db48x a day ago

It’s not to keep malware from walking the heap, it’s just a simple protection against simple buffer overflow attacks. If a process running on your computer has a fixed-sized buffer allocated on the heap and I send too much data to fit in the buffer then part of what I send will overwrite whatever comes after that buffer in memory. Well, that means that it will overwrite the heap header objects that Windows uses for memory management too. That can be an important step in exploiting the overflow bug.

But Windows picks a random number for each heap and XORs the heap header with it. This means that every time you run the program the headers have to be XORed with a different random number before Windows can understand them. I have no way of predicting what that number is, so the malicious data that I send won’t be XORed with the right number to fool Windows.
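As an added illustration (not code from the comment above, and not Windows' own implementation), here is a simplified C model of the per-heap XOR encoding it describes. The header layout, the checksum byte and the fixed key value are assumptions standing in for the real structure and the random number; the last function copies an overlong input into a heap buffer the way the comment describes and reads the following header back as the allocator would.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of the protection described above: each chunk header is
 * XORed with a random per-heap key and carries a checksum, so a header the allocator cannot
 * decode is rejected. Layout and checksum are assumptions, not Windows' real _HEAP_ENTRY. */
enum { HDR = 4, BUF_SIZE = 16, REGION = HDR + BUF_SIZE + HDR };

/* Checksum over the plaintext fields: XOR of the other three header bytes. */
static uint8_t header_checksum(uint16_t size, uint8_t flags) {
    return (uint8_t)((size & 0xff) ^ (size >> 8) ^ flags);
}

/* Plaintext layout: size (16 bits) | flags (8) | checksum (8), then XOR with the heap key. */
static uint32_t encode_header(uint32_t key, uint16_t size, uint8_t flags) {
    uint32_t plain = size | ((uint32_t)flags << 16)
                   | ((uint32_t)header_checksum(size, flags) << 24);
    return plain ^ key;                      /* unreadable without this heap's key */
}

/* Undo the XOR and validate; false means the stored header is corrupt. */
static bool decode_header(uint32_t key, uint32_t stored, uint16_t *size, uint8_t *flags) {
    uint32_t plain = stored ^ key;
    uint16_t s = (uint16_t)plain;
    uint8_t  f = (uint8_t)(plain >> 16), c = (uint8_t)(plain >> 24);
    if (c != header_checksum(s, f)) return false;
    *size = s; *flags = f;
    return true;
}

/* Toy region [header A][BUF_SIZE-byte buffer][header B]: copy `len` bytes into the buffer
 * the way an unchecked copy would, then read header B as the allocator does. Returns true
 * only if header B still validates. `key` stands in for the random per-heap value. */
static bool header_valid_after_copy(uint32_t key, const uint8_t *data, size_t len) {
    uint8_t mem[REGION];
    uint32_t enc;
    uint16_t size; uint8_t flags;
    if (len > BUF_SIZE + HDR) return false;  /* keep the model itself inside `mem` */
    enc = encode_header(key, BUF_SIZE, 1); memcpy(mem, &enc, HDR);
    enc = encode_header(key, 32, 1);       memcpy(mem + HDR + BUF_SIZE, &enc, HDR);
    memset(mem + HDR, 0, BUF_SIZE);
    memcpy(mem + HDR, data, len);            /* len > BUF_SIZE spills into header B */
    memcpy(&enc, mem + HDR + BUF_SIZE, HDR);
    return decode_header(key, enc, &size, &flags);
}
```

A copy that fits leaves header B decodable, while a copy that spills past the buffer overwrites header B with bytes that were never XORed with the key, so they fail the check. In this model a random key still lets unencoded bytes pass about 1 time in 256 (when the key's own bytes happen to satisfy the checksum), so the encoding raises the cost of the overflow described above rather than eliminating it.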