Security Xploded
 
  |    Home    |    Projects    |    Research    |    Articles     |    Security Tools    |    Download    |    Blog    |    About    |
 
Search
Latest Stuff
 
FirePassword for new Firefox version
FireMaster with New Features
Hacker Reversing Challenge 2007 Solution
Make your application Vista UAC compliant
Watch your shares from intruders  
Top Tools
 
NetShareMonitor: Monitor shares from intruders
FireMaster: Recover Firefox master password
FirePassword : Dump Firefox sign-on secrets
RemoteDLL: Remove DLL from process
ProcHeapViewer: Enumerate process heaps
Top Articles
 
Using Rainbow crack to recover Windows password
Rapair Windows registry using BackTrack
Unpack UPX using OllyDbg
Writing PESpin plugin for ImpREC
Decrypting Firefox sign-on secrets
 
 
 
 
 
 
 
 
 
Process Heap Viewer
Efficient Way to Enumerate Process Heaps on Windows
 
 
About Process Heap Viewer
This is the tool to enumerate process heaps on windows. It uses much better technique than slower Windows heap API functions which makes it faster and efficient. You can enumerate the heaps from normal Windows processes as well as system services. Its very useful tool for anyone involved in analyzing process heaps. Vulnerability researchers can use it as a side tool for discovering heap related vulnerabilities.
 
 
Making of Process Heap Viewer
Some days back I was doing password strength related research on Yahoo Messenger. It used to store the password on the heap and I wrote an sample tool using normal heap functions to locate and retrieve the password. The password was basically located on one of the heap block which was near the end of 60,000th block. So I had to traverse all the 60,000 heap blocks using Heap32Next function and it took more than 10 minutes..! I tried running the program on multiple machines but it took almost same amount of time. I was getting irritated as I had to wait for so long every time I run my program.

To find a way around this timing problem, I tried looking on the internet for answers but found nothing. Then I finally resort to finding the truth myself and started reverse engineering the Windows heap functions. Finally after few hours of work, I found the reason behind the delay and wrote my own implementation which took little more than few seconds.

For the complete story and internal implementation details read the article here.
 
 
Process Heap Viewer in Action
 
 Screen 1:  Viewing the heaps of Explorer.exe
ProcHeapViewer Screen 1
 
 Screen 2:  Displaying the data from one of the heap blocks.
ProcHeapViewer Screen 2
 
 
Using the Process Heap Viewer

This is standalone tool and does not require any installation.

  • Launch ProcHeapViewer by clicking on the binary file. It automatically loads all running processes including services.
  • Select any process from the list. Then all the heap nodes for that process will be displayed.
  • Now you can click on any of the heap nodes to display all the heap blocks within it.
  • Next click on one of the heap block to view its content. You can store this data by clicking on the ‘save’ button. To get back to the main screen, simply click on ‘close’ button.
 
Download ProcHeapViewer
 
     Process Heap Viewer 1.0 Windows
 
 
References
1. Faster method to enumerate process heaps on Windows.
 
 
See Also
    ProcessNetMonitor: Monitor network activity of process.
    RemoteDLL: DLL injection based tool to remove DLL from process.
    NetShareMonitor: Watch your shares from intruders. 
 
 
 
 
 
 

Total Hit Count: Hit Count
"security through obscurity is just an illusion"
                                   -anonymous 
For any queries and suggestions, please drop a mail to tnagareshwar at gmail.com
 
 
www.SecurityXploded.com © 2008, All rights reserved by Nagareshwar Talekar.                        Built for Firefox