SecurityXploded by Nagareshwar Talekar

HOME\|TOOLS\|ARTICLES\|RESEARCH\|DOWNLOAD\|BLOG\|ABOUT

Submit Feedback

Submit any suggestions and feedbacks.

Book of the Month

Book of the month

The best practical book for any security professional to understand as well as master the art of vulnerability exploitation. book of the month list.

Latest Stuff

FirePasswordViewer : GUI version of FirePassword

SpyDLLRemover with advanced spyware scanner

Enhanced VistaUACMaker

Remove malicious BHO's using BHORemover

AdvancedWinServiceManager showing hidden services

Top Tools

AdvancedWinServiceManager

NetShareMonitor

Top Articles

Using Rainbow crack to recover Windows password

Repair Windows registry using BackTrack

Unpack UPX packed binary file using OllyDbg

Writing PESpin plugin for ImpREC

Decrypting Firefox sign-on secrets

Associations

EvilFingers.com

ProcessHeapViewer

Scan process heaps faster than ever

Download ProcHeapViewer

About ProcessHeapViewer

This is the tool to enumerate process heaps on windows. It uses much better technique than slower Windows heap API functions which makes it faster and efficient. You can enumerate the heaps from normal Windows processes as well as system services. Its very useful tool for anyone involved in analyzing process heaps. Vulnerability researchers can use it as a side tool for discovering heap related vulnerabilities.

Making of ProcessHeapViewer

Some days back I was doing password strength related research on Yahoo Messenger. It used to store the password on the heap and I wrote an sample tool using normal heap functions to locate and retrieve the password. The password was basically located on one of the heap block which was near the end of 60,000th block. So I had to traverse all the 60,000 heap blocks using Heap32Next function and it took more than 10 minutes..! I tried running the program on multiple machines but it took almost same amount of time. I was getting irritated as I had to wait for so long every time I run my program.

To find a way around this timing problem, I tried looking on the internet for answers but found nothing. Then I finally resort to finding the truth myself and started reverse engineering the Windows heap functions. Finally after few hours of work, I found the reason behind the delay and wrote my own implementation which took little more than few seconds.

For the complete story behind the creation of ProcHeapViewer, read the detailed article here.

ProcessHeapViewer in Action

Screen 1: Viewing the heaps of Explorer.exe

Process Heap Viewer1

Screen 2: Searching for the strings within the heap block.

Process Heap Viewer 2

Using the ProcessHeapViewer

This is standalone tool and does not require any installation.

Launch ProcHeapViewer by clicking on the binary file. It automatically loads all running processes including services.
Select any process from the list. Then all the heap nodes for that process will be displayed.
Now you can click on any of the heap nodes to display all the heap blocks within it.
Next click on one of the heap block to view its content. You can store this data by clicking on the 'save' button. To get back to the main screen, simply click on 'close' button.
You can use 'Find' button to search for strings within the selected heap block. Select the 'Unicode' check box for searching Unicode strings.

History

Version 2.2: 9th Jan 2009

Support for viewing the heap blocks and heap data by scrolling through the keyboard. This makes it easy and faster to quickly view the heap data by just using the up/down keys.

Version 2.1: 5th Oct 2008

Improved the user interface with new look & feel including the banner and about dialog. Integrated the new search feature which makes it easy to find the ASCII as well as Unicode strings within heap blocks.

Version 1.0: 17th June 2007

First public release of the ProcHeapViewer.

Download ProcHeapViewer

ProcHeapViewer Version 2.2

References

Article explaining the brain behind the ProcHeapViewer tool.

See Also

ProcessNetMonitor: Monitor network activity of process.

RemoteDLL: DLL injection based tool to remove DLL from process.

NetShareMonitor: Watch your shares from intruders.

BHORemover: Remove Browser Helper Objects from the system.

WinServiceManager: Tool to manager Windows services.

Sponsored Information

650-621 helps you categorize the value of the Cisco Lifecycle Services for Advanced Wireless. 70-630 is related to networking infrastructure services, incorporating TCP/IP and clustering. 642-432 test judges a candidate's ability of understanding related to the implementation and support of data and voice assimilation solutions at the network-access level. 70-282 involves the devising, developing, and organizing a network elucidation for a small and medium-sized business. E20-001 can easily be prepared with the help of online exam guides.

"when the going gets r3v3rsed, the r3v3rsing gets going"

Home - Tools - Articles - Research - Download - Blog - About

www.SecurityXploded.com © 2009, All rights reserved by Nagareshwar Talekar.

Firefox 3