
@kohnakagawa
Last active September 1, 2021 14:05
#include <Windows.h>

#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <vector>
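/// Collects integer offsets and prints how often each distinct value occurred.
class OffsetTracker
{
    std::vector<int> offsets;

public:
    /// Records one observed offset.
    void Register(int i)
    {
        offsets.push_back(i);
    }

    /// Sorts the recorded offsets in place and writes one
    /// "offset: V cnt: N" line per distinct value V to std::cout, in
    /// ascending order of V. Prints nothing when no offset was registered.
    void Summerize()
    {
        // The run scan below reads the first element, so an empty tracker
        // must return before touching it.
        if (offsets.empty())
        {
            return;
        }

        std::sort(offsets.begin(), offsets.end());

        int head = offsets.front();
        int cnt = 0;
        for (const int offset : offsets)
        {
            if (head != offset)
            {
                // A run just ended: report it under its own value (head),
                // not under the value that starts the next run.
                std::cout << "offset: " << head << " cnt: " << cnt << '\n';
                head = offset;
                cnt = 0;
            }
            cnt++;
        }
        // Last run; std::endl keeps the final flush of the summary.
        std::cout << "offset: " << head << " cnt: " << cnt << std::endl;
    }
};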
/// Small fixed-size object (two ints, both zeroed on construction).
/// SprayTest allocates many of these to observe where the heap places them.
class SomeObject
{
    int i;
    int j;

public:
    /// Zero-initialises both members.
    SomeObject() : i(0), j(0)
    {
    }
};
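#define OBJECT_COUNT 1297

/// Allocates OBJECT_COUNT SomeObject instances one after another, prints each
/// address together with its distance from the previous allocation, and then
/// prints a histogram of those distances via OffsetTracker.
///
/// The histogram shows how regular the spacing of consecutive same-size
/// allocations is on the allocator under test: a few dominant offsets mean
/// placement is largely predictable, many distinct offsets mean it is not.
void SprayTest() {
    OffsetTracker offsetTracker;

    // The pointer table is allocated once, before the loop, so it adds no
    // allocation between the objects whose spacing is being measured.
    std::vector<SomeObject*> objects(OBJECT_COUNT, nullptr);

    // Hex digits of a full pointer: 8 on 32-bit targets, 16 on 64-bit ones.
    const int addrWidth = static_cast<int>(sizeof(void*) * 2);

    std::uintptr_t prevAddr = 0;
    for (int i = 0; i < OBJECT_COUNT; i++) {
        SomeObject* obj = new SomeObject();
        objects[i] = obj;

        // Keep the address pointer-sized: a cast to int drops the upper half
        // of the address on 64-bit builds.
        const std::uintptr_t currAddr = reinterpret_cast<std::uintptr_t>(obj);
        const unsigned long long shown = static_cast<unsigned long long>(currAddr);

        if (i > 0) {
            // Subtract at full width first, then narrow for Register(int).
            // NOTE(review): a distance that does not fit in int is still
            // truncated here - widen OffsetTracker if that matters.
            const int offset = static_cast<int>(currAddr - prevAddr);
            offsetTracker.Register(offset);
            std::printf("Object at 0x%0*llx. Offset to previous = 0x%08x\n",
                        addrWidth, shown, static_cast<unsigned int>(offset));
        }
        else {
            std::printf("Object at 0x%0*llx\n", addrWidth, shown);
        }
        prevAddr = currAddr;
    }
    offsetTracker.Summerize();

    // Every object stays live until the measurement is complete; release
    // them only now so freed blocks cannot be reused during the run.
    for (SomeObject* obj : objects) {
        delete obj;
    }
}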
/// Program entry point: runs the allocation-spacing test once.
int main()
{
    SprayTest();
    return 0;
}
@kohnakagawa

Result on Windows 11 on ARM (build 22000.168)
