu mara moja; inatambua eneo ambalo michakato au alokesheni zingine hazipaswi kutumia.

  • Kwa chaguo-msingi, ukubwa uliohifadhiwa kwa subheap ni 1 MB kwa michakato ya 32-bit na 64 MB kwa michakato ya 64-bit.

  1. Upanuzi wa Hatua kwa Hatua na mprotect:

  • Eneo la kumbukumbu lililohifadhiwa awali linatambuliwa kama PROT_NONE, ikionyesha kuwa kernel haitaji kutenga kumbukumbu ya kimwili kwa nafasi hii bado.

  • Ili "kukuza" subheap, meneja wa heap hutumia mprotect kubadilisha ruhusa za ukurasa kutoka PROT_NONE hadi PROT_READ | PROT_WRITE, kuchochea kernel kutenga kumbukumbu ya kimwili kwa anwani zilizohifadhiwa hapo awali. Hatua hii kwa hatua inaruhusu subheap kupanuka kama inavyohitajika.

  • Mara subheap nzima inapomalizika, meneja wa heap huunda subheap mpya kuendelea na kutenga.

heap_info

Muundo huu unatenga habari muhimu ya heap. Zaidi ya hayo, kumbukumbu ya heap inaweza kutokuwa ya moja kwa moja baada ya alokesheni zaidi, muundo huu pia utahifadhi habari hiyo.

// From https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/malloc/arena.c#L837

typedef struct _heap_info
{
mstate ar_ptr; /* Arena for this heap. */
struct _heap_info *prev; /* Previous heap. */
size_t size;   /* Current size in bytes. */
size_t mprotect_size; /* Size in bytes that has been mprotected
PROT_READ|PROT_WRITE.  */
size_t pagesize; /* Page size used when allocating the arena.  */
/* Make sure the following data is properly aligned, particularly
that sizeof (heap_info) + 2 * SIZE_SZ is a multiple of
MALLOC_ALIGNMENT. */
char pad[-3 * SIZE_SZ & MALLOC_ALIGN_MASK];
} heap_info;

malloc_state

Kila rundo (eneo kuu au eneo la rundo la nyuzi nyingine) lina muundo wa malloc_state. Ni muhimu kuzingatia kwamba muundo wa malloc_state wa eneo kuu ni kigezo cha kawaida katika libc (hivyo kipo katika nafasi ya kumbukumbu ya libc). Katika kesi ya muundo wa malloc_state wa rundo la nyuzi, zinapatikana ndani ya "rundo" la nyuzi yenyewe.

Kuna mambo mazuri ya kuzingatia kutoka kwa muundo huu (angalia msimbo wa C hapo chini):

  • __libc_lock_define (, mutex); Ipo ili kuhakikisha kuwa muundo huu kutoka kwa rundo unafikiwa na nyuzi 1 kwa wakati

  • Alama:

#define NONCONTIGUOUS_BIT (2U)

#define contiguous(M) (((M)->flags & NONCONTIGUOUS_BIT) == 0) #define noncontiguous(M) (((M)->flags & NONCONTIGUOUS_BIT) != 0) #define set_noncontiguous(M) ((M)->flags |= NONCONTIGUOUS_BIT) #define set_contiguous(M) ((M)->flags &= ~NONCONTIGUOUS_BIT)

* `mchunkptr bins[NBINS * 2 - 2];` ina **viashiria** kwa **nyuzi ya kwanza na ya mwisho** ya bins ndogo, kubwa na zisizopangwa (hiyo -2 ni kwa sababu index 0 haikutumiwa)
* Hivyo, **nyuzi ya kwanza** ya bins hizi itakuwa na **kiashiria cha nyuma kwa muundo huu** na **nyuzi ya mwisho** ya bins hizi itakuwa na **kiashiria cha mbele** kwa muundo huu. Hii kimsingi inamaanisha kwamba ikiwa unaweza **kuvuja** anwani hizi katika eneo kuu utakuwa na kiashiria kwa muundo katika **libc**.
* Miundo `struct malloc_state *next;` na `struct malloc_state *next_free;` ni orodha zilizounganishwa za maeneo
* Nyuzi ya `juu` ni "nyuzi" ya mwisho, ambayo kimsingi ni **eneo lote lililobaki la rundo**. Mara nyuzi ya juu inapokuwa "tupu", rundo limetumiwa kabisa na inahitaji kuomba nafasi zaidi.
* Nyuzi ya `kukumbusha ya mwisho` inatokana na hali ambapo nyuzi ya saizi kamili haipatikani na kwa hivyo nyuzi kubwa zaidi inagawanywa, sehemu iliyobaki ya kiashiria inawekwa hapa.
```c
// From https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/malloc/malloc.c#L1812

struct malloc_state
{
/* Serialize access.  */
__libc_lock_define (, mutex);

/* Flags (formerly in max_fast).  */
int flags;

/* Set if the fastbin chunks contain recently inserted free blocks.  */
/* Note this is a bool but not all targets support atomics on booleans.  */
int have_fastchunks;

/* Fastbins */
mfastbinptr fastbinsY[NFASTBINS];

/* Base of the topmost chunk -- not otherwise kept in a bin */
mchunkptr top;

/* The remainder from the most recent split of a small request */
mchunkptr last_remainder;

/* Normal bins packed as described above */
mchunkptr bins[NBINS * 2 - 2];

/* Bitmap of bins */
unsigned int binmap[BINMAPSIZE];

/* Linked list */
struct malloc_state *next;

/* Linked list for free arenas.  Access to this field is serialized
by free_list_lock in arena.c.  */
struct malloc_state *next_free;

/* Number of threads attached to this arena.  0 if the arena is on
the free list.  Access to this field is serialized by
free_list_lock in arena.c.  */
INTERNAL_SIZE_T attached_threads;

/* Memory allocated from the system in this arena.  */
INTERNAL_SIZE_T system_mem;
INTERNAL_SIZE_T max_system_mem;
};

malloc_chunk

Muundo huu unawakilisha kipande maalum cha kumbukumbu. Maeneo mbalimbali yana maana tofauti kwa vipande vilivyotengwa na visivyotengwa.

// https://github.com/bminor/glibc/blob/master/malloc/malloc.c
struct malloc_chunk {
INTERNAL_SIZE_T      mchunk_prev_size;  /* Size of previous chunk, if it is free. */
INTERNAL_SIZE_T      mchunk_size;       /* Size in bytes, including overhead. */
struct malloc_chunk* fd;                /* double links -- used only if this chunk is free. */
struct malloc_chunk* bk;
/* Only used for large blocks: pointer to next larger size.  */
struct malloc_chunk* fd_nextsize; /* double links -- used only if this chunk is free. */
struct malloc_chunk* bk_nextsize;
};

typedef struct malloc_chunk* mchunkptr;

Kama ilivyotajwa hapo awali, vipande hivi pia vina baadhi ya metadata, vinaonyeshwa vizuri katika picha hii:

https://azeria-labs.com/wp-content/uploads/2019/03/chunk-allocated-CS.png

Metadata kawaida ni 0x08B ikionyesha ukubwa wa kipande cha sasa kwa kutumia biti za mwisho 3 kueleza:

  • A: Ikiwa ni 1 inatoka kwenye subheap, ikiwa ni 0 iko kwenye uwanja mkuu

  • M: Ikiwa ni 1, kipande hiki ni sehemu ya nafasi iliyotengwa na mmap na sio sehemu ya kitalu

  • P: Ikiwa ni 1, kipande kilichotangulia kina matumizi

Kisha, nafasi kwa data ya mtumiaji, na mwishowe 0x08B kuonyesha ukubwa wa kipande kilichotangulia wakati kipande kinapatikana (au kuhifadhi data ya mtumiaji wakati inatengwa).

Zaidi ya hayo, wakati inapatikana, data ya mtumiaji hutumiwa pia kuhifadhi baadhi ya data:

  • fd: Kiashiria kwa kipande kinachofuata

  • bk: Kiashiria kwa kipande kilichotangulia

  • fd_nextsize: Kiashiria kwa kipande cha kwanza kwenye orodha ni ndogo kuliko yenyewe

  • bk_nextsize: Kiashiria kwa kipande cha kwanza kwenye orodha ni kubwa kuliko yenyewe

https://azeria-labs.com/wp-content/uploads/2019/03/chunk-allocated-CS.png

Tambua jinsi kufanya orodha hii kwa njia hii kunazuia haja ya kuwa na safu ambapo kila kipande kinaandikishwa.

Vionjo vya Kipande

Wakati malloc inapotumiwa, kiashiria kwa yaliyomo yanayoweza kuandikwa hurudishwa (moja kwa moja baada ya vichwa), hata hivyo, wakati wa kusimamia vipande, inahitajika kiashiria kwa mwanzo wa vichwa (metadata). Kwa mabadiliko haya, kazi hizi hutumiwa:

// https://github.com/bminor/glibc/blob/master/malloc/malloc.c

/* Convert a chunk address to a user mem pointer without correcting the tag.  */
#define chunk2mem(p) ((void*)((char*)(p) + CHUNK_HDR_SZ))

/* Convert a user mem pointer to a chunk address and extract the right tag.  */
#define mem2chunk(mem) ((mchunkptr)tag_at (((char*)(mem) - CHUNK_HDR_SZ)))

/* The smallest possible chunk */
#define MIN_CHUNK_SIZE        (offsetof(struct malloc_chunk, fd_nextsize))

/* The smallest size we can malloc is an aligned minimal chunk */

#define MINSIZE  \
(unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK))

Ulinganifu & ukubwa wa chini

Kiashiria kwa kipande na 0x0f lazima iwe 0.

// From https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/sysdeps/generic/malloc-size.h#L61
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)

// https://github.com/bminor/glibc/blob/a07e000e82cb71238259e674529c37c12dc7d423/sysdeps/i386/malloc-alignment.h
#define MALLOC_ALIGNMENT 16


// https://github.com/bminor/glibc/blob/master/malloc/malloc.c
/* Check if m has acceptable alignment */
#define aligned_OK(m)  (((unsigned long)(m) & MALLOC_ALIGN_MASK) == 0)

#define misaligned_chunk(p) \
((uintptr_t)(MALLOC_ALIGNMENT == CHUNK_HDR_SZ ? (p) : chunk2mem (p)) \
& MALLOC_ALIGN_MASK)


/* pad request bytes into a usable size -- internal version */
/* Note: This must be a macro that evaluates to a compile time constant
if passed a literal constant.  */
#define request2size(req)                                         \
(((req) + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)  ?             \
MINSIZE :                                                      \
((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

/* Check if REQ overflows when padded and aligned and if the resulting
value is less than PTRDIFF_T.  Returns the requested size or
MINSIZE in case the value is less than MINSIZE, or 0 if any of the
previous checks fail.  */
static inline size_t
checked_request2size (size_t req) __nonnull (1)
{
if (__glibc_unlikely (req > PTRDIFF_MAX))
return 0;

/* When using tagged memory, we cannot share the end of the user
block with the header for the next chunk, so ensure that we
allocate blocks that are rounded up to the granule size.  Take
care not to overflow from close to MAX_SIZE_T to a small
number.  Ideally, this would be part of request2size(), but that
must be a macro that produces a compile time constant if passed
a constant literal.  */
if (__glibc_unlikely (mtag_enabled))
{
/* Ensure this is not evaluated if !mtag_enabled, see gcc PR 99551.  */
asm ("");

req = (req + (__MTAG_GRANULE_SIZE - 1)) &
~(size_t)(__MTAG_GRANULE_SIZE - 1);
}

return request2size (req);
}

Pata data ya Chunk na badilisha metadata

Hizi kazi hufanya kazi kwa kupokea kidude cha kidole na ni muhimu kwa ajili ya kuangalia/kuseti metadata:

  • Angalia bendera za chunk

// From https://github.com/bminor/glibc/blob/master/malloc/malloc.c


/* size field is or'ed with PREV_INUSE when previous adjacent chunk in use */
#define PREV_INUSE 0x1

/* extract inuse bit of previous chunk */
#define prev_inuse(p)       ((p)->mchunk_size & PREV_INUSE)


/* size field is or'ed with IS_MMAPPED if the chunk was obtained with mmap() */
#define IS_MMAPPED 0x2

/* check for mmap()'ed chunk */
#define chunk_is_mmapped(p) ((p)->mchunk_size & IS_MMAPPED)


/* size field is or'ed with NON_MAIN_ARENA if the chunk was obtained
from a non-main arena.  This is only set immediately before handing
the chunk to the user, if necessary.  */
#define NON_MAIN_ARENA 0x4

/* Check for chunk from main arena.  */
#define chunk_main_arena(p) (((p)->mchunk_size & NON_MAIN_ARENA) == 0)

/* Mark a chunk as not being on the main arena.  */
#define set_non_main_arena(p) ((p)->mchunk_size |= NON_MAIN_ARENA)

  • Ukubwa na pointa kwa vipande vingine

/*
Bits to mask off when extracting size

Note: IS_MMAPPED is intentionally not masked off from size field in
macros for which mmapped chunks should never be seen. This should
cause helpful core dumps to occur if it is tried by accident by
people extending or adapting this malloc.
*/
#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Get size, ignoring use bits */
#define chunksize(p) (chunksize_nomask (p) & ~(SIZE_BITS))

/* Like chunksize, but do not mask SIZE_BITS.  */
#define chunksize_nomask(p)         ((p)->mchunk_size)

/* Ptr to next physical malloc_chunk. */
#define next_chunk(p) ((mchunkptr) (((char *) (p)) + chunksize (p)))

/* Size of the chunk below P.  Only valid if !prev_inuse (P).  */
#define prev_size(p) ((p)->mchunk_prev_size)

/* Set the size of the chunk below P.  Only valid if !prev_inuse (P).  */
#define set_prev_size(p, sz) ((p)->mchunk_prev_size = (sz))

/* Ptr to previous physical malloc_chunk.  Only valid if !prev_inuse (P).  */
#define prev_chunk(p) ((mchunkptr) (((char *) (p)) - prev_size (p)))

/* Treat space at ptr + offset as a chunk */
#define chunk_at_offset(p, s)  ((mchunkptr) (((char *) (p)) + (s)))

  • Kuingiza Bit

/* extract p's inuse bit */
#define inuse(p)							      \
((((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size) & PREV_INUSE)

/* set/clear chunk as being inuse without otherwise disturbing */
#define set_inuse(p)							      \
((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size |= PREV_INUSE

#define clear_inuse(p)							      \
((mchunkptr) (((char *) (p)) + chunksize (p)))->mchunk_size &= ~(PREV_INUSE)


/* check/set/clear inuse bits in known places */
#define inuse_bit_at_offset(p, s)					      \
(((mchunkptr) (((char *) (p)) + (s)))->mchunk_size & PREV_INUSE)

#define set_inuse_bit_at_offset(p, s)					      \
(((mchunkptr) (((char *) (p)) + (s)))->mchunk_size |= PREV_INUSE)

#define clear_inuse_bit_at_offset(p, s)					      \
(((mchunkptr) (((char *) (p)) + (s)))->mchunk_size &= ~(PREV_INUSE))

  • Weka kichwa na mguu (wakati idadi ya vipande inatumika)

/* Set size at head, without disturbing its use bit */
#define set_head_size(p, s)  ((p)->mchunk_size = (((p)->mchunk_size & SIZE_BITS) | (s)))

/* Set size/use field */
#define set_head(p, s)       ((p)->mchunk_size = (s))

/* Set size at footer (only when chunk is not in use) */
#define set_foot(p, s)       (((mchunkptr) ((char *) (p) + (s)))->mchunk_prev_size = (s))

  • Pata ukubwa wa data halisi inayoweza kutumika ndani ya kipande

#pragma GCC poison mchunk_size
#pragma GCC poison mchunk_prev_size

/* This is the size of the real usable data in the chunk.  Not valid for
dumped heap chunks.  */
#define memsize(p)                                                    \
(__MTAG_GRANULE_SIZE > SIZE_SZ && __glibc_unlikely (mtag_enabled) ? \
chunksize (p) - CHUNK_HDR_SZ :                                    \
chunksize (p) - CHUNK_HDR_SZ + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))

/* If memory tagging is enabled the layout changes to accommodate the granule
size, this is wasteful for small allocations so not done by default.
Both the chunk header and user data has to be granule aligned.  */
_Static_assert (__MTAG_GRANULE_SIZE <= CHUNK_HDR_SZ,
"memory tagging is not supported with large granule.");

static __always_inline void *
tag_new_usable (void *ptr)
{
if (__glibc_unlikely (mtag_enabled) && ptr)
{
mchunkptr cp = mem2chunk(ptr);
ptr = __libc_mtag_tag_region (__libc_mtag_new_tag (ptr), memsize (cp));
}
return ptr;
}

Mifano

Mfano wa Haraka wa Heap

Mfano wa haraka wa heap kutoka https://guyinatuxedo.github.io/25-heap/index.html lakini kwa arm64:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void main(void)
{
char *ptr;
ptr = malloc(0x10);
strcpy(ptr, "panda");
}

Wekeza kizuizi mwishoni mwa kazi kuu na tujue mahali data ilihifadhiwa:

Inawezekana kuona kuwa string panda ilihifadhiwa kwa 0xaaaaaaac12a0 (ambayo ilikuwa anwani iliyotolewa kama jibu na malloc ndani ya x0). Kwa kuangalia 0x10 bytes kabla yake, inawezekana kuona kuwa 0x0 inawakilisha kwamba kitengo kilichotangulia hakijatumika (urefu 0) na kwamba urefu wa kitengo hiki ni 0x21.

Nafasi za ziada zilizohifadhiwa (0x21-0x10=0x11) zinatokana na vichwa vilivyozidishwa (0x10) na 0x1 haimaanishi kwamba ilihifadhiwa 0x21B lakini biti za mwisho 3 za urefu wa kichwa cha sasa zina maana maalum. Kwa kuwa urefu daima ni kielelezo cha 16-baiti (kwenye mashine za 64bits), biti hizi hazitatumika kamwe na nambari ya urefu.

0x1:     Previous in Use     - Specifies that the chunk before it in memory is in use
0x2:     Is MMAPPED          - Specifies that the chunk was obtained with mmap()
0x4:     Non Main Arena      - Specifies that the chunk was obtained from outside of the main arena

Mfano wa Multithreading

Threadi nyingi

```c #include #include #include #include #include

void* threadFuncMalloc(void* arg) { printf("Hello from thread 1\n"); char* addr = (char*) malloc(1000); printf("After malloc and before free in thread 1\n"); free(addr); printf("After free in thread 1\n"); }

void* threadFuncNoMalloc(void* arg) { printf("Hello from thread 2\n"); }

int main() { pthread_t t1; void* s; int ret; char* addr;

printf("Before creating thread 1\n"); getchar(); ret = pthread_create(&t1, NULL, threadFuncMalloc, NULL); getchar();

printf("Before creating thread 2\n"); ret = pthread_create(&t1, NULL, threadFuncNoMalloc, NULL);

printf("Before exit\n"); getchar();

return 0; }

</details>

Kwa kudebug mfano uliopita niwezekana kuona jinsi mwanzoni kuna arena moja tu:

<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>

Kisha, baada ya kuita thread ya kwanza, ile inayoitisha malloc, arena mpya inaundwa:

<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>

na ndani yake vipande vingine vinaweza kupatikana:

<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>

## Bins & Ugawaji/Fungu la Kumbukumbu

Angalia ni bins gani na jinsi zinavyoandaliwa na jinsi kumbukumbu inavyotengwa na kuachiliwa katika:

<div data-gb-custom-block data-tag="content-ref" data-url='bins-and-memory-allocations.md'>

[bins-and-memory-allocations.md](bins-and-memory-allocations.md)

</div>

## Ukaguzi wa Usalama wa Kazi za Heap

Kazi zinazohusika na heap zitafanya ukaguzi fulani kabla ya kutekeleza vitendo vyake kujaribu kuhakikisha kuwa heap haikuharibiwa:

<div data-gb-custom-block data-tag="content-ref" data-url='heap-memory-functions/heap-functions-security-checks.md'>

[heap-functions-security-checks.md](heap-memory-functions/heap-functions-security-checks.md)

</div>

## Marejeo

* [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
* [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
PreviousFormat Strings TemplateNextBins & Memory Allocations

Last updated