The Isolated Heap
While working on some IE 11 related UAF (use-after-free) vulnerabilities, I noticed that there were significant changes in the new IDB (IDA database) of MSHTML.
The initialization function of MSHTML now contains some additional code:
```asm
push    0               ; dwMaximumSize
push    0               ; dwInitialSize
push    0               ; flOptions
call    ds:__imp__HeapCreate@12 ; HeapCreate(x,x,x)
mov     _g_hIsolatedHeap, eax
test    eax, eax
jnz     short loc_63C94EC5
xor     esi, esi
jmp     loc_6358112F
```
A new heap is created and its handle is stored in the globally accessible variable _g_hIsolatedHeap.
The low fragmentation heap (LFH) is then enabled on the new heap:
```asm
mov     ecx, eax
call    HeapSetInformation_LowFragmentation_Downlevel
jmp     loc_63A246BA
```
Object Allocation
Allocations are currently done from two functions:
- _MemIsolatedAlloc
- _MemIsolatedAllocClear
_MemIsolatedAllocClear
This simple wrapper around HeapAlloc allocates a heap block with the memory zeroed out:
```c
#include <windows.h>

extern HANDLE g_hIsolatedHeap;   // handle returned by HeapCreate during initialization

LPVOID _MemIsolatedAllocClear(SIZE_T dwBytes)
{
    // flag 0x8 == HEAP_ZERO_MEMORY: the returned block is zero-filled
    return HeapAlloc(g_hIsolatedHeap, HEAP_ZERO_MEMORY, dwBytes);
}
```
_MemIsolatedAlloc
```c
LPVOID _MemIsolatedAlloc(SIZE_T dwBytes)
{
    // no flags: the contents of the returned block are left uninitialized
    return HeapAlloc(g_hIsolatedHeap, 0, dwBytes);
}
```
Object Freeing
Every time an object that was created on this heap is freed, it is now first zeroed with memset and then released with HeapFree. Here is an example of an object of size 0x34 being freed:
```asm
push    34h             ; Size
push    0               ; Val
push    esi             ; Dst
call    _memset
...
push    esi             ; lpMem
push    0               ; dwFlags
push    _g_hIsolatedHeap ; hHeap
call    _HeapFree@12    ; HeapFree(x,x,x)
```
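To make the effect of the three pieces above concrete (a dedicated heap, the two allocation wrappers, and zeroing before free), here is an added, portable C model that is not MSHTML code and not from the original post. A static arena stands in for the heap returned by HeapCreate, a single fixed bucket size stands in for an LFH bucket, and the hypothetical functions mem_isolated_alloc, mem_isolated_alloc_clear and mem_isolated_free mirror _MemIsolatedAlloc, _MemIsolatedAllocClear and the memset-then-HeapFree path. The element_t struct and the "CDivElement" tag are constructed sample data. The two demo functions show what a defender gets from the change (a dangling pointer now reads all zeros, so a stale vtable pointer is NULL) and what it does not change (a freed slot is still reused by the next same-sized isolated object, which matters because the table below shows many element types sharing one size class).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the isolated-heap pattern. Every name is hypothetical;
 * this is not MSHTML code. The arena plays the role of g_hIsolatedHeap and
 * the free stack keeps freed user data fully zero, as the memset-before-free does. */

#define ISO_BLOCK_BYTES 0x40                 /* one bucket covering the 0x34..0x40 classes */
#define ISO_BLOCKS      1024
#define ISO_ARENA_BYTES (ISO_BLOCKS * ISO_BLOCK_BYTES)

static _Alignas(16) uint8_t g_iso_arena[ISO_ARENA_BYTES]; /* the "isolated heap" */
static size_t   g_iso_bump;                    /* next never-used block index */
static uint16_t g_iso_free_stack[ISO_BLOCKS];  /* out-of-band free list */
static size_t   g_iso_free_count;

/* True if p lies inside the isolated arena (general-heap blocks never do). */
int iso_contains(const void *p)
{
    const uint8_t *q = (const uint8_t *)p;
    return q >= g_iso_arena && q < g_iso_arena + ISO_ARENA_BYTES;
}

/* Model of _MemIsolatedAlloc: block contents are unspecified. */
void *mem_isolated_alloc(size_t bytes)
{
    size_t idx;
    if (bytes == 0 || bytes > ISO_BLOCK_BYTES)
        return NULL;                           /* this model has a single bucket */
    if (g_iso_free_count > 0)
        idx = g_iso_free_stack[--g_iso_free_count];
    else if (g_iso_bump < ISO_BLOCKS)
        idx = g_iso_bump++;
    else
        return NULL;
    return g_iso_arena + idx * ISO_BLOCK_BYTES;
}

/* Model of _MemIsolatedAllocClear (HeapAlloc with HEAP_ZERO_MEMORY). */
void *mem_isolated_alloc_clear(size_t bytes)
{
    void *b = mem_isolated_alloc(bytes);
    if (b)
        memset(b, 0, ISO_BLOCK_BYTES);
    return b;
}

/* Model of the release path: memset(obj, 0, size) first, then hand the block back. */
void mem_isolated_free(void *p, size_t bytes)
{
    if (!p || !iso_contains(p) || bytes > ISO_BLOCK_BYTES)
        return;
    memset(p, 0, bytes);
    g_iso_free_stack[g_iso_free_count++] =
        (uint16_t)(((uint8_t *)p - g_iso_arena) / ISO_BLOCK_BYTES);
}

/* Stand-in for a DOM element object: vtable pointer first, as in a C++ object. */
typedef struct element {
    void (*vtbl)(struct element *);
    int   refcount;
    char  tag[20];
} element_t;

static void element_dispatch(struct element *e) { (void)e; }

/* After the free, every byte reachable through the dangling pointer is zero,
 * so a virtual call through it meets a NULL vtable rather than stale data. */
int demo_dangling_reads_zero(void)
{
    static const uint8_t zeros[sizeof(element_t)];
    element_t *e = mem_isolated_alloc_clear(sizeof *e);
    if (!e)
        return 0;
    e->vtbl = element_dispatch;
    e->refcount = 1;
    strcpy(e->tag, "CDivElement");            /* constructed sample object */
    const uint8_t *dangling = (const uint8_t *)e;
    mem_isolated_free(e, sizeof *e);
    return memcmp(dangling, zeros, sizeof(element_t)) == 0;
}

/* The limit of the change: a freed slot is still handed to the next isolated
 * allocation of the same size class, exactly as before. */
int demo_same_bucket_reuse(void)
{
    void *a = mem_isolated_alloc_clear(0x34);
    mem_isolated_free(a, 0x34);
    void *b = mem_isolated_alloc_clear(0x34);
    int same = (a == b);
    mem_isolated_free(b, 0x34);
    return same;
}
```

The out-of-band free stack is a deliberate simplification: a real heap writes free-list metadata into the first bytes of a freed block, so on Windows only the bytes past that metadata stay zero until reuse. The model keeps the whole block zero so that the first demo can check the property the post describes without heap-internal noise.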
Appendix
Based on a cursory look, here are a few of the objects allocated on the Isolated Heap:
| Object | Size | 
|---|---|
| CBodyElement | 40h | 
| CHeadElement | 34h | 
| CSelectElement | 0E4h | 
| COptionElement | 4Ch | 
| CNoShowElement | 38h | 
| CObjectElement | 170h | 
| CParamElement | 3Ch | 
| CPluginSite | 198h | 
| CMapElement | 3Ch | 
| CAreaElement | 64h | 
| CMetaElement | 34h | 
| CParaElement | 34h | 
| CDivElement | 34h | 
| CDocumentType | 34h | 
| CTitleElement | 40h | 
| CHeaderElement | 38h | 
| CStyleElement | 5Ch | 
| CCommentElement | 44h | 
| CLinkElement | 68h | 
| CImgElement | 5Ch | 
| CLabelElement | 48h | 
| COListElement | 38h | 
| CHtmlElement | 34h | 
| CBRElement | 34h | 
| CScriptElement | 0C4h | 
| CFormElement | 70h | 
| CFontElement | 34h | 
| CAnchorElement | 64h | 
| CInput | 0C0h | 
| CSpanElement | 34h | 
| CPhraseElement | 34h | 
| CLIElement | 3Ch | 
| CProgressElement | 5Ch | 
| CSemanticElement | 34h | 
| CBaseElement | 3Ch | 
| CBlockElement | 34h | 
| CTable | 58h | 
| CTableSection | 4Ch | 
| CTableCell | 48h | 
| CTableRow | 54h | 
| CUListElement | 38h | 
| CHRElement | 3Ch | 
| CButton | 58h | 
| CDListElement | 38h | 
| CDTElement | 34h | 
| CDDElement | 34h | 
| CIFrameElement | 68h | 
| CHTMLCanvasElement | 0ACh | 
| CGenericElement | 50h | 
| CTextArea | 74h | 
| CSVGFilterElement | 50h | 
| CSVGDefsElement | 4Ch | 
| CSVGFEColorMatrixElement | 50h | 
| CSVGSVGElement | 70h | 
| CTitleElement | 40h | 
| CUnknownElement | 3Ch | 
| CAudioElement | 0F8h | 
| CLegendElement | 3Ch | 
| CFieldSetElement | 40h | 
| CTableCaption | 4Ch | 
| CTableCol | 3Ch | 
| CVideoElement | 190h | 
| CSVGGElement | 4Ch | 
| CSVGPathElement | 70h | 
| CSVGScriptElement | 0D8h | 
| CSVGPolygonElement | 70h | 
| CSVGRectElement | 50h | 
| CSVGEllipseElement | 50h | 
| CSVGPolylineElement | 70h | 
| CSVGTextElement | 4Ch | 
| CIsIndexElement | 34h | 
| CNextIdElement | 34h | 
| CMarquee | 74h | 
| CWndSelectElement | 118h | 
| CWndOptionElement | 40h | 
| CTextElement | 34h | 
| CFrameElement | 5Ch | 
| CSVGElement | 4Ch | 
| CSVGTitleElement | 54h | 
| CSVGAElement | 60h | 
| CSVGCircleElement | 50h | 
| CSVGClipPathElement | 98h | 
| CSVGDescElement | 4Ch | 
| CSVGFEBlendElement | 50h | 
| CSVGFEComponentTransferElement | 50h | 
| CSVGFECompositeElement | 50h | 
| CSVGFEConvolveMatrixElement | 50h | 
| CSVGFEDiffuseLightingElement | 50h | 
| CSVGFEDisplacementMapElement | 50h | 
| CSVGFEDistantLightElement | 4Ch | 
| CSVGFEFloodElement | 50h | 
| CSVGFEFuncAElement | 4Ch | 
| CSVGFEFuncBElement | 4Ch | 
| CSVGFEFuncGElement | 4Ch | 
| CSVGFEFuncRElement | 4Ch | 
| CSVGFEGaussianBlurElement | 50h | 
| CSVGFEImageElement | 70h | 
| CSVGFEMergeElement | 4Ch | 
| CSVGFEMergeNodeElement | 4Ch | 
| CSVGFEMorphologyElement | 50h | 
| CSVGFEOffsetElement | 58h | 
| CSVGFEPointLightElement | 4Ch | 
| CSVGFESpecularLightingElement | 50h | 
| CSVGFESpotLightElement | 4Ch | 
| CSVGFETileElement | 50h | 
| CSVGFETurbulenceElement | 70h | 
| CSVGImageElement | 50h | 
| CSVGLineElement | 74h | 
| CSVGLinearGradientElement | 0E8h | 
| CSVGMarkerElement | 4Ch | 
| CSVGMaskElement | 0C0h | 
| CSVGMetadataElement | 4Ch | 
| CSVGPatternElement | 0B0h | 
| CSVGRadialGradientElement | 0FCh | 
| CSVGStopElement | 4Ch | 
| CSVGStyleElement | 74h | 
| CSVGSwitchElement | 54h | 
| CSVGSymbolElement | 4Ch | 
| CSVGTextPathElement | 60h | 
| CSVGTSpanElement | 4Ch | 
| CSVGUseElement | 60h | 
| CSVGViewElement | 4Ch | 
| CMSHTMLWebViewElement | 58h | 
| CSourceElement | 34h | 
| CTrackElement | 44h | 
| CProcessingInstruction | 70h | 
| CBaseFontElement | 34h | 
| CBGsound | 40h | 
| CDataListElement | 3Ch | 
| CFrameSetSite | 78h | 
| CFrameSetSite | 3Ch | 
There are more objects created on the Isolated Heap that are not listed here.