I am currently studying the Portable Executable file format and I've learned about the 9 common sections such as .code, .data, .rdata, .debug, etc. However, one piece of information which seems to be obscure and absent from the papers I've read is the location (address space) of the program's "heap" in memory in regard to these sections, and how it is assigned as well. Is it part of one of these data sections? I've heard rumors that it appears after the .bss section, but these are just rumors. Is there even a set heap size (for each specific exe, of course) when the Windows loader loads the PE, and if so, what is it based off of?
There are a couple of fields in IMAGE_OPTIONAL_HEADER that control the initial size of the default process heap (GetProcessHeap), but the heap itself is not part of the PE layout.
A program can create additional heaps with HeapCreate. The heap can also operate in different modes (serialized or not), and there is also a low-fragmentation heap implementation.
You can use VMMap to see where the heaps are in virtual memory, but you should not rely on this information. ASLR will move them if you reboot your computer.
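As an added example (my own code, not part of the answer above), here is a small Python parser that reads the two optional-header fields the answer refers to, SizeOfHeapReserve and SizeOfHeapCommit, for both PE32 and PE32+ images, and also reports whether the image opts in to ASLR via the DYNAMIC_BASE DllCharacteristics bit. The PE bytes it runs on by default are constructed inline with the linker's usual 1 MiB reserve / 4 KiB commit; pass a real file path to inspect an actual executable.

```python
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR


def read_heap_fields(data: bytes) -> dict:
    """Parse SizeOfHeapReserve/SizeOfHeapCommit and the ASLR flag from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # COFF file header is 20 bytes; optional header follows it
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    if magic == PE32_MAGIC:
        reserve, commit = struct.unpack_from("<II", data, opt + 80)  # 4-byte fields
    elif magic == PE32PLUS_MAGIC:
        reserve, commit = struct.unpack_from("<QQ", data, opt + 88)  # 8-byte fields
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "heap_reserve": reserve,
        "heap_commit": commit,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_sample_image(pe32plus: bool, reserve: int, commit: int, dll_chars: int) -> bytes:
    """Constructed input: minimal DOS header, PE signature, COFF header and optional header, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    if pe32plus:
        struct.pack_into("<QQ", opt, 88, reserve, commit)
    else:
        struct.pack_into("<II", opt, 80, reserve, commit)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":  # pass a PE path, or run on the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(
        True, 0x100000, 0x1000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print(read_heap_fields(data))
```

The values only seed the default heap's reservation; the heap's actual placement is chosen by the loader and heap manager at run time, which is why VMMap, not the PE headers, shows where it ends up.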