
Understanding the output of WinDbg command !heap -x -v


At the end of the output of the command !heap -x -v 0x1784e350, after the information about the heap block owning the pointer I'm investigating, there is a "Search VM for address range" section that lists pairs of addresses, which I am wondering about.

What information can I grab from it? What does it mean?

0:039> !heap -x -v 1784e350
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
1784e310  1784e318  02670000  17845ed0       248      -            0  LFH;free

Search VM for address range 1784e310 - 1784e557 : 0195d1dc (1784e354), 0195d1fc (1784e354), 0195d214 (1784e354), 086ce100 (1784e388), 086ce130 (1784e388), 086ce134 (1784e3b0), 086ce168 (1784e384), 086
ce16c (1784e388), 086ce1dc (1784e354), 086ce398 (1784e388), 086ce3a8 (1784e384), 086ce3ac (1784e388), 086ce408 (1784e354), 086ce41c (1784e318), 1195f498 (1784e350), 15b016dc (1784e318), 15b016e8 (1784
e318), 1783ca94 (1784e354), 17847b8c (1784e38e), 1788982c (1784e4a0), 17889858 (1784e354), 17d5e294 (1784e354), 17d5e2d8 (1784e354), 17d5e2dc (1784e354), 17d5e2ec (1784e354), 17d5e35c (1784e354), 17d5
e374 (1784e354), 17d5e38c (1784e354), 17d5e3a8 (1784e354), 17d5e3b0 (1784e354), 17d5e4c0 (1784e354), 17d5e508 (1784e354), 17d5e518 (1784e354), 17d5e52c (1784e350), 17d5e588 (1784e354), 17d5e59c (1784e
350), 17d5e5c8 (1784e354), 17d5e5cc (1784e318), 1a2cf610 (1784e350), 1a2cf7c0 (1784e350), 1a2cfa10 (1784e350), 1c9e87a8 (1784e350), 1c9e87e4 (1784e350), 1e4d6e0c (1784e350), 2685f0f8 (1784e350), 2685f
134 (1784e350), 26961294 (1784e318), 269612a0 (1784e318), 272eb7d8 (1784e318), 272ef6c0 (1784e318), 27434248 (1784e318), 27449dd0 (1784e318), 29aa6f7c (1784e350), 29aa814c (1784e350), 29aa8a0c (1784e3
50), 29ca87e0 (1784e318), 29cab438 (1784e318), 2a83a0f0 (1784e318), 2aafc128 (1784e350), 2aafc164 (1784e350), 2d055b10 (1784e318), 2d05d570 (1784e318), 2e79c5e4 (1784e350), 2f0a4f58 (1784e318), 2fe8d1
94 (1784e350), 32eae408 (1784e318), 32eb00e8 (1784e318), 35fc42e0 (1784e318),

Solution

  • Calling the command dd 0195d1dc L1 (the first address in the list) gave me the answer:

    0:039> dd 0195d1dc L1
    0195d1dc  1784e354
    

    "Search VM for address range" lists all the addresses that contain a value which is in the range of the heap block investigated.

    As a consequence, it lists all possible addresses which may be pointing inside the heap block that contains the address being investigated.

    This can be incredibly useful.
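
An added example, not part of the original answer: a small Python parser for the "Search VM for address range" text that rejoins addresses split by the console's line wrap and groups the referencing locations by the offset they point to, relative to the User pointer. The sample is an excerpt of the output quoted in the question; the function names are hypothetical, and it assumes the 32-bit address format shown on this page.

```python
import re
from collections import defaultdict

# Excerpt of the output quoted in the question, including one hard wrap
# that splits an address ("086" / "ce16c") the way the console did.
SAMPLE = (
    "Search VM for address range 1784e310 - 1784e557 : 0195d1dc (1784e354), "
    "086ce168 (1784e384), 086\n"
    "ce16c (1784e388), 086ce41c (1784e318), 1195f498 (1784e350), "
    "17847b8c (1784e38e), 1788982c (1784e4a0),"
)

HEADER = re.compile(r"Search VM for address range ([0-9a-f]+) - ([0-9a-f]+) :", re.I)
PAIR = re.compile(r"([0-9a-f]+) \(([0-9a-f]+)\)", re.I)

def parse_search_vm(text):
    """Return (start, end, [(location, value), ...]) from the debugger text."""
    # Assumption: wraps are fixed-width, so dropping newlines restores tokens.
    joined = text.replace("\r", "").replace("\n", "")
    m = HEADER.search(joined)
    if m is None:
        raise ValueError("no 'Search VM for address range' header found")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    pairs = [(int(loc, 16), int(val, 16))
             for loc, val in PAIR.findall(joined[m.end():])]
    for loc, val in pairs:
        # Every stored value must fall inside the block; otherwise the
        # text was damaged (for example, a wrap that was not rejoined).
        if not start <= val <= end:
            raise ValueError(f"value {val:#x} at {loc:#x} is outside the range")
    return start, end, pairs

def group_by_target(pairs, user_ptr):
    """Map offset-from-User-pointer -> locations holding a pointer to it."""
    groups = defaultdict(list)
    for loc, val in pairs:
        groups[val - user_ptr].append(loc)
    return dict(sorted(groups.items()))

if __name__ == "__main__":
    start, end, pairs = parse_search_vm(SAMPLE)
    # 1784e318 is the User column of the !heap -x -v output above.
    for off, locs in group_by_target(pairs, user_ptr=0x1784E318).items():
        print(f"user+{off:#x}: " + ", ".join(f"{l:08x}" for l in locs))
```

Each printed location can then be checked with `dd <location> L1`, as the answer does for the first entry.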