{"id":9244,"date":"2012-05-25T16:59:50","date_gmt":"2012-05-25T14:59:50","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9244"},"modified":"2012-05-25T16:59:50","modified_gmt":"2012-05-25T14:59:50","slug":"hitb2012ams-day-2-ghost-in-the-allocator","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/","title":{"rendered":"HITB2012AMS Day 2 - Ghost in the Allocator"},"content":{"rendered":"<h3>Ghost in the Allocator - Abusing the Windows 7 \/ 8 Low Fragmentation Heap<\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_160340_957.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg\" alt=\"Rps20120525 160340 957\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>After introducing himself,\u00a0<a href=\"https:\/\/twitter.com\/net__ninja\">Steven Seeley<\/a>, Senior Penetration Tester and Security Researcher at Stratsec, starts his presentation by sharing the talk agenda:<\/p>\n<ul>\n<li>Why target the heap manager<\/li>\n<li>Heap terms<\/li>\n<li>Some Windows 7 theory<\/li>\n<li>Windows 7 exploitation<\/li>\n<li>Changes introduced in Windows 8 Heap<\/li>\n<li>Windows 8 possible exploitation technique<\/li>\n<\/ul>\n<div>Steven explains that he wanted to do a talk on the heap manager because it's often used in mature apps, and knowledge is not widespread (yet). People like Halvar, Ben, Nico, Brett, Chris (and many others) made it cool \ud83d\ude42<\/div>\n<div><\/div>\n<div>There are a couple of heap exploits available (CVE 2012-0003, 2010-3972, 2008-0356, 2005-1009). What they all have in common is that they are quite complex. \u00a0 It's a challenge to write heap exploits. 
\u00a0You'll have to deal with safe unlinking, base randomization, removal of static pointers, and many more protections that are part of the heap manager today.<\/div>\n<div><\/div>\n<div><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_161123_764.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_161123_764.jpg\" alt=\"Rps20120525 161123 764\" width=\"600\" height=\"450\" border=\"0\" \/><\/div>\n<div><\/div>\n<div>The Windows 7 front end allocator (Low Fragmentation Heap) utilizes bins that contain all chunks of a specific size. \u00a0A \"NextOffset\" is used to determine the next chunk to be allocated. \u00a0Each _heap_subsegment_ has its own management structure for that particular bin size. \u00a0There's an 8 byte structure for the heap chunk (4 bytes are encoded). \u00a0The LFH gets activated on 18 consecutive allocations for a particular bin size.<\/div>\n<div>The back end allocator is different:<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_161225.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_161225.jpg\" alt=\"Rps20120525 161225\" width=\"600\" height=\"450\" border=\"0\" \/><\/div>\n<div><\/div>\n<div>Steven explains that the LFH heap data structure looks like a heap within a heap, and consists of a chain of arrays and structures, segments, subsegments, and so on.<\/div>\n<h4>Windows 7 Heap exploits<\/h4>\n<p>Ben Hawkes came up with a good idea to trigger an arbitrary free. \u00a0Chris Valasek came up with the idea that you can cause an arbitrary allocation on top of an object or structure. \u00a0 Steven added a technique to cause consecutive static allocations. \u00a0 Before going into the details, he explains that the Windows 7 Heap is still deterministic to a certain extent. 
\u00a0 You still need a variety of primitives to help with exploitation: a soft\/hard leak of a controlled size, arbitrary writes, the ability to trigger a free of a particular size (to create a hole in the heap), the ability to trigger the heap cache, and so on.<\/p>\n<p>To write an exploit, you'll have to reverse parts of the application to understand how allocations &amp; frees occur and how you can potentially trigger your own allocations\/frees. \u00a0It requires the detection of object creation and what triggers the creation of these objects. \u00a0 Doing all of that work, Steven says, is by far the hardest part of the exploit writing process.<\/p>\n<p>Steven continues by explaining how the technique discovered by Ben Hawkes works.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_162308_956.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_162308_956.jpg\" alt=\"Rps20120525 162308 956\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>The next exploitation technique demonstrated is FreeEntryOffset (Chris Valasek).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_162803_500.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_162803_500.jpg\" alt=\"Rps20120525 162803 500\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_162859_509.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_162859_509.jpg\" alt=\"Rps20120525 162859 509\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>Finally, he shares details about a technique he discovered himself, while playing with a double free condition, and trying to get the heap manager to return the same address for consecutive allocations. \u00a0The advantage of his technique is that you don't need to set up a hole in the heap or perform large seeding operations. 
\u00a0It's used when you can only allocate objects after a chunk has been overflowed. \u00a0You still need to have the ability to trigger arbitrary allocations of an object\/struct and multiple chunks, and you need to find a virtual function call that will get called later on (to gain control over EIP).<\/p>\n<h4>Changes in Windows 8<\/h4>\n<p>A first big change is that the UserBlocks data structure changed, and a bunch of objects were added (including GuardPagePresent etc). \u00a0LFH still gets triggered on 0x12 consecutive allocations (or 0x11 if allocated and freed). \u00a0The techniques discovered by Chris and Ben no longer work. \u00a0He continues by explaining some routines related to the busyBitmap and the bitmap index, and highlights some important routines related to allocations and frees. \u00a0(All details can be found in his slides, don't worry\u2026 )<\/p>\n<h4>Possible exploitation under Windows 8<\/h4>\n<p>Steven was playing with the concept of 3 null dword writes targeting the UserBlocks header to form an arbitrary allocation, when Chris Valasek mentioned that you potentially can overwrite the entire UserBlocks header. \u00a0 If an application allows you to trigger 17 or 18 allocations, you can probably do more allocations. \u00a0This might help make things more predictable again. We have to avoid damaging certain parts (_lfh_block_zone), but you can overwrite starting from certain UserBlocks.<\/p>\n<p>Chunks may not be deterministic, but subSegments and UserBlocks are. \u00a0Only after the 2nd UserBlocks can we overwrite the UserBlocks header. Then you need to be able to trigger arbitrary allocations. To do that, you could target UserBlocks.FirstAllocationOffset, \u00a0UserBlocks.BlockStride, UserBlocks.BusyBitmap (overwriting the BusyBitmap.Buffer ptr &amp; setting it to any ptr that points to a NULL\/low value (static &amp; writable)). 
\u00a0To reliably reach the UserBlocks header, you need to know the offset\/distance, which makes it difficult to achieve at this point (but maybe not impossible). \u00a0An advantage, if you can pull this off, is that you may not need an info leak.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_165215_161.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_165215_161.jpg\" alt=\"Rps20120525 165215 161\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_165639_415.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_165639_415.jpg\" alt=\"Rps20120525 165639 415\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>Great work Steven, keep things coming !<\/p>\n<p>&nbsp;<\/p>\n<h3>Finally,<\/h3>\n<p>this was the last talk I attended at Hack In The Box Amsterdam 2012. \u00a0I would like to take the opportunity to thank the HITB Crew for having me, everyone I met for being so kind, and YOU, for visiting www.corelan.be and reading this page.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ghost in the Allocator - Abusing the Windows 7 \/ 8 Low Fragmentation Heap After introducing himself,\u00a0Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec starts his presentation by sharing the talk agenda: Why target the heap manager Heap terms Some Windows 7 theory WIndows 7 exploitation Changes introduced in Windows 8 Heap Windows &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"HITB2012AMS Day 2 - Ghost in the 
Allocator\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2250],"tags":[3732,3121,2775,2157,316],"class_list":["post-9244","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","tag-heap-exploitation","tag-lfh","tag-hitb","tag-peb","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HITB2012AMS Day 2 - Ghost in the Allocator - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HITB2012AMS Day 2 - Ghost in the Allocator - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Ghost in the Allocator - Abusing the Windows 7 \/ 8 Low Fragmentation Heap After introducing himself,\u00a0Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec starts his presentation by sharing the talk agenda: Why target the heap 
manager Heap terms Some Windows 7 theory WIndows 7 exploitation Changes introduced in Windows 8 Heap Windows &hellip; Continue reading &quot;HITB2012AMS Day 2 - Ghost in the Allocator&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2012-05-25T14:59:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"HITB2012AMS Day 2 - Ghost in the 
Allocator\",\"datePublished\":\"2012-05-25T14:59:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/\"},\"wordCount\":879,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_160340_957.jpg\",\"keywords\":[\"heap exploitation\",\"lfh\",\"hitb\",\"peb\",\"windows\"],\"articleSection\":[\"Cons and Seminars\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/\",\"name\":\"HITB2012AMS Day 2 - Ghost in the Allocator - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_160340_957.jpg\",\"datePublished\":\"2012-05-25T14:59:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_160340_957.jpg\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_160340_957.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-ghost-in-the-allocator\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HITB2012AMS Day 2 &#8211; Ghost in the Allocator\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability 
research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"HITB2012AMS Day 2 - Ghost in the Allocator - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/","og_locale":"en_US","og_type":"article","og_title":"HITB2012AMS Day 2 - Ghost in the Allocator - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Ghost in the Allocator - Abusing the Windows 7 \/ 8 Low Fragmentation Heap After introducing himself,\u00a0Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec starts his presentation by sharing the talk agenda: Why target the heap manager Heap terms Some Windows 7 theory WIndows 7 exploitation Changes introduced in Windows 8 Heap Windows &hellip; Continue reading \"HITB2012AMS Day 2 - Ghost in the Allocator\"","og_url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability 
Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2012-05-25T14:59:50+00:00","og_image":[{"url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"HITB2012AMS Day 2 - Ghost in the Allocator","datePublished":"2012-05-25T14:59:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/"},"wordCount":879,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg","keywords":["heap exploitation","lfh","hitb","peb","windows"],"articleSection":["Cons and Seminars"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/","url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/","name":"HITB2012AMS Day 2 - Ghost in the Allocator - Corelan | Exploit Development &amp; Vulnerability 
Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg","datePublished":"2012-05-25T14:59:50+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#primaryimage","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_160340_957.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-ghost-in-the-allocator\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"HITB2012AMS Day 2 &#8211; Ghost in the Allocator"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":4378,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=9244"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9244\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=9244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=9244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=9244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}