hehe
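/*DEBUG*/
/*
 * Debug-only heap-layout probe.  It allocates two tiny blocks and prints
 * (a) the pointer chain that leads to each block and (b) the machine words
 * the allocator keeps immediately in front of it.  Everything here is
 * allocator-specific (the author was looking at the Windows heap from a
 * 32-bit build); the metadata reads are undefined behaviour by the C
 * standard and must never be copied into production code.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Pointer-sized integer for raw address arithmetic.  The original typedef
 * was `int`, which silently truncates a pointer on any 64-bit target and
 * turns the casts below into wild dereferences; uintptr_t keeps the
 * pointer -> integer -> pointer round-trip well defined.
 */
typedef uintptr_t machine_size;

/*
 * Author's sketch of the bookkeeping words found in front of a block
 * returned by the heap allocator.  The offsets in the comments come from a
 * 32-bit session (one word = 4 bytes); with a 64-bit machine_size the
 * layout is still 9 words but the byte offsets double.  Only `prev`,
 * `next` and `heap_length` were given a meaning; the `undef*` words were
 * never identified (see the author's note at the end of the file).  Treat
 * this as an empirical guess, not as the allocator's real header layout --
 * it differs between OS versions and with the debug CRT / LFH.
 */
struct win_heap_chunk {
    struct win_heap_chunk *prev;  /* +0x00 */
    struct win_heap_chunk *next;  /* +0x04 */
    machine_size undef;           /* +0x08 unknown */
    machine_size undef1;          /* +0x0C unknown */
    machine_size heap_length;     /* +0x10 */
    machine_size undef2;          /* +0x14 unknown */
    machine_size undef3;          /* +0x18 unknown */
    machine_size undef4;          /* +0x1C unknown */
    void *memblock;               /* +0x20 */
};

/* Number of machine words in a chunk header; the dump prints CHUNK_SIZE-1 of them. */
#define CHUNK_SIZE (sizeof(struct win_heap_chunk) / sizeof(machine_size))

/*
 * Follow a chain of pointers `depth` times, printing "addr -> value" at each
 * step and using the value as the next address.  No validation is done: a
 * bad link dereferences garbage, which is the contract the original macro
 * had (it is a debugger aid).  The word is fetched with memcpy so no
 * strict-aliasing assumption is made about the object behind `va`.
 */
static void dump_cascade_ptr(machine_size va, int depth)
{
    while (depth-- > 0) {
        machine_size next;
        memcpy(&next, (const void *)va, sizeof next);
        printf("0x%" PRIXPTR " -> 0x%" PRIXPTR "\n", va, next);
        va = next;
    }
}

/* Kept for callers that use the original macro spelling. */
#define DumpCascadePtr(addr, depth) dump_cascade_ptr((machine_size)(addr), (depth))

/*
 * Print the CHUNK_SIZE-1 machine words that sit immediately before the user
 * block `addr` (the allocator's bookkeeping), nearest word first.
 *
 * This deliberately reads outside the allocation -- undefined behaviour by
 * the C standard, tolerated here only because the memory is the live heap
 * being studied.  Call it only with a pointer just returned by malloc on
 * that heap.  A NULL block is reported and skipped instead of crashing.
 */
void DumpWinHeapChunk(int *addr)
{
    if (addr == NULL) {
        puts("chunk: (null block)");
        return;
    }

    const machine_size *words = (const machine_size *)addr;
    size_t i;
    for (i = 1; i < CHUNK_SIZE; i++) {
        machine_size w;
        memcpy(&w, words - i, sizeof w);  /* memcpy: no aliasing assumption */
        printf("chunk:0x%" PRIXPTR "\n", w);
    }
}

/*
 * Allocate two small blocks through *q and, for each, dump the pointer chain
 * &q -> q -> *q -> **q and the heap words in front of the block.  On return
 * *q points at the 5-byte block with '5' stored at byte offset sizeof(int)
 * (the last byte inside the allocation); *q is NULL if that allocation
 * failed.  The 1-byte block is released before returning -- the original
 * leaked it -- but only after the dumps, so the heap state they show is the
 * one the author observed.
 */
void f(int **q)
{
    int *first = malloc(1);
    *q = first;
    if (first != NULL) {
        /* The last link reads the first word of a 1-byte block: part of the
         * allocator's rounding slack, read on purpose for the dump. */
        DumpCascadePtr((machine_size)&q, 3);
        DumpWinHeapChunk(first);
    }

    *q = malloc(5);
    if (*q == NULL) {
        free(first);
        return;
    }
    DumpCascadePtr((machine_size)&q, 3);
    DumpWinHeapChunk(*q);

    /* Byte sizeof(int) of a 5-byte block: in bounds on 32- and 64-bit (int is 4 bytes on both). */
    *(char *)(*q + 1) = '5';  /* breakpoint here */

    free(first);
}

int main(int argc, char *argv[])
{
    int *p = NULL;
    (void)argc;
    (void)argv;

    f(&p);
    if (p == NULL) {
        fputs("malloc failed\n", stderr);
        return 1;
    }

    /* Read back the one byte f() stored.  The original did *(p + 1): an
     * int-wide read at offset 4 of a 5-byte block, i.e. a 3-byte heap
     * over-read of uninitialised memory that only "worked" because the
     * allocator rounds small requests up. */
    printf("%c\n", *(const char *)(p + 1));
    free(p);
    p = NULL;
    return 0;
}

/*
 * Author's note (translated): this is a rough analysis I came up with while
 * debugging earlier -- a heap chunk has about this many bytes.  The in-use
 * bit and similar flags were not analysed; it is only an approximation.
 */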