Process Memory Basics for Reverse Engineers Module 2 - Heap Memory (Patreon)
This is the second part in our short three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at the heap and how to investigate heap memory with x64dbg.
Further Reading
- x64dbg (hopefully you already have this installed)
- x64dbg command line reference
- HeapAlloc
- RtlAllocateHeap
- GetProcessHeap
- GetProcessHeaps
- PEB Documentation
Using CreateToolhelp32Snapshot To Walk The Heap
Though the heap may appear to be a random mix of allocations when observed with a debugger, all allocations are actually tracked internally by the heap manager and can be examined using the CreateToolhelp32Snapshot function.
The full process is documented with code on MSDN here: Traversing the Heap List. Warning! Using the CreateToolhelp32Snapshot APIs while debugging can cause some very strange results: there are internal mechanics in how these APIs are implemented that may interfere with both your debugger and your target. This is particularly relevant when dealing with targets that employ heavy anti-debug features, and when using anti-anti-debug tools.
Hands-On Example
Attached to this post is the compiled example we analyzed in the tutorial. You are encouraged to analyze the binary with x64dbg. See if you can watch the heap allocations by placing a breakpoint on RtlAllocateHeap. Notice how there are many more allocations than the ones we wrote in our program.
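As an added example (not part of the original post or the attached binary), the following x64dbg script automates the exercise above: it logs every RtlAllocateHeap call with its arguments and return address without pausing, and only breaks on allocations of one chosen size so you can separate your own allocations from the loader and CRT noise. It assumes a 64-bit target (arguments in rcx, rdx, r8 under the x64 calling convention) and uses 0x100 as a placeholder for the size your program requests.

```x64dbg
// Added example script for x64dbg (Scripting tab > Load Script, then Run).
// Assumes a 64-bit target: RtlAllocateHeap(HeapHandle=rcx, Flags=rdx, Size=r8).
// 0x100 below is a placeholder; replace it with the size your own code allocates.

// Break on the heap manager's allocation entry point rather than HeapAlloc,
// so allocations made directly through ntdll are seen as well.
bp ntdll.RtlAllocateHeap
SetBreakpointName ntdll.RtlAllocateHeap, "heap_alloc_trace"

// Log heap handle, flags, size (decimal) and the caller's return address ([rsp]
// at function entry). The log condition defaults to 1, so every hit is logged
// even when the break condition below is false.
SetBreakpointLog ntdll.RtlAllocateHeap, "RtlAllocateHeap heap={rcx} flags={rdx} size={d:r8} caller={[rsp]}"

// Only pause the debugger for allocations of the size we are interested in;
// everything else (loader, CRT, RTL internals) is logged and resumed.
SetBreakpointCondition ntdll.RtlAllocateHeap, "r8 == 0x100"

// Keep the GUI quiet and resume quickly on non-matching hits.
SetBreakpointSilent ntdll.RtlAllocateHeap, 1
SetBreakpointFastResume ntdll.RtlAllocateHeap, 1

run
```

Read the Log tab after the target has run for a while: the many entries whose caller lies in ntdll, kernelbase or the CRT are the extra allocations the tutorial mentions, while the ones whose caller is inside your module are the allocations you wrote.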