
Feature Request: Comprehensive HeapWalk Implementation for Windows Memory Analysis #1303

Open
avizack18 opened this issue Oct 8, 2024 · 2 comments

Comments

@avizack18

Overview

Request to implement a comprehensive HeapWalk functionality in Volatility 3 that supports both traditional Windows heap structures and the newer Windows 10 Segment Heap architecture.

References

  1. HeapList implementation with simple _HEAP_SEGMENT & _HEAP_ENTRY support:
    https://raw.githubusercontent.com/abeDCP/HeapList/refs/heads/main/heaplist.py

  2. Windows 10 Segment Heap internals whitepaper:
    https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf

Current Situation

Currently, basic heap analysis can be performed using implementations similar to the HeapList script (Reference 1), which handles:

  • _HEAP_SEGMENT
  • _HEAP_ENTRY

However, this doesn't address the complex Windows 10 Segment Heap structures introduced since Windows 10 and detailed in the Windows 10 Segment Heap Internals whitepaper (Reference 2).

Requested Features

1. Traditional Heap Support

  • Maintain support for pre-Windows 10 heap structures similar to Reference 1
  • Implement walking of _HEAP_SEGMENT and _HEAP_ENTRY
  • Parse heap flags and heap entry flags

2. Windows 10 Segment Heap Support

Implement support for all four components of the Windows 10 Segment Heap as detailed in Reference 2:

a) The Backend Allocator

  • Parse _SEGMENT_HEAP structure
  • Handle backend allocation pages
  • Support size bracketing and metadata

b) The Variable Size (VS) Allocation Component

  • Implement page range descriptor parsing
  • Handle subsegment structures
  • Support VS context handling

c) The Low Fragmentation Heap (LFH)

  • Parse LFH structures within Segment Heap
  • Handle bucket allocation
  • Support affinity slots

d) The Large Blocks Allocation Component

  • Implement large block handling
  • Parse large block metadata
  • Support spanning pages

Use Cases

  1. Memory forensics of Windows 10+ systems
  2. Malware analysis in modern Windows environments
  3. Advanced memory leak investigations
  4. Heap-based exploit analysis

Benefits

  • Complete coverage of Windows heap implementations
  • Enhanced memory forensics capabilities
  • Improved malware detection and analysis
  • Better support for Windows 10 and newer systems
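As an added example (not code from this issue, from Volatility 3, or from the HeapList script), the _HEAP_SEGMENT / _HEAP_ENTRY walk that item 1 asks for, run over a constructed x64 NT-heap segment: each header is decoded with _HEAP.Encoding, its byte checksum and PreviousSize chain are checked, and the walk stops at a header that fails validation, which is the check a forensic plugin needs before trusting the Size chain. The layout constants, the Encoding value and the sample blocks are assumptions made for the constructed data.

```python
import struct

# Assumptions (constructed example, not Volatility or HeapList code): x64 NT heap layout, where
# _HEAP_ENTRY is 16 bytes, its last 8 bytes are XOR-encoded with _HEAP.Encoding, and Size /
# PreviousSize count 16-byte units. A real plugin would take these from the symbol tables.
GRANULARITY = 16
HDR = 16
HEAP_ENTRY_BUSY, HEAP_ENTRY_LAST_ENTRY = 0x01, 0x10

def decode_entry(raw8: bytes, encoding: bytes) -> dict:
    """Decode one encoded 8-byte header and verify the built-in byte checksum."""
    dec = bytes(a ^ b for a, b in zip(raw8, encoding))
    size, flags, tag, prev, segoff, unused = struct.unpack("<HBBHBB", dec)
    return {"size": size, "flags": flags, "prev": prev, "unused": unused,
            # SmallTagIndex must equal the XOR of the three bytes before it
            "checksum_ok": (dec[0] ^ dec[1] ^ dec[2]) == tag}

def encode_entry(size, flags, prev, unused, encoding) -> bytes:
    """Build a valid encoded header (used only to construct the sample segment)."""
    tag = (size & 0xFF) ^ (size >> 8) ^ flags
    plain = struct.pack("<HBBHBB", size, flags, tag, prev, 0, unused)
    return bytes(8) + bytes(a ^ b for a, b in zip(plain, encoding))

def walk_segment(buf: bytes, first_entry: int, last_valid: int, encoding: bytes) -> list:
    """Follow the Size chain from _HEAP_SEGMENT.FirstEntry to LastValidEntry; stop on the
    LAST_ENTRY flag or on a header that fails validation (corruption, or a wrong Encoding)."""
    off, prev_size, out = first_entry, 0, []
    while off + HDR <= last_valid:
        e = decode_entry(buf[off + 8:off + HDR], encoding)
        e.update(addr=off, prev_ok=(e["prev"] == prev_size))
        out.append(e)
        if not e["checksum_ok"] or e["size"] == 0 or e["flags"] & HEAP_ENTRY_LAST_ENTRY:
            break
        off, prev_size = off + e["size"] * GRANULARITY, e["size"]
    return out

# Constructed sample: a fake _HEAP.Encoding and three chained blocks (64, 32 and 48 bytes).
ENCODING = bytes.fromhex("aa55c3e1aa55c3e1")
blocks = [(4, HEAP_ENTRY_BUSY, 0, 3), (2, 0, 4, 0), (3, HEAP_ENTRY_BUSY | HEAP_ENTRY_LAST_ENTRY, 2, 7)]
SEGMENT = b"".join(encode_entry(s, f, p, u, ENCODING).ljust(s * GRANULARITY, b"\0")
                   for s, f, p, u in blocks)
# Same segment with the second header overwritten, as a corrupted heap would look.
CORRUPTED = SEGMENT[:4 * GRANULARITY + 8] + b"\x41" * 8 + SEGMENT[4 * GRANULARITY + 16:]

if __name__ == "__main__":
    for e in walk_segment(SEGMENT, 0, len(SEGMENT), ENCODING):
        print(f"{e['addr']:#06x} size={e['size'] * GRANULARITY:<4} flags={e['flags']:#04x} "
              f"prev_ok={e['prev_ok']} checksum_ok={e['checksum_ok']}")
```
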

@atcuno (Contributor) commented Oct 8, 2024

Hello @avizack18,

Thank you for taking the time to write a detailed ticket.

I am curious what the practical benefits of parsing the allocator so deeply are in terms of supporting malware analysis and incident response versus just dumping out entire heap regions.

Generally with malware/IR, you want to target the regions to then have high-precision/context strings search, such as knowing you are searching the heap of a browser process of interest. I am not familiar with cases of needing to know specific allocations or allocation details when analyzing malware or user behaviour though - I only know the detailed structure examination when crafting or reversing exploits, which I feel a debugger is much better suited for.

I think it's worth our time to add a plugin that automatically extracts entire heaps, but I am not sure about the detailed granular parsing work for the newer Win10+ allocators.

@avizack18 (Author) commented

Hi atcuno,

Thanks for your feedback. We agree that a balance between granularity and performance is important.

We're considering implementing:

  • Full Heap Dump Plugin: for quick extraction and later analysis.
  • Granular Parsing Mode: for in-depth investigation of specific allocations.

This approach would provide flexibility for various use cases, including malware analysis, incident response, and memory leak investigations.
