2012-10-24 14 views
6

What does "Internal" mean in the "!heap -h" output in windbg?

I am following this Stack Overflow post: What do the different columns in the "!heap -flt -s xxxx" windbg command represent

I am trying to understand the information printed for one of the heaps that uses a lot of memory.

I can understand most of the columns, but on my windbg I see an extra column. Most of my entries are marked Internal. I wonder what that means. I have done !gflags +ust, so I can see the call stack that made the memory allocation. I can do that on most of the entries except the ones marked Internal.

What does Internal mean? Does it have anything to do with the LFH implementation? If this is LFH's internal implementation, how and when do these Internal entries return to the free list? It is holding my memory for no reason right now.

Here is the output of !heap -h 0000000002330000 for your reference.

Index Address Name  Debugging options enabled 
    8: 02330000 
    Segment at 0000000002330000 to 0000000002340000 (00010000 bytes committed) 
    Segment at 00000000032b0000 to 00000000033b0000 (00100000 bytes committed) 
    Segment at 00000000065a0000 to 00000000067a0000 (00200000 bytes committed) 
    Segment at 00000000067a0000 to 0000000006ba0000 (00400000 bytes committed) 
    Segment at 0000000006d80000 to 0000000007580000 (006f2000 bytes committed) 
    Flags:    08001002 
    ForceFlags:   00000000 
    Granularity:   16 bytes 
    Segment Reserve:  01000000 
    Segment Commit:  00002000 
    DeCommit Block Thres: 00000400 
    DeCommit Total Thres: 00001000 
    Total Free Size:  0000274d 
    Max. Allocation Size: 000007fffffdefff 
    Lock Variable at:  00000000023301f8 
    Next TagIndex:  0000 
    Maximum TagIndex:  0000 
    Tag Entries:   00000000 
    PsuedoTag Entries: 00000000 
    Virtual Alloc List: 02330118 
    Uncommitted ranges: 023300f8 
    FreeList[ 00 ] at 0000000002330158: 0000000007454600 . 00000000032e3de0 (24 blocks) 

Heap entries for Segment00 in Heap 0000000002330000 
    0000000002330000: 00000 . 00a70 [101] - busy (a6f) 
    0000000002330a70: 00a70 . 00860 [101] - busy (85f) 
    00000000023312d0: 00860 . 038b0 [101] - busy (38af) 
    0000000002334b80: 038b0 . 00330 [100] 
    0000000002334eb0: 00330 . 00b60 [101] - busy (b34) 
    0000000002335a10: 00b60 . 00160 [101] - busy (134) 
    0000000002335b70: 00160 . 00090 [101] - busy (5c) 
    0000000002335c00: 00090 . 00090 [101] - busy (5c) 
    0000000002335c90: 00090 . 00040 [100] 
    0000000002335cd0: 00040 . 00090 [101] - busy (5c) 
    0000000002335d60: 00090 . 00020 [100] 
    0000000002335d80: 00020 . 00130 [101] - busy (104) 
    0000000002335eb0: 00130 . 00080 [101] - busy (53) 
    0000000002335f30: 00080 . 00090 [101] - busy (65) 
    0000000002335fc0: 00090 . 01060 [101] - busy (1034) 
    0000000002337020: 01060 . 01020 [101] - busy (ff0) Internal 
    0000000002338040: 01020 . 00420 [101] - busy (3f0) Internal 
    0000000002338460: 00420 . 00090 [101] - busy (64) 
    00000000023384f0: 00090 . 00260 [101] - busy (234) 
    0000000002338750: 00260 . 00090 [101] - busy (5c) 
    00000000023387e0: 00090 . 00080 [101] - busy (54) 
    0000000002338860: 00080 . 00080 [101] - busy (4c) 
    00000000023388e0: 00080 . 00030 [100] 
    0000000002338910: 00030 . 00090 [101] - busy (5c) 
    00000000023389a0: 00090 . 00090 [101] - busy (64) 
    0000000002338a30: 00090 . 00260 [101] - busy (234) 
    0000000002338c90: 00260 . 00060 [101] - busy (35) 
    0000000002338cf0: 00060 . 00160 [101] - busy (134) 
    0000000002338e50: 00160 . 00260 [101] - busy (234) 
    00000000023390b0: 00260 . 00160 [101] - busy (134) 
    0000000002339210: 00160 . 000c0 [101] - busy (94) 
    00000000023392d0: 000c0 . 00080 [101] - busy (4c) 
    0000000002339350: 00080 . 000c0 [101] - busy (84) 
    0000000002339410: 000c0 . 000c0 [101] - busy (84) 
    00000000023394d0: 000c0 . 000c0 [101] - busy (94) 
    0000000002339590: 000c0 . 000c0 [101] - busy (94) 
    0000000002339650: 000c0 . 000a0 [101] - busy (6c) 
    00000000023396f0: 000a0 . 000c0 [101] - busy (94) 
    00000000023397b0: 000c0 . 000a0 [101] - busy (6c) 
    0000000002339850: 000a0 . 000a0 [101] - busy (6c) 
    00000000023398f0: 000a0 . 02020 [101] - busy (1ff0) Internal 
    000000000233b910: 02020 . 000a0 [101] - busy (74) 
    000000000233b9b0: 000a0 . 00060 [101] - busy (35) 
    000000000233ba10: 00060 . 02020 [101] - busy (1ff0) Internal 
    000000000233da30: 02020 . 000a0 [101] - busy (6c) 
    000000000233dad0: 000a0 . 000c0 [101] - busy (94) 
    000000000233db90: 000c0 . 000a0 [101] - busy (6c) 
    000000000233dc30: 000a0 . 00060 [100] 
    000000000233dc90: 00060 . 001c0 [101] - busy (194) 
    000000000233de50: 001c0 . 00260 [101] - busy (234) 
    000000000233e0b0: 00260 . 000b0 [101] - busy (80) 
    000000000233e160: 000b0 . 00020 [100] 
    000000000233e180: 00020 . 000c0 [101] - busy (94) 
    000000000233e240: 000c0 . 000a0 [101] - busy (6c) 
    000000000233e2e0: 000a0 . 000a0 [101] - busy (74) 
    000000000233e380: 000a0 . 001c0 [101] - busy (194) 
    000000000233e540: 001c0 . 00020 [100] 
    000000000233e560: 00020 . 000c0 [101] - busy (84) 
    000000000233e620: 000c0 . 000c0 [101] - busy (84) 
    000000000233e6e0: 000c0 . 000c0 [101] - busy (94) 
    000000000233e7a0: 000c0 . 000c0 [101] - busy (94) 
    000000000233e860: 000c0 . 00260 [101] - busy (234) 
    000000000233eac0: 00260 . 000b0 [101] - busy (82) 
    000000000233eb70: 000b0 . 00350 [100] 
    000000000233eec0: 00350 . 00330 [101] - busy (2fc) 
    000000000233f1f0: 00330 . 00440 [101] - busy (40c) 
    000000000233f630: 00440 . 00420 [101] - busy (3f0) Internal 
    000000000233fa50: 00420 . 00460 [100] 
    000000000233feb0: 00460 . 000b0 [101] - busy (80) 
    000000000233ff60: 000b0 . 00060 [100] 
    000000000233ffc0: 00060 . 00040 [111] - busy (3d) 
    0000000002340000:  00000000  - uncommitted bytes. 
Heap entries for Segment01 in Heap 0000000002330000 
    00000000032b0000: 00000 . 00070 [101] - busy (6f) 
    00000000032b0070: 00070 . 0c470 [101] - busy (c440) Internal 
    00000000032bc4e0: 0c470 . 00280 [101] - busy (254) 
    00000000032bc760: 00280 . 000a0 [101] - busy (70) 
    00000000032bc800: 000a0 . 00080 [101] - busy (4c) 
    00000000032bc880: 00080 . 00080 [101] - busy (58) 
    00000000032bc900: 00080 . 00070 [101] - busy (48) 
    00000000032bc970: 00070 . 00080 [101] - busy (4b) 
    00000000032bc9f0: 00080 . 00070 [101] - busy (42) 
    00000000032bca60: 00070 . 00080 [101] - busy (4d) 
    00000000032bcae0: 00080 . 000a0 [101] - busy (72) 
    00000000032bcb80: 000a0 . 00080 [101] - busy (51) 
    00000000032bcc00: 00080 . 000b0 [101] - busy (7c) 
    00000000032bccb0: 000b0 . 00070 [101] - busy (46) 
    00000000032bcd20: 00070 . 00080 [101] - busy (4c) 
    00000000032bcda0: 00080 . 00080 [101] - busy (4f) 
    00000000032bce20: 00080 . 00080 [101] - busy (52) 
    00000000032bcea0: 00080 . 00090 [101] - busy (5d) 
    00000000032bcf30: 00090 . 00080 [101] - busy (4b) 
    00000000032bcfb0: 00080 . 00070 [101] - busy (43) 
    00000000032bd020: 00070 . 00080 [101] - busy (4a) 
    00000000032bd0a0: 00080 . 00080 [101] - busy (49) 
    00000000032bd120: 00080 . 00070 [101] - busy (48) 
    00000000032bd190: 00070 . 00070 [101] - busy (44) 
    00000000032bd200: 00070 . 000a0 [101] - busy (69) 
    00000000032bd2a0: 000a0 . 00070 [101] - busy (46) 
    00000000032bd310: 00070 . 00070 [101] - busy (3c) 
    00000000032bd380: 00070 . 000c0 [101] - busy (8c) 
    00000000032bd440: 000c0 . 00070 [101] - busy (3c) 
    00000000032bd4b0: 00070 . 00090 [101] - busy (5c) 
    00000000032bd540: 00090 . 00090 [101] - busy (5c) 
    00000000032bd5d0: 00090 . 00090 [101] - busy (5c) 
    00000000032bd660: 00090 . 000a0 [101] - busy (5c) 
    00000000032bd700: 000a0 . 00070 [101] - busy (44) 
    00000000032bd770: 00070 . 00090 [101] - busy (5c) 
    00000000032bd800: 00090 . 00070 [101] - busy (3c) 
    00000000032bd870: 00070 . 00050 [100] 
    00000000032bd8c0: 00050 . 00260 [101] - busy (234) 
    00000000032bdb20: 00260 . 00070 [101] - busy (3c) 
    00000000032bdb90: 00070 . 00090 [101] - busy (5c) 
    00000000032bdc20: 00090 . 00070 [101] - busy (3c) 
    00000000032bdc90: 00070 . 00070 [101] - busy (3c) 
    00000000032bdd00: 00070 . 00090 [101] - busy (5c) 
    00000000032bdd90: 00090 . 00070 [101] - busy (3c) 
    00000000032bde00: 00070 . 00070 [101] - busy (3c) 
    00000000032bde70: 00070 . 00090 [101] - busy (5c) 
    00000000032bdf00: 00090 . 00070 [101] - busy (3c) 
    00000000032bdf70: 00070 . 00cc0 [100] 
    00000000032bec30: 00cc0 . 00330 [101] - busy (2fc) 
    00000000032bef60: 00330 . 00440 [101] - busy (40a) 
    00000000032bf3a0: 00440 . 00220 [100] 
    00000000032bf5c0: 00220 . 00330 [101] - busy (2fc) 
    00000000032bf8f0: 00330 . 04020 [101] - busy (3ff0) Internal 
    00000000032c3910: 04020 . 02020 [101] - busy (1ff0) Internal 
    00000000032c5930: 02020 . 00210 [100] 
    00000000032c5b40: 00210 . 01020 [101] - busy (ff0) Internal 
    00000000032c6b60: 01020 . 01020 [101] - busy (ff0) Internal 
    00000000032c7b80: 01020 . 00440 [101] - busy (40c) 
    00000000032c7fc0: 00440 . 00440 [101] - busy (40a) 
    00000000032c8400: 00440 . 00430 [101] - busy (3f0) Internal 
    00000000032c8830: 00430 . 02020 [101] - busy (1ff0) Internal 
    00000000032ca850: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000032cc870: 02020 . 01020 [101] - busy (ff0) Internal 
    00000000032cd890: 01020 . 00420 [101] - busy (3f0) Internal 
    00000000032cdcb0: 00420 . 00420 [101] - busy (3f0) Internal 
    00000000032ce0d0: 00420 . 00420 [101] - busy (3f0) Internal 
    00000000032ce4f0: 00420 . 003a0 [100] 
    00000000032ce890: 003a0 . 02020 [101] - busy (1ff0) Internal 
    00000000032d08b0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000032d28d0: 02020 . 01020 [101] - busy (ff0) Internal 
    00000000032d38f0: 01020 . 00420 [101] - busy (3f0) Internal 
    00000000032d3d10: 00420 . 00420 [101] - busy (3f0) Internal 
    00000000032d4130: 00420 . 003a0 [100] 
    00000000032d44d0: 003a0 . 00420 [101] - busy (3f0) Internal 
    00000000032d48f0: 00420 . 01020 [101] - busy (ff0) Internal 
    00000000032d5910: 01020 . 04020 [101] - busy (3ff0) Internal 
    00000000032d9930: 04020 . 01020 [101] - busy (ff0) Internal 
    00000000032da950: 01020 . 04020 [101] - busy (3ff0) Internal 
    00000000032de970: 04020 . 01020 [101] - busy (ff0) Internal 
    00000000032df990: 01020 . 04020 [101] - busy (3ff0) Internal 
    00000000032e39b0: 04020 . 00420 [101] - busy (3f0) Internal 
    00000000032e3dd0: 00420 . 00020 [100] 
    00000000032e3df0: 00020 . 04020 [101] - busy (3ff0) Internal 
    00000000032e7e10: 04020 . 02020 [101] - busy (1ff0) Internal 
    00000000032e9e30: 02020 . 01020 [101] - busy (ff0) Internal 
    00000000032eae50: 01020 . 02020 [101] - busy (1ff0) Internal 
    00000000032ece70: 02020 . 01020 [101] - busy (ff0) Internal 
    00000000032ede90: 01020 . 000f0 [100] 
    00000000032edf80: 000f0 . 01020 [101] - busy (ff0) Internal 
    00000000032eefa0: 01020 . 01020 [101] - busy (ff0) Internal 
    00000000032effc0: 01020 . 02020 [101] - busy (1ff0) Internal 
    00000000032f1fe0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000032f4000: 02020 . 00420 [101] - busy (3f0) Internal 
    00000000032f4420: 00420 . 00160 [100] 
    00000000032f4580: 00160 . 02020 [101] - busy (1ff0) Internal 
    00000000032f65a0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000032f85c0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000032fa5e0: 02020 . 08020 [101] - busy (7ff0) Internal 
    0000000003302600: 08020 . 02020 [101] - busy (1ff0) Internal 
    0000000003304620: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003305640: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003307660: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003309680: 02020 . 08020 [101] - busy (7ff0) Internal 
    00000000033116a0: 08020 . 02020 [101] - busy (1ff0) Internal 
    00000000033136c0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033156e0: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003316700: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003318720: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000331a740: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000331c760: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000331e780: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033207a0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033227c0: 02020 . 01020 [101] - busy (ff0) Internal 
    00000000033237e0: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003325800: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003327820: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003329840: 02020 . 01020 [101] - busy (ff0) Internal 
    000000000332a860: 01020 . 02020 [101] - busy (1ff0) Internal 
    000000000332c880: 02020 . 01020 [101] - busy (ff0) Internal 
    000000000332d8a0: 01020 . 02020 [101] - busy (1ff0) Internal 
    000000000332f8c0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033318e0: 02020 . 08020 [101] - busy (7ff0) Internal 
    0000000003339900: 08020 . 01020 [101] - busy (ff0) Internal 
    000000000333a920: 01020 . 02020 [101] - busy (1ff0) Internal 
    000000000333c940: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000333e960: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003340980: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033429a0: 02020 . 01020 [101] - busy (ff0) Internal 
    00000000033439c0: 01020 . 02020 [101] - busy (1ff0) Internal 
    00000000033459e0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003347a00: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003348a20: 01020 . 02020 [101] - busy (1ff0) Internal 
    000000000334aa40: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000334ca60: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000334ea80: 02020 . 01020 [101] - busy (ff0) Internal 
    000000000334faa0: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003351ac0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003353ae0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003355b00: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003356b20: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003358b40: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000335ab60: 02020 . 02000 [100] 
    000000000335cb60: 02000 . 02020 [101] - busy (1ff0) Internal 
    000000000335eb80: 02020 . 04020 [101] - busy (3ff0) Internal 
    0000000003362ba0: 04020 . 02020 [101] - busy (1ff0) Internal 
    0000000003364bc0: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003365be0: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003367c00: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003368c20: 01020 . 04020 [101] - busy (3ff0) Internal 
    000000000336cc40: 04020 . 02020 [101] - busy (1ff0) Internal 
    000000000336ec60: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003370c80: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003371ca0: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003373cc0: 02020 . 01020 [101] - busy (ff0) Internal 
    0000000003374ce0: 01020 . 02020 [101] - busy (1ff0) Internal 
    0000000003376d00: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003378d20: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000337ad40: 02020 . 04020 [101] - busy (3ff0) Internal 
    000000000337ed60: 04020 . 02020 [101] - busy (1ff0) Internal 
    0000000003380d80: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003382da0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003384dc0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003386de0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003388e00: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000338ae20: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000338ce40: 02020 . 02020 [101] - busy (1ff0) Internal 
    000000000338ee60: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003390e80: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003392ea0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003394ec0: 02020 . 02020 [101] - busy (1ff0) Internal 
    0000000003396ee0: 02020 . 08020 [101] - busy (7ff0) Internal 
    000000000339ef00: 08020 . 02020 [101] - busy (1ff0) Internal 
    00000000033a0f20: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033a2f40: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000033a4f60: 02020 . 08020 [101] - busy (7ff0) Internal 
    00000000033acf80: 08020 . 02020 [101] - busy (1ff0) Internal 
    00000000033aefa0: 02020 . 00420 [101] - busy (3f0) Internal 
    00000000033af3c0: 00420 . 00420 [101] - busy (3f0) Internal 
    00000000033af7e0: 00420 . 00420 [101] - busy (3f0) Internal 
    00000000033afc00: 00420 . 003c0 [100] 
    00000000033affc0: 003c0 . 00040 [111] - busy (3d) 
    00000000033b0000:  00000000  - uncommitted bytes. 
Heap entries for Segment02 in Heap 0000000002330000 
    00000000065a0000: 00000 . 00070 [101] - busy (6f) 
    00000000065a0070: 00070 . 04020 [101] - busy (3ff0) Internal 
    00000000065a4090: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065a80b0: 04020 . 02020 [101] - busy (1ff0) Internal 
    00000000065aa0d0: 02020 . 02020 [101] - busy (1ff0) Internal 
    00000000065ac0f0: 02020 . 08020 [101] - busy (7ff0) Internal 
    00000000065b4110: 08020 . 02020 [101] - busy (1ff0) Internal 
    00000000065b6130: 02020 . 04020 [101] - busy (3ff0) Internal 
    00000000065ba150: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065be170: 04020 . 08020 [101] - busy (7ff0) Internal 
    00000000065c6190: 08020 . 04020 [101] - busy (3ff0) Internal 
    00000000065ca1b0: 04020 . 02020 [101] - busy (1ff0) Internal 
    00000000065cc1d0: 02020 . 04020 [101] - busy (3ff0) Internal 
    00000000065d01f0: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065d4210: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065d8230: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065dc250: 04020 . 02020 [101] - busy (1ff0) Internal 
    00000000065de270: 02020 . 08020 [101] - busy (7ff0) Internal 
    00000000065e6290: 08020 . 04020 [101] - busy (3ff0) Internal 
    00000000065ea2b0: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065ee2d0: 04020 . 08020 [101] - busy (7ff0) Internal 
    00000000065f62f0: 08020 . 04020 [101] - busy (3ff0) Internal 
    00000000065fa310: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000065fe330: 04020 . 08020 [101] - busy (7ff0) Internal 
    0000000006606350: 08020 . 04020 [101] - busy (3ff0) Internal 
    000000000660a370: 04020 . 04020 [101] - busy (3ff0) Internal 
    000000000660e390: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000066123b0: 04020 . 10020 [101] - busy (fff0) Internal 
    00000000066223d0: 10020 . 04020 [101] - busy (3ff0) Internal 
    00000000066263f0: 04020 . 04020 [101] - busy (3ff0) Internal 
    000000000662a410: 04020 . 04020 [101] - busy (3ff0) Internal 
    000000000662e430: 04020 . 04020 [101] - busy (3ff0) Internal 
    0000000006632450: 04020 . 10020 [101] - busy (fff0) Internal 
    0000000006642470: 10020 . 04020 [101] - busy (3ff0) Internal 
    0000000006646490: 04020 . 04020 [101] - busy (3ff0) Internal 
    000000000664a4b0: 04020 . 04020 [101] - busy (3ff0) Internal 
    000000000664e4d0: 04020 . 04020 [101] - busy (3ff0) Internal 
    00000000066524f0: 04020 . 08020 [101] - busy (7ff0) Internal 
    000000000665a510: 08020 . 08020 [101] - busy (7ff0) Internal 
    0000000006662530: 08020 . 04020 [101] - busy (3ff0) Internal 
    0000000006666550: 04020 . 04020 [101] - busy (3ff0) Internal 
    000000000666a570: 04020 . 10020 [101] - busy (fff0) Internal 
    000000000667a590: 10020 . 04020 [101] - busy (3ff0) Internal 
    000000000667e5b0: 04020 . 08020 [101] - busy (7ff0) Internal 
    00000000066865d0: 08020 . 08020 [101] - busy (7ff0) Internal 
    000000000668e5f0: 08020 . 10020 [101] - busy (fff0) Internal 
    000000000669e610: 10020 . 04020 [101] - busy (3ff0) Internal 
    00000000066a2630: 04020 . 10020 [101] - busy (fff0) Internal 
    00000000066b2650: 10020 . 08020 [101] - busy (7ff0) Internal 
    00000000066ba670: 08020 . 02020 [101] - busy (1ff0) Internal 
    00000000066bc690: 02020 . 08020 [101] - busy (7ff0) Internal 
    00000000066c46b0: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000066cc6d0: 08020 . 10020 [101] - busy (fff0) Internal 
    00000000066dc6f0: 10020 . 08020 [101] - busy (7ff0) Internal 
    00000000066e4710: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000066ec730: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000066f4750: 08020 . 10020 [101] - busy (fff0) Internal 
    0000000006704770: 10020 . 08020 [101] - busy (7ff0) Internal 
    000000000670c790: 08020 . 10020 [101] - busy (fff0) Internal 
    000000000671c7b0: 10020 . 08020 [101] - busy (7ff0) Internal 
    00000000067247d0: 08020 . 08020 [101] - busy (7ff0) Internal 
    000000000672c7f0: 08020 . 20020 [101] - busy (1fff0) Internal 
    000000000674c810: 20020 . 08020 [101] - busy (7ff0) Internal 
    0000000006754830: 08020 . 08020 [101] - busy (7ff0) Internal 
    000000000675c850: 08020 . 08020 [101] - busy (7ff0) Internal 
    0000000006764870: 08020 . 08020 [101] - busy (7ff0) Internal 
    000000000676c890: 08020 . 20020 [101] - busy (1fff0) Internal 
    000000000678c8b0: 20020 . 08020 [101] - busy (7ff0) Internal 
    00000000067948d0: 08020 . 08020 [101] - busy (7ff0) Internal 
    000000000679c8f0: 08020 . 02020 [101] - busy (1ff0) Internal 
    000000000679e910: 02020 . 016b0 [100] 
    000000000679ffc0: 016b0 . 00040 [111] - busy (3d) 
    00000000067a0000:  00000000  - uncommitted bytes. 
Heap entries for Segment03 in Heap 0000000002330000 
    00000000067a0000: 00000 . 00070 [101] - busy (6f) 
    00000000067a0070: 00070 . 08020 [101] - busy (7ff0) Internal 
    00000000067a8090: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000067b00b0: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000067b80d0: 08020 . 20020 [101] - busy (1fff0) Internal 
    00000000067d80f0: 20020 . 08020 [101] - busy (7ff0) Internal 
    00000000067e0110: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000067e8130: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000067f0150: 08020 . 08020 [101] - busy (7ff0) Internal 
    00000000067f8170: 08020 . 10020 [101] - busy (fff0) Internal 
    0000000006808190: 10020 . 10020 [101] - busy (fff0) Internal 
    00000000068181b0: 10020 . 20020 [101] - busy (1fff0) Internal 
    00000000068381d0: 20020 . 10020 [101] - busy (fff0) Internal 
    00000000068481f0: 10020 . 08020 [101] - busy (7ff0) Internal 
    0000000006850210: 08020 . 20020 [101] - busy (1fff0) Internal 
    0000000006870230: 20020 . 10020 [101] - busy (fff0) Internal 
    0000000006880250: 10020 . 08020 [101] - busy (7ff0) Internal 
    0000000006888270: 08020 . 10020 [101] - busy (fff0) Internal 
    0000000006898290: 10020 . 20020 [101] - busy (1fff0) Internal 
    00000000068b82b0: 20020 . 10020 [101] - busy (fff0) Internal 
    00000000068c82d0: 10020 . 10020 [101] - busy (fff0) Internal 
    00000000068d82f0: 10020 . 20020 [101] - busy (1fff0) Internal 
    00000000068f8310: 20020 . 10020 [101] - busy (fff0) Internal 
    0000000006908330: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006918350: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006928370: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006938390: 10020 . 20020 [101] - busy (1fff0) Internal 
    00000000069583b0: 20020 . 10020 [101] - busy (fff0) Internal 
    00000000069683d0: 10020 . 10020 [101] - busy (fff0) Internal 
    00000000069783f0: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006988410: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006998430: 10020 . 10020 [101] - busy (fff0) Internal 
    00000000069a8450: 10020 . 40020 [101] - busy (3fff0) Internal 
    00000000069e8470: 40020 . 10020 [101] - busy (fff0) Internal 
    00000000069f8490: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006a084b0: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006a184d0: 10020 . 04020 [101] - busy (3ff0) Internal 
    0000000006a1c4f0: 04020 . 10020 [101] - busy (fff0) Internal 
    0000000006a2c510: 10020 . 40020 [101] - busy (3fff0) Internal 
    0000000006a6c530: 40020 . 10020 [101] - busy (fff0) Internal 
    0000000006a7c550: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006a8c570: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006a9c590: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006aac5b0: 10020 . 40020 [101] - busy (3fff0) Internal 
    0000000006aec5d0: 40020 . 10020 [101] - busy (fff0) Internal 
    0000000006afc5f0: 10020 . 10020 [101] - busy (fff0) Internal 
    0000000006b0c610: 10020 . 20020 [101] - busy (1fff0) Internal 
    0000000006b2c630: 20020 . 40020 [101] - busy (3fff0) Internal 
    0000000006b6c650: 40020 . 10020 [101] - busy (fff0) Internal 
    0000000006b7c670: 10020 . 20020 [101] - busy (1fff0) Internal 
    0000000006b9c690: 20020 . 03930 [100] 
    0000000006b9ffc0: 03930 . 00040 [111] - busy (3d) 
    0000000006ba0000:  00000000  - uncommitted bytes. 
Heap entries for Segment04 in Heap 0000000002330000 
    0000000006d80000: 00000 . 00070 [101] - busy (6f) 
    0000000006d80070: 00070 . 10020 [101] - busy (fff0) Internal 
    0000000006d90090: 10020 . 40020 [101] - busy (3fff0) Internal 
    0000000006dd00b0: 40020 . 20020 [101] - busy (1fff0) Internal 
    0000000006df00d0: 20020 . 20020 [101] - busy (1fff0) Internal 
    0000000006e100f0: 20020 . 20020 [101] - busy (1fff0) Internal 
    0000000006e30110: 20020 . 40020 [101] - busy (3fff0) Internal 
    0000000006e70130: 40020 . 20020 [101] - busy (1fff0) Internal 
    0000000006e90150: 20020 . 40020 [101] - busy (3fff0) Internal 
    0000000006ed0170: 40020 . 20020 [101] - busy (1fff0) Internal 
    0000000006ef0190: 20020 . 20020 [101] - busy (1fff0) Internal 
    0000000006f101b0: 20020 . 20020 [101] - busy (1fff0) Internal 
    0000000006f301d0: 20020 . 40020 [101] - busy (3fff0) Internal 
    0000000006f701f0: 40020 . 04020 [101] - busy (3ff0) Internal 
    0000000006f74210: 04020 . 20020 [101] - busy (1fff0) Internal 
    0000000006f94230: 20020 . 20020 [101] - busy (1fff0) Internal 
    0000000006fb4250: 20020 . 40020 [101] - busy (3fff0) Internal 
    0000000006ff4270: 40020 . 04020 [101] - busy (3ff0) Internal 
    0000000006ff8290: 04020 . 20020 [101] - busy (1fff0) Internal 
    00000000070182b0: 20020 . 20020 [101] - busy (1fff0) Internal 
    00000000070382d0: 20020 . 04020 [101] - busy (3ff0) Internal 
    000000000703c2f0: 04020 . 08020 [101] - busy (7ff0) Internal 
    0000000007044310: 08020 . 40020 [101] - busy (3fff0) Internal 
    0000000007084330: 40020 . 20020 [101] - busy (1fff0) Internal 

EDIT 10/26/2012

I finally found where the leak was caused, by examining the memory contents inside the Internal heap entry. It contains a number of memory allocations caused by the same operator new. I don't know why they were all combined into a single entry, but by looking at the contents I found the code causing the leak. Perhaps it is a CRT feature to combine all similar data into one heap entry? Or am I misunderstanding the meaning of a heap entry completely?

Answer

21

TL;DR: Heap blocks marked as "Internal" have a special flag set in _HEAP_ENTRY.Flags

[edit] revised my previous answer with a proper one.

Here is my take on your question.

According to the windbg help, the "!heap" command is located in exts.dll (i.e. \winxp\exts.dll).

Load this DLL into IDA and download the symbols for it. There is only one occurrence of "Internal" in the DLL, inside the DumpHeapEntry() function:

.text:0192463D     movzx eax, byte_1963152 
.text:01924644     test eax, eax 
.text:01924646     jz  short loc_1924656 
.text:01924648     push offset aInternal ; " Internal " 
.text:0192464D     call _ExtensionApis.lpOutputRoutine ; some sort of printf routine 

The printing of "Internal" is therefore governed by the value of byte_1963152: if byte_1963152 is not 0, then " Internal " is printed. There is only one place where this value is written with anything other than 0 (in ReadHeapEntry(), which is called at the start of DumpHeapEntry()):

.text:0191F025     movzx eax, [ebp+var_B] 
.text:0191F029     and  eax, 8 
.text:0191F02C     jz  short loc_191F035 
.text:0191F02E     mov  byte_1963152, 1 

This translates to:

if((UINT)var_B & 8) 
    byte_1963152 = 1; 

var_B is set here:

.text:0191EFF7     mov  eax, [ebp+var_18] 
.text:0191EFFA     mov  edx, [ebp+var_14] 
.text:0191EFFD     mov  cl, 10h   ; shift right by 0x10 bits 
.text:0191EFFF     call __aullshr 
.text:0191F004     mov  [ebp+var_B], al 

__aullshr stands for "Arithmetic Unsigned Long Long Shift Right". In the snippet above, eax is the low 32-bit part of a 64-bit unsigned long long, while edx is the high 32-bit part. Note that var_B is an 8-bit quantity (the 'al' register is used).

Hence:

// where var_14_18 is a combination (64-bit) of var_14 and var_18 
var_B = (char)(var_14_18 >> 0x10); 

var_14 and var_18 are set here:

.text:0191EF01     push 0 
.text:0191EF03     push offset aAgregatecode ; "AgregateCode" 
.text:0191EF08     push 0 
.text:0191EF0A     push 0 
.text:0191EF0C     call [email protected] ; GetShortField(x,x,x,x) 
.text:0191EF11     mov  [ebp+var_18], eax ; high part 
.text:0191EF14     mov  [ebp+var_14], edx ; low part 
; cut 
.text:0191EF28     mov  ecx, [ebp+var_18] 
.text:0191EF2B     and  ecx, _EncodeFlagMask ; from HEAP.EncodeFlagMask 
.text:0191EF31     jz  short loc_191EF75 
.text:0191EF33     mov  edx, [ebp+var_18] 
.text:0191EF36     xor  edx, _CrtHeapCode ; from HEAP.Encoding.Code1 
.text:0191EF3C     mov  eax, [ebp+var_14] 
.text:0191EF3F     xor  eax, dword_1963194 ; from HEAP.Encoding.Code2 
.text:0191EF45     mov  [ebp+var_18], edx 
.text:0191EF48     mov  [ebp+var_14], eax  

So WinDBG uses the GetShortField() function on "AgregateCode" and sets both of the above variables (which together are also a single unsigned long long value). Note that it also uses HEAP.Encoding.Code1 and HEAP.Encoding.Code2 to XOR both values (HEAP being the current heap that the heap entry is part of).

"AgregateCode" is a field of both the HEAP_ENTRY and HEAP_FREE_ENTRY structures (from Win 8.1 x86):

0:000> dt _heap_entry -r2 
ntdll!_HEAP_ENTRY 
    +0x000 Size    : Uint2B 
    +0x002 Flags   : UChar 
    +0x003 SmallTagIndex : UChar 
    +0x000 SubSegmentCode : Uint4B 
    +0x004 PreviousSize  : Uint2B 
    +0x006 SegmentOffset : UChar 
    +0x006 LFHFlags   : UChar 
    +0x007 UnusedBytes  : UChar 
    +0x000 FunctionIndex : Uint2B 
    +0x002 ContextValue  : Uint2B 
    +0x000 InterceptorValue : Uint4B 
    +0x004 UnusedBytesLength : Uint2B 
    +0x006 EntryOffset  : UChar 
    +0x007 ExtendedBlockSignature : UChar 
    +0x000 Code1   : Uint4B 
    +0x004 Code2   : Uint2B 
    +0x006 Code3   : UChar 
    +0x007 Code4   : UChar 
    +0x004 Code234   : Uint4B 
    +0x000 AgregateCode  : Uint8B 

Translated to C pseudo-code, this gives:

  typedef struct _HEAP_ENTRY      // 20 elements, 0x8 bytes (sizeof) 
      {                     
       union          // 6 elements, 0x8 bytes (sizeof) 
       {                    
        struct         // 3 elements, 0x8 bytes (sizeof) 
        {                   
/*0x000*/    UINT16  Size;              
/*0x002*/    UINT8  Flags;              
/*0x003*/    UINT8  SmallTagIndex;            
/*0x004*/    UINT8  _PADDING0_[0x4];           
        };                   
        struct         // 4 elements, 0x8 bytes (sizeof) 
        {                   
/*0x000*/    ULONG32  SubSegmentCode;            
/*0x004*/    UINT16  PreviousSize;            
         union        // 2 elements, 0x1 bytes (sizeof) 
         {                  
/*0x006*/     UINT8  SegmentOffset;           
/*0x006*/     UINT8  LFHFlags;            
         };                  
/*0x007*/    UINT8  UnusedBytes;            
        };                   
        struct         // 2 elements, 0x8 bytes (sizeof) 
        {                   
/*0x000*/    UINT16  FunctionIndex;            
/*0x002*/    UINT16  ContextValue;            
/*0x004*/    UINT8  _PADDING1_[0x4];           
        };                   
        struct         // 4 elements, 0x8 bytes (sizeof) 
        {                   
/*0x000*/    ULONG32  InterceptorValue;           
/*0x004*/    UINT16  UnusedBytesLength;           
/*0x006*/    UINT8  EntryOffset;            
/*0x007*/    UINT8  ExtendedBlockSignature;          
        };                   
        struct         // 2 elements, 0x8 bytes (sizeof) 
        {                   
/*0x000*/    ULONG32  Code1;              
         union        // 2 elements, 0x4 bytes (sizeof) 
         {                  
          struct       // 3 elements, 0x4 bytes (sizeof) 
          {                 
/*0x004*/      UINT16  Code2;            
/*0x006*/      UINT8  Code3;            
/*0x007*/      UINT8  Code4;            
          };                 
/*0x004*/     ULONG32  Code234;            
         };                  
        };                   
/*0x000*/   UINT64  AgregateCode;             
       };                    
      }HEAP_ENTRY, *PHEAP_ENTRY; 

So we have the following pseudo-code (minus some other checks):

/* GetShortField returns the 64-bit AgregateCode in EDX:EAX (EAX = low dword = Code1, EDX = high dword) */
low_part, high_part = GetShortField(0, 0, "AgregateCode", 0);
low_part  ^= HEAP.Encoding.Code1;   /* decode Code1 (Size, Flags, SmallTagIndex) */
high_part ^= HEAP.Encoding.Code2;   /* decode Code2 (PreviousSize) */
AgregateCode = Make64BitFromTwo32Bit(high_part, low_part);
char var_B = (char)(AgregateCode >> 0x10);   /* byte at offset 2 of the entry */
if (var_B & 8)
    printf("Internal");

Given that "AgregateCode" is... well, an aggregate of Code1 to Code4:

    struct         // 2 elements, 0x8 bytes (sizeof) 
        {                   
/*0x000*/    ULONG32  Code1;              
         union        // 2 elements, 0x4 bytes (sizeof) 
         {                  
          struct       // 3 elements, 0x4 bytes (sizeof) 
          {                 
/*0x004*/      UINT16  Code2;            
/*0x006*/      UINT8  Code3;            
/*0x007*/      UINT8  Code4;            
          };                 
/*0x004*/     ULONG32  Code234;            
         };                  
        };                   
/*0x000*/   UINT64  AgregateCode; 

If you shift the AgregateCode field by 0x10 and AND it with 8, you end up checking the 11th bit (counting from 0) of Code1.

As the structure is one big union, you end up testing: _HEAP_ENTRY.Flags

It happens that there is a heap flag whose value is 8; its name is: HEAP_ENTRY_VIRTUAL_ALLOC

http://doxygen.reactos.org/da/ddb/heap_8h_source.html#l00044

https://os-design.googlecode.com/svn/trunk/ntos/inc/heap.h

It seems this flag is used to manage large allocations, although these blocks are used internally by the system and are not directly available to the end user.

Usually such internal blocks have their Flags member set to 9: HEAP_ENTRY_VIRTUAL_ALLOC | HEAP_ENTRY_BUSY

[edit] Example:

Say I have a heap at 0x005b0000:

0:004> !heap -h 
Index Address Name  Debugging options enabled 
    1: 005b0000 

This heap (_HEAP) has a HEAP_ENTRY marked as "Internal" at 0x005b8d00:

0:004> !heap -h 005b0000 
Index Address Name  Debugging options enabled 
    1: 005b0000 
    Segment at 005b0000 to 006b0000 (0009d000 bytes committed) 
    Flags:    00000002 
    ForceFlags:   00000000 
    Granularity:   8 bytes 
    Segment Reserve:  00100000 
    Segment Commit:  00002000 
    DeCommit Block Thres: 00000800 
    DeCommit Total Thres: 00002000 
    Total Free Size:  00001ae8 
    Max. Allocation Size: 7ffdefff 
    Lock Variable at:  005b0138 
    Next TagIndex:  0000 
    Maximum TagIndex:  0000 
    Tag Entries:   00000000 
    PsuedoTag Entries: 00000000 
    Virtual Alloc List: 005b00a0 
    Uncommitted ranges: 005b0090 
    FreeList[ 00 ] at 005b00c4: 0063fbc0 . 00633060 (7 blocks) 

    Heap entries for Segment00 in Heap 005b0000 
     005b0000: 00000 . 00588 [101] - busy (587) 
     //[cut] 
     005b8d00: 03d20 . 378b0 [101] - busy (378a8) Internal 

Detailed view of the HEAP structure (note the "Encoding" structure (_HEAP_ENTRY) at offset 0x50, which is what decodes the XOR-encoded heap entries):

0:004> dt _heap 005b0000 -r1 
ntdll!_HEAP 
    +0x000 Entry   : _HEAP_ENTRY 
     +0x000 Size    : 0xbe38 
     +0x002 Flags   : 0xf5 '' 
     +0x003 SmallTagIndex : 0xff '' 
     +0x000 SubSegmentCode : 0xfff5be38 
     +0x004 PreviousSize  : 0xcf53 
     +0x006 SegmentOffset : 0 '' 
     +0x006 LFHFlags   : 0 '' 
     +0x007 UnusedBytes  : 0x1 '' 
     +0x000 FunctionIndex : 0xbe38 
     +0x002 ContextValue  : 0xfff5 
     +0x000 InterceptorValue : 0xfff5be38 
     +0x004 UnusedBytesLength : 0xcf53 
     +0x006 EntryOffset  : 0 '' 
     +0x007 ExtendedBlockSignature : 0x1 '' 
     +0x000 Code1   : 0xfff5be38 
     +0x004 Code2   : 0xcf53 
     +0x006 Code3   : 0 '' 
     +0x007 Code4   : 0x1 '' 
     +0x000 AgregateCode  : 0x100cf53`fff5be38 
    +0x008 SegmentSignature : 0xffeeffee 
    +0x00c SegmentFlags  : 0 
    +0x010 SegmentListEntry : _LIST_ENTRY [ 0x5b00a8 - 0x5b00a8 ] 
     +0x000 Flink   : 0x005b00a8 _LIST_ENTRY [ 0x5b0010 - 0x5b0010 ] 
     +0x004 Blink   : 0x005b00a8 _LIST_ENTRY [ 0x5b0010 - 0x5b0010 ] 
    +0x018 Heap    : 0x005b0000 _HEAP 
     +0x000 Entry   : _HEAP_ENTRY 
     +0x008 SegmentSignature : 0xffeeffee 
     +0x00c SegmentFlags  : 0 
     +0x010 SegmentListEntry : _LIST_ENTRY [ 0x5b00a8 - 0x5b00a8 ] 
     +0x018 Heap    : 0x005b0000 _HEAP 
     +0x01c BaseAddress  : 0x005b0000 
     +0x020 NumberOfPages : 0x100 
     +0x024 FirstEntry  : 0x005b0588 _HEAP_ENTRY 
     +0x028 LastValidEntry : 0x006b0000 _HEAP_ENTRY 
     +0x02c NumberOfUnCommittedPages : 0x63 
     +0x030 NumberOfUnCommittedRanges : 1 
     +0x034 SegmentAllocatorBackTraceIndex : 0 
     +0x036 Reserved   : 0 
     +0x038 UCRSegmentList : _LIST_ENTRY [ 0x64cff0 - 0x64cff0 ] 
     +0x040 Flags   : 2 
     +0x044 ForceFlags  : 0 
     +0x048 CompatibilityFlags : 0 
     +0x04c EncodeFlagMask : 0x100000 
     +0x050 Encoding   : _HEAP_ENTRY 
     +0x058 PointerKey  : 0x75c3a7b 
     +0x05c Interceptor  : 0 
     +0x060 VirtualMemoryThreshold : 0xfe00 
     +0x064 Signature  : 0xeeffeeff 
     +0x068 SegmentReserve : 0x100000 
     +0x06c SegmentCommit : 0x2000 
     +0x070 DeCommitFreeBlockThreshold : 0x800 
     +0x074 DeCommitTotalFreeThreshold : 0x2000 
     +0x078 TotalFreeSize : 0x1ae8 
     +0x07c MaximumAllocationSize : 0x7ffdefff 
     +0x080 ProcessHeapsListIndex : 1 
     +0x082 HeaderValidateLength : 0x138 
     +0x084 HeaderValidateCopy : (null) 
     +0x088 NextAvailableTagIndex : 0 
     +0x08a MaximumTagIndex : 0 
     +0x08c TagEntries  : (null) 
     +0x090 UCRList   : _LIST_ENTRY [ 0x64cfe8 - 0x64cfe8 ] 
     +0x098 AlignRound  : 0xf 
     +0x09c AlignMask  : 0xfffffff8 
     +0x0a0 VirtualAllocdBlocks : _LIST_ENTRY [ 0x5b00a0 - 0x5b00a0 ] 
     +0x0a8 SegmentList  : _LIST_ENTRY [ 0x5b0010 - 0x5b0010 ] 
     +0x0b0 AllocatorBackTraceIndex : 0 
     +0x0b4 NonDedicatedListLength : 0 
     +0x0b8 BlocksIndex  : 0x005b0150 
     +0x0bc UCRIndex   : 0x005b0590 
     +0x0c0 PseudoTagEntries : (null) 
     +0x0c4 FreeLists  : _LIST_ENTRY [ 0x633060 - 0x63fbc0 ] 
     +0x0cc LockVariable  : 0x005b0138 _HEAP_LOCK 
     +0x0d0 CommitRoutine : 0x075c3a7b  long +75c3a7b 
     +0x0d4 FrontEndHeap  : 0x005b8d08 
     +0x0d8 FrontHeapLockCount : 0 
     +0x0da FrontEndHeapType : 0x2 '' 
     +0x0dc Counters   : _HEAP_COUNTERS 
     +0x130 TuningParameters : _HEAP_TUNING_PARAMETERS 
    +0x01c BaseAddress  : 0x005b0000 
    +0x020 NumberOfPages : 0x100 
    +0x024 FirstEntry  : 0x005b0588 _HEAP_ENTRY 
     +0x000 Size    : 0xbec1 
     +0x002 Flags   : 0xf5 '' 
     +0x003 SmallTagIndex : 0x6 '' 
     +0x000 SubSegmentCode : 0x06f5bec1 
     +0x004 PreviousSize  : 0xcfe2 
     +0x006 SegmentOffset : 0 '' 
     +0x006 LFHFlags   : 0 '' 
     +0x007 UnusedBytes  : 0x1 '' 
     +0x000 FunctionIndex : 0xbec1 
     +0x002 ContextValue  : 0x6f5 
     +0x000 InterceptorValue : 0x6f5bec1 
     +0x004 UnusedBytesLength : 0xcfe2 
     +0x006 EntryOffset  : 0 '' 
     +0x007 ExtendedBlockSignature : 0x1 '' 
     +0x000 Code1   : 0x6f5bec1 
     +0x004 Code2   : 0xcfe2 
     +0x006 Code3   : 0 '' 
     +0x007 Code4   : 0x1 '' 
     +0x000 AgregateCode  : 0x100cfe2`06f5bec1 
    +0x028 LastValidEntry : 0x006b0000 _HEAP_ENTRY 
     +0x000 Size    : 0xeff8 
     +0x002 Flags   : 0xe7 '' 
     +0x003 SmallTagIndex : 0xff '' 
     +0x000 SubSegmentCode : 0xffe7eff8 
     +0x004 PreviousSize  : 0xd3df 
     +0x006 SegmentOffset : 0xc7 '' 
     +0x006 LFHFlags   : 0xc7 '' 
     +0x007 UnusedBytes  : 0xff '' 
     +0x000 FunctionIndex : 0xeff8 
     +0x002 ContextValue  : 0xffe7 
     +0x000 InterceptorValue : 0xffe7eff8 
     +0x004 UnusedBytesLength : 0xd3df 
     +0x006 EntryOffset  : 0xc7 '' 
     +0x007 ExtendedBlockSignature : 0xff '' 
     +0x000 Code1   : 0xffe7eff8 
     +0x004 Code2   : 0xd3df 
     +0x006 Code3   : 0xc7 '' 
     +0x007 Code4   : 0xff '' 
     +0x000 AgregateCode  : 0xffc7d3df`ffe7eff8 
    +0x02c NumberOfUnCommittedPages : 0x63 
    +0x030 NumberOfUnCommittedRanges : 1 
    +0x034 SegmentAllocatorBackTraceIndex : 0 
    +0x036 Reserved   : 0 
    +0x038 UCRSegmentList : _LIST_ENTRY [ 0x64cff0 - 0x64cff0 ] 
     +0x000 Flink   : 0x0064cff0 _LIST_ENTRY [ 0x5b0038 - 0x5b0038 ] 
     +0x004 Blink   : 0x0064cff0 _LIST_ENTRY [ 0x5b0038 - 0x5b0038 ] 
    +0x040 Flags   : 2 
    +0x044 ForceFlags  : 0 
    +0x048 CompatibilityFlags : 0 
    +0x04c EncodeFlagMask : 0x100000 
    +0x050 Encoding   : _HEAP_ENTRY 
     +0x000 Size    : 0xbe89 
     +0x002 Flags   : 0xf4 '' 
     +0x003 SmallTagIndex : 0x4f 'O' 
     +0x000 SubSegmentCode : 0x4ff4be89 
     +0x004 PreviousSize  : 0xcf53 
     +0x006 SegmentOffset : 0 '' 
     +0x006 LFHFlags   : 0 '' 
     +0x007 UnusedBytes  : 0 '' 
     +0x000 FunctionIndex : 0xbe89 
     +0x002 ContextValue  : 0x4ff4 
     +0x000 InterceptorValue : 0x4ff4be89 
     +0x004 UnusedBytesLength : 0xcf53 
     +0x006 EntryOffset  : 0 '' 
     +0x007 ExtendedBlockSignature : 0 '' 
     +0x000 Code1   : 0x4ff4be89 
     +0x004 Code2   : 0xcf53 
     +0x006 Code3   : 0 '' 
     +0x007 Code4   : 0 '' 
     +0x000 AgregateCode  : 0xcf53`4ff4be89 
    +0x058 PointerKey  : 0x75c3a7b 
    +0x05c Interceptor  : 0 
    +0x060 VirtualMemoryThreshold : 0xfe00 
    +0x064 Signature  : 0xeeffeeff 
    +0x068 SegmentReserve : 0x100000 
    +0x06c SegmentCommit : 0x2000 
    +0x070 DeCommitFreeBlockThreshold : 0x800 
    +0x074 DeCommitTotalFreeThreshold : 0x2000 
    +0x078 TotalFreeSize : 0x1ae8 
    +0x07c MaximumAllocationSize : 0x7ffdefff 
    +0x080 ProcessHeapsListIndex : 1 
    +0x082 HeaderValidateLength : 0x138 
    +0x084 HeaderValidateCopy : (null) 
    +0x088 NextAvailableTagIndex : 0 
    +0x08a MaximumTagIndex : 0 
    +0x08c TagEntries  : (null) 
    +0x090 UCRList   : _LIST_ENTRY [ 0x64cfe8 - 0x64cfe8 ] 
     +0x000 Flink   : 0x0064cfe8 _LIST_ENTRY [ 0x5b0090 - 0x5b0090 ] 
     +0x004 Blink   : 0x0064cfe8 _LIST_ENTRY [ 0x5b0090 - 0x5b0090 ] 
    +0x098 AlignRound  : 0xf 
    +0x09c AlignMask  : 0xfffffff8 
    +0x0a0 VirtualAllocdBlocks : _LIST_ENTRY [ 0x5b00a0 - 0x5b00a0 ] 
     +0x000 Flink   : 0x005b00a0 _LIST_ENTRY [ 0x5b00a0 - 0x5b00a0 ] 
     +0x004 Blink   : 0x005b00a0 _LIST_ENTRY [ 0x5b00a0 - 0x5b00a0 ] 
    +0x0a8 SegmentList  : _LIST_ENTRY [ 0x5b0010 - 0x5b0010 ] 
     +0x000 Flink   : 0x005b0010 _LIST_ENTRY [ 0x5b00a8 - 0x5b00a8 ] 
     +0x004 Blink   : 0x005b0010 _LIST_ENTRY [ 0x5b00a8 - 0x5b00a8 ] 
    +0x0b0 AllocatorBackTraceIndex : 0 
    +0x0b4 NonDedicatedListLength : 0 
    +0x0b8 BlocksIndex  : 0x005b0150 
    +0x0bc UCRIndex   : 0x005b0590 
    +0x0c0 PseudoTagEntries : (null) 
    +0x0c4 FreeLists  : _LIST_ENTRY [ 0x633060 - 0x63fbc0 ] 
     +0x000 Flink   : 0x00633060 _LIST_ENTRY [ 0x632fc8 - 0x5b00c4 ] 
     +0x004 Blink   : 0x0063fbc0 _LIST_ENTRY [ 0x5b00c4 - 0x633390 ] 
    +0x0cc LockVariable  : 0x005b0138 _HEAP_LOCK 
     +0x000 Lock    : <unnamed-tag> 
    +0x0d0 CommitRoutine : 0x075c3a7b  long +75c3a7b 
    +0x0d4 FrontEndHeap  : 0x005b8d08 
    +0x0d8 FrontHeapLockCount : 0 
    +0x0da FrontEndHeapType : 0x2 '' 
    +0x0dc Counters   : _HEAP_COUNTERS 
     +0x000 TotalMemoryReserved : 0x100000 
     +0x004 TotalMemoryCommitted : 0x9d000 
     +0x008 TotalMemoryLargeUCR : 0 
     +0x00c TotalSizeInVirtualBlocks : 0 
     +0x010 TotalSegments : 1 
     +0x014 TotalUCRs  : 1 
     +0x018 CommittOps  : 0x19 
     +0x01c DeCommitOps  : 0 
     +0x020 LockAcquires  : 0xd37 
     +0x024 LockCollisions : 0 
     +0x028 CommitRate  : 0x24 
     +0x02c DecommittRate : 0xb 
     +0x030 CommitFailures : 0 
     +0x034 InBlockCommitFailures : 0 
     +0x038 CompactHeapCalls : 0 
     +0x03c CompactedUCRs : 0 
     +0x040 AllocAndFreeOps : 0 
     +0x044 InBlockDeccommits : 0 
     +0x048 InBlockDeccomitSize : 0 
     +0x04c HighWatermarkSize : 0x9cde0 
     +0x050 LastPolledSize : 0x8f9c8 
    +0x130 TuningParameters : _HEAP_TUNING_PARAMETERS 
     +0x000 CommittThresholdShift : 4 
     +0x004 MaxPreCommittThreshold : 0xfe000 

Detailed view of the _HEAP_ENTRY (the one marked as internal). This is an encoded structure, which can be decoded by XORing it with the _HEAP.Encoding member:

0:004> dt _heap_entry 005b8d00 
ntdll!_HEAP_ENTRY 
    +0x000 Size    : 0xd19f 
    +0x002 Flags   : 0xfd '' 
    +0x003 SmallTagIndex : 0x3f '?' 
    +0x000 SubSegmentCode : 0x3ffdd19f 
    +0x004 PreviousSize  : 0xc8f7 
    +0x006 SegmentOffset : 0 '' 
    +0x006 LFHFlags   : 0 '' 
    +0x007 UnusedBytes  : 0x8 '' 
    +0x000 FunctionIndex : 0xd19f 
    +0x002 ContextValue  : 0x3ffd 
    +0x000 InterceptorValue : 0x3ffdd19f 
    +0x004 UnusedBytesLength : 0xc8f7 
    +0x006 EntryOffset  : 0 '' 
    +0x007 ExtendedBlockSignature : 0x8 '' 
    +0x000 Code1   : 0x3ffdd19f 
    +0x004 Code2   : 0xc8f7 
    +0x006 Code3   : 0 '' 
    +0x007 Code4   : 0x8 '' 
    +0x000 AgregateCode  : 0x800c8f7`3ffdd19f   

Now the commented code:

1) Fetch the aggregate form of the HEAP_ENTRY
2) Decode (XOR) the HEAP_ENTRY with the HEAP.Encoding member
3) Shift the result to get _HEAP_ENTRY.Flags
4) AND the result with HEAP_ENTRY_VIRTUAL_ALLOC (8) to see if it is an internal block

CPU Disasm 
Address  Command         Comments 
730AEF01 PUSH 0         ; /Arg4 = 0 
730AEF03 PUSH [email protected][email protected]@[email protected] ; |Arg3 = ASCII "AgregateCode" 
730AEF08 PUSH 0         ; |Arg2 = 0 
730AEF0A PUSH 0         ; |Arg1 = 0 
730AEF0C CALL GetShortField      ; \exts.GetShortField 
730AEF11 MOV DWORD PTR SS:[LOCAL.6],EAX   ; low part = 0x3FFDD19F (_HEAP_ENTRY.Code1) 
730AEF14 MOV DWORD PTR SS:[LOCAL.5],EDX   ; high part = 0x0800C8F7 
730AEF17 MOV EDX,DWORD PTR SS:[LOCAL.6] 
730AEF1A MOV DWORD PTR DS:[730F3158],EDX 
730AEF20 MOV EAX,DWORD PTR SS:[LOCAL.5] 
730AEF23 MOV DWORD PTR DS:[730F315C],EAX 
730AEF28 MOV ECX,DWORD PTR SS:[LOCAL.6]   ; 0x3FFDD19F 
730AEF2B AND ECX,DWORD PTR DS:[EncodeFlagMask] ; ecx = 0x3FFDD19F&0x00100000 = 0x00100000 
730AEF31 JE SHORT 730AEF75 
730AEF33 MOV EDX,DWORD PTR SS:[LOCAL.6]   ; edx = 0x3FFDD19F 
730AEF36 XOR EDX,DWORD PTR DS:[CrtHeapCode]  ; edx = 0x3FFDD19F^0x4FF4BE89 = 0x70096F16 
730AEF3C MOV EAX,DWORD PTR SS:[LOCAL.5]   ; eax = 0x0800C8F7 
730AEF3F XOR EAX,DWORD PTR DS:[730F3194]   ; eax = 0x0800C8F7^0xCF53 = 0x080007A4 
730AEF45 MOV DWORD PTR SS:[LOCAL.6],EDX   ; edx = 0x70096F16 
730AEF48 MOV DWORD PTR SS:[LOCAL.5],EAX   ; eax = 0x080007A4 
;[...]  
730AEFEE MOVZX EAX,WORD PTR SS:[LOCAL.6] 
730AEFF2 MOV DWORD PTR DS:[CrtHeapEntry],EAX  ; entry = 0x6f16 
730AEFF7 MOV EAX,DWORD PTR SS:[LOCAL.6]   ; low part = 0x70096F16 
730AEFFA MOV EDX,DWORD PTR SS:[LOCAL.5]   ; high part = 0x080007A4 
730AEFFD MOV CL,10 
730AEFFF CALL _aullshr 
730AF004 MOV BYTE PTR SS:[LOCAL.3+1],AL   ; 0x00000800:07A47009 -> al = 9 
730AF007 MOVZX ECX,BYTE PTR SS:[LOCAL.3+1] 
730AF00B AND ECX,FFFFFFE6 
730AF00E OR ECX,DWORD PTR DS:[730F3148] 
730AF014 MOV DWORD PTR DS:[730F3148],ECX 
730AF01A MOV EDX,DWORD PTR DS:[730F3148] 
730AF020 AND EDX,00000001 
730AF023 JE SHORT 730AF035 
730AF025 MOVZX EAX,BYTE PTR SS:[LOCAL.3+1]  ; eax = 9 
730AF029 AND EAX,00000008       ; 9 & 8 = 1 
730AF02C JE SHORT 730AF035 
730AF02E MOV BYTE PTR DS:[730F3152],1    ; set "Internal" flag 

Hope that helps!

+4
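The decoding walk-through above can be reproduced offline. The following is an added example, not code from the answer or from WinDbg/ntdll: it models the 8-byte x86 _HEAP_ENTRY union from the "dt _heap_entry" dump, decodes an entry exactly as the disassembly does (Code1 ^= Encoding.Code1, Code2 ^= Encoding.Code2, only when the raw Code1 has the EncodeFlagMask bit set), and then tests the Flags byte for HEAP_ENTRY_VIRTUAL_ALLOC. The input values (Encoding 0xcf53`4ff4be89, EncodeFlagMask 0x100000, granularity 8, and the three raw entries at 005b0000, 005b0588 and 005b8d00) are copied from the dumps in the answer. The SmallTagIndex checksum check is an assumption not shown on the page (it is the byte-XOR header validation that ntdll applies to encoded heap headers); the code also assumes a little-endian host, like the x86 target.

```c
#include <stdint.h>
#include <stdio.h>

/* _HEAP_ENTRY.Flags values (names as in the ReactOS heap.h linked above). */
#define HEAP_ENTRY_BUSY          0x01
#define HEAP_ENTRY_VIRTUAL_ALLOC 0x08

/* Reduced model of the 8-byte x86 _HEAP_ENTRY union printed by "dt _heap_entry".
 * Little-endian host assumed so the overlapping views line up as on x86. */
typedef union _HEAP_ENTRY {
    struct {
        uint16_t Size;          /* block size in granularity units (8 bytes here) */
        uint8_t  Flags;
        uint8_t  SmallTagIndex; /* checksum byte once the header is decoded */
        uint16_t PreviousSize;  /* previous block size, same units */
        uint8_t  SegmentOffset;
        uint8_t  UnusedBytes;
    };
    struct {
        uint32_t Code1;
        uint16_t Code2;
        uint8_t  Code3;
        uint8_t  Code4;
    };
    uint64_t AgregateCode;
} HEAP_ENTRY;

/* Decode one entry the way the disassembly on the page does it: when the raw
 * Code1 has the EncodeFlagMask bit set, XOR Code1 with Encoding.Code1 and
 * Code2 with Encoding.Code2; otherwise the header is returned untouched. */
static HEAP_ENTRY decode_heap_entry(uint64_t raw_aggregate, uint64_t encoding_aggregate,
                                    uint32_t encode_flag_mask)
{
    HEAP_ENTRY e, key;
    e.AgregateCode   = raw_aggregate;
    key.AgregateCode = encoding_aggregate;
    if (e.Code1 & encode_flag_mask) {
        e.Code1 ^= key.Code1;
        e.Code2 ^= key.Code2;
    }
    return e;
}

/* Assumption (not on the page): a decoded header is valid only if
 * SmallTagIndex == Size.lo ^ Size.hi ^ Flags. Useful to spot a corrupted or
 * wrongly decoded header before trusting its Size/Flags. */
static int heap_entry_checksum_ok(HEAP_ENTRY e)
{
    uint8_t expected = (uint8_t)(e.Size & 0xff) ^ (uint8_t)(e.Size >> 8) ^ e.Flags;
    return e.SmallTagIndex == expected;
}

/* "Internal" in !heap output: the HEAP_ENTRY_VIRTUAL_ALLOC bit of the decoded Flags. */
static int heap_entry_is_internal(HEAP_ENTRY e)
{
    return (e.Flags & HEAP_ENTRY_VIRTUAL_ALLOC) != 0;
}

/* Size in bytes, as !heap prints it (Size units * heap granularity). */
static uint32_t heap_entry_bytes(HEAP_ENTRY e, uint32_t granularity)
{
    return (uint32_t)e.Size * granularity;
}

/* Values copied from the dumps above: heap 005b0000, Granularity 8,
 * EncodeFlagMask 0x100000, Encoding.AgregateCode 0xcf53`4ff4be89. */
#define PAGE_ENCODE_FLAG_MASK 0x00100000u
#define PAGE_ENCODING         0x0000cf534ff4be89ull
#define PAGE_GRANULARITY      8u

int main(void)
{
    /* Raw (still encoded) AgregateCode values from the dumps above. */
    struct { const char *where; uint64_t raw; } entries[] = {
        { "005b0000 (_HEAP.Entry)", 0x0100cf53fff5be38ull },
        { "005b0588 (FirstEntry)",  0x0100cfe206f5bec1ull },
        { "005b8d00 (Internal)",    0x0800c8f73ffdd19full },
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        HEAP_ENTRY e = decode_heap_entry(entries[i].raw, PAGE_ENCODING, PAGE_ENCODE_FLAG_MASK);
        printf("%-24s size=%05x prev=%05x flags=%02x checksum=%s%s\n",
               entries[i].where,
               (unsigned)heap_entry_bytes(e, PAGE_GRANULARITY),
               (unsigned)e.PreviousSize * PAGE_GRANULARITY,
               (unsigned)e.Flags,
               heap_entry_checksum_ok(e) ? "ok" : "BAD",
               heap_entry_is_internal(e) ? " Internal" : "");
    }
    return 0;
}
```

The decoded entry at 005b8d00 comes out as Size 0x6f16 (0x378b0 bytes at granularity 8, matching the "!heap -h" line), PreviousSize 0x7a4 (0x3d20 bytes, also matching), and Flags 0x09, i.e. HEAP_ENTRY_VIRTUAL_ALLOC | HEAP_ENTRY_BUSY; the two ordinary entries decode to Flags 0x01 and sizes 0x588 and 0x240 bytes, and all three pass the checksum, which is a quick way to confirm the Encoding value you read from _HEAP is the right one.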

+1 just for the effort of reverse engineering the dll :) – RedX

+0

Thanks for all your effort –

+0

You should definitely answer more WinDbg-related questions. Great to learn from you. –