Fuzzing and detecting heap corruption with Gflags, pageheap, windbg and Image File Execution Options

It's time again to do some good ol' down home fuzzing on Windows, and I can't forget to enable full page heap checking, else I could miss some important heap corruption issues. With full page heap, each allocation sits on its own page with a guard page right after it, so an out-of-bounds read or write traps at the offending instruction instead of quietly corrupting a neighbouring block and surfacing much later (or never). So to remind myself how to do this, let's see:

1. First off, use a release version of the target application, not a debug build! Keep the release build's .pdb symbols around, though, or windbg won't give you a readable stack when the heap check fires. And have windbg.exe and the Debugging Tools for Windows installed to c:\debuggers.

2. Then, use page heap to catch heap corruption in the target. I could use BoundsChecker, Purify, or the other runtime memory tools out there, but page heap is built into the OS heap (ntdll) and gflags.exe ships free with the Debugging Tools for Windows. I'll use gflags.exe to enable full page heap checking for my process (the argument is the image name only, no path, and it applies to every process launched with that image name):

c:\debuggers\gflags -p /enable myapp.exe /full

3. This will set some registry values, which I should now see under the Image File Execution Options (IFEO) key for the image. GlobalFlag 0x02000000 is FLG_HEAP_PAGE_ALLOCS, and PageHeapFlags 0x3 means page heap is on (0x1) in full mode (0x2):

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe
GlobalFlag = REG_SZ 0x02000000
PageHeapFlags = REG_SZ 0x3


4. Full page heap costs at least a page per allocation, so a large application can run out of memory or slow to a crawl. If you only care about one loaded DLL or module, you can enable page heap for allocations made from that module alone with:

gflags -p /enable myapp.exe /full /dlls mydll.dll

5. If you want the target application to run under the debugger every time it launches, then set up the image file execution options again. Windows starts the Debugger command with the target's full command line appended, and -g tells windbg to skip the initial breakpoint so the target runs straight through to the crash:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe
Debugger = REG_SZ c:\debuggers\windbg -g

This value applies to every launch of myapp.exe on the machine, by anyone, until it is removed, so when the fuzzing run is over delete the Debugger value and turn page heap back off with gflags -p /disable myapp.exe.
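The five steps above, wrapped into PowerShell so a fuzzing harness can switch page heap on, confirm the IFEO values, and switch it off again. This is an added example, not code from the original post: it assumes the Debugging Tools are installed in C:\debuggers as above, the function names (Enable-FullPageHeap, Set-IfeoDebugger, Get-IfeoSettings, Disable-FullPageHeap) are my own, and it must run from an elevated prompt because it writes under HKLM.

```powershell
# Added example: drives gflags.exe and the IFEO registry key from PowerShell.
# Assumes Debugging Tools for Windows in C:\debuggers (as in the post); run elevated.
$Debuggers = 'C:\debuggers'
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Enable-FullPageHeap {
    # Step 2 and 4: full page heap for an image, optionally limited to one module.
    param(
        [Parameter(Mandatory)] [string] $Image,   # image name only, e.g. myapp.exe, never a path
        [string] $Dll                              # optional: only allocations from this DLL
    )
    $gflagsArgs = @('-p', '/enable', $Image, '/full')
    if ($Dll) { $gflagsArgs += @('/dlls', $Dll) }
    & "$Debuggers\gflags.exe" @gflagsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gflags.exe failed with exit code $LASTEXITCODE" }
}

function Set-IfeoDebugger {
    # Step 5: make every launch of the image start under the debugger.
    param(
        [Parameter(Mandatory)] [string] $Image,
        [string] $Command = "$Debuggers\windbg.exe -g"   # -g skips the initial breakpoint
    )
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -Value $Command -PropertyType String -Force | Out-Null
}

function Get-IfeoSettings {
    # Step 3: show what is actually in the IFEO key (GlobalFlag, PageHeapFlags, Debugger, ...).
    param([Parameter(Mandatory)] [string] $Image)
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
}

function Disable-FullPageHeap {
    # Cleanup: gflags clears the page heap flags; the Debugger value must be removed by hand.
    param([Parameter(Mandatory)] [string] $Image)
    & "$Debuggers\gflags.exe" -p /disable $Image | Out-Null
    $key = Join-Path $IfeoRoot $Image
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

# Usage (elevated prompt):
#   Enable-FullPageHeap -Image myapp.exe -Dll mydll.dll
#   Set-IfeoDebugger -Image myapp.exe
#   Get-IfeoSettings -Image myapp.exe      # confirm GlobalFlag / PageHeapFlags / Debugger
#   ... run the fuzzer against myapp.exe ...
#   Disable-FullPageHeap -Image myapp.exe
```

Get-IfeoSettings is there as the sanity check: if GlobalFlag and PageHeapFlags are not present for the exact image name the fuzzer launches, the run is not being checked at all, and a clean pass proves nothing. Disable-FullPageHeap belongs at the end of every run, since both the page heap flags and the Debugger value stay in effect for anyone on the machine who starts that image.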