PageHeap.cmd
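@ECHO OFF
REM Enables, disables or shows page heap settings for a binary or for a known
REM application, by way of the GlobalFlag value under the Image File Execution
REM Options key in HKLM.
REM
REM Argument 1: a binary file name or a known application name, see SHOW_USAGE.
REM Argument 2: ON, OFF, a question mark, or nothing to query the current value.
REM
REM The registry key is named after the image file name only, so a setting
REM applies machine-wide to every binary with that name and stays in place
REM until it is switched OFF again. Several groups below include shared Windows
REM binaries such as regsvr32.exe, rundll32.exe and RuntimeBroker.exe, so
REM unrelated uses of those binaries run with page heap as well.
IF NOT "%~2" == "ON" IF NOT "%~2" == "OFF" GOTO :DO_NOT_REQUIRE_ADMIN
REM Setting the value requires administrator privileges. The dirty query is
REM used as an elevation probe: its failure is treated as not elevated.
REM fsutil.exe is called by full path, like reg.exe and find.exe elsewhere in
REM this file, so that a file named fsutil in the current directory or earlier
REM on PATH cannot run in its place from an elevated prompt.
"%WinDir%\System32\fsutil.exe" dirty query %SystemDrive% >nul
IF ERRORLEVEL 1 (
    ECHO Please run as an administrator with elevated privileges.
    EXIT /B 1
)
:DO_NOT_REQUIRE_ADMIN
IF "%~1" == "" (
    CALL :SHOW_USAGE
) ELSE IF "%~1" == "-?" (
    CALL :SHOW_USAGE
) ELSE IF "%~1" == "-h" (
    CALL :SHOW_USAGE
) ELSE IF "%~1" == "/?" (
    CALL :SHOW_USAGE
) ELSE IF "%~1" == "/h" (
    CALL :SHOW_USAGE
) ELSE IF "%~1" == "aoo-writer" (
    CALL :SET_OR_SHOW_PAGE_HEAP "swriter.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "acrobat" (
    CALL :SET_OR_SHOW_PAGE_HEAP "AcroRd32.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "acrobatdc" (
    CALL :SET_OR_SHOW_PAGE_HEAP "AdobeARM.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "AcroRd32.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "chrome" (
    REM CHROME_ALLOCATOR is only touched when switching ON or OFF. A query
    REM must leave the environment and the registry as they are.
    IF "%~2" == "ON" (
        SET CHROME_ALLOCATOR=winheap
        "%WinDir%\System32\reg.exe" ADD "HKCU\Environment" /v "CHROME_ALLOCATOR" /t REG_SZ /d "winheap" /f
        IF ERRORLEVEL 1 (
            ECHO - Cannot set CHROME_ALLOCATOR enironment variable in the registry.
        )
        CALL :SHOW_CHROME_ALLOCATOR_NOTE
    ) ELSE IF "%~2" == "OFF" (
        SET CHROME_ALLOCATOR=
        "%WinDir%\System32\reg.exe" QUERY "HKCU\Environment" /v "CHROME_ALLOCATOR" >nul 2>&1
        IF NOT ERRORLEVEL 1 (
            "%WinDir%\System32\reg.exe" DELETE "HKCU\Environment" /v "CHROME_ALLOCATOR" /f >nul
            IF ERRORLEVEL 1 (
                ECHO - Cannot remove CHROME_ALLOCATOR enironment variable from the registry.
            )
        )
        CALL :SHOW_CHROME_ALLOCATOR_NOTE
    )
    CALL :SET_OR_SHOW_PAGE_HEAP "chrome.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "software_reporter_tool.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "edge" (
    CALL :SET_OR_SHOW_PAGE_HEAP "ApplicationFrameHost.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "browser_broker.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "MicrosoftEdge.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "MicrosoftEdgeCP.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "RuntimeBroker.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "firefox" (
    CALL :SET_OR_SHOW_PAGE_HEAP "firefox.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "helper.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "updater.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "plugin-container.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "pingsender.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    REM Firefox uses regsvr32.exe to register AccessibleHandler.dll
    CALL :SET_OR_SHOW_PAGE_HEAP "regsvr32.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    REM The ON or OFF switch is argument 2. Argument 1 is always firefox here,
    REM so testing it meant the note was never shown.
    IF "%~2" == "ON" (
        ECHO NOTE: Firefox has its own heap manager, so heap corruption detection is not as
        ECHO good as it could be.
    )
) ELSE IF "%~1" == "flash" (
    REM The nx modifier already yields the file name including its extension,
    REM and the ON or OFF switch to pass on is argument 2, not argument 1.
    FOR %%I IN ("%SystemRoot%\SysWOW64\Macromed\Flash\FlashPlayerPlugin_*.exe", "%SystemRoot%\System32\Macromed\Flash\FlashPlayerPlugin_*.exe") DO (
        CALL :SET_OR_SHOW_PAGE_HEAP "%%~nxI" "%~2"
        IF ERRORLEVEL 1 EXIT /B 1
    )
) ELSE IF "%~1" == "foxit" (
    CALL :SET_OR_SHOW_PAGE_HEAP "FoxitReader.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    CALL :SET_OR_SHOW_PAGE_HEAP "FoxitReader_Lib_Full.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "java" (
    CALL :SET_OR_SHOW_PAGE_HEAP "java.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE IF "%~1" == "msie" (
    CALL :SET_OR_SHOW_PAGE_HEAP "iexplore.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
    REM I saw iexplore.exe spawn rundll32.exe once, so I'm adding it:
    CALL :SET_OR_SHOW_PAGE_HEAP "rundll32.exe" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
) ELSE (
    REM Anything else is treated as a binary file name and used as given.
    CALL :SET_OR_SHOW_PAGE_HEAP "%~1" "%~2"
    IF ERRORLEVEL 1 EXIT /B 1
)
EXIT /B 0
:SHOW_CHROME_ALLOCATOR_NOTE
REM Explains the CHROME_ALLOCATOR change made next to the page heap flags.
ECHO Note: switching page heap on or off for Chrome requires the CHROME_ALLOCATOR
ECHO environment variable to be set to "winheap" or be unset respectively. This
ECHO change has been applied through the registry and in the current process'
ECHO environment, but you may want to log off and on again to make sure this is
ECHO applied to all processes.
EXIT /B 0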
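:SHOW_USAGE
REM Prints command line help. The list of known applications mirrors the names
REM handled by the dispatch at the top of this file, including java.
ECHO Usage:
ECHO %~nx0 ^<binary file name^> [ON^|OFF]
ECHO Or:
ECHO %~nx0 ^<known application^> [ON^|OFF]
ECHO Where known application is one of:
ECHO aoo-writer Apache OpenOffice Writer
ECHO acrobat Adobe Acrobat Reader
ECHO acrobatdc Adobe Acrobat Reader DC
ECHO chrome Google Chrome
ECHO edge Microsoft Edge
ECHO firefox Mozilla Firefox
ECHO flash Adobe Flash
ECHO foxit Foxit Reader
ECHO java Java
ECHO msie Microsoft Internet Explorer
ECHO Omit ON^|OFF to show the current page heap setting.
EXIT /B 0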
:SET_OR_SHOW_PAGE_HEAP
REM Sets or reports the GlobalFlag value for one binary under the Image File
REM Execution Options key in HKLM.
REM Argument 1: image file name, used verbatim as the registry subkey name, so
REM             it should be a bare file name without a path.
REM Argument 2: ON writes 0x02109870, OFF writes 0x00000000, nothing queries
REM             the current value, a question mark calls SHOW_PAGE_HEAP, and
REM             anything else shows the usage text and exits with 1.
REM Exits with 0 on success. A failing reg.exe ADD jumps to the ERROR label.
REM OFF overwrites the value with zero and does not delete it, so the subkey
REM for the binary stays in the registry.
REM
REM Known GlobalFlag bits. The ones marked with an asterisk add up to 02109870,
REM the value written for ON.
REM 00000001 soe - Stop On Exception
REM 00000002 sls - Show Loader Snaps
REM 00000004 dic - Debug Initial Command \ These seem to go together in gflags.exe
REM 00000008 shg - Stop on Hung GUI /
REM 00000010 *htc - Enable heap tail checking
REM 00000020 *hfc - Enable heap free checking
REM 00000040 *hpc - Enable heap parameter checking
REM 00000080 hvc - Enable heap validation on call
REM 00000100 vrf - Enable application verifier
REM 00000800 *htg - Enable heap tagging
REM 00001000 *ust - Create user mode stack trace database
REM 00008000 *htd - Enable heap tagging by DLL
REM 00010000 dse - Disable stack extensions
REM 00100000 *scb - Enable system critical breaks
REM 00200000 dhc - Disable Heap Coalesce on Free
REM 00800000 eel - Enable exception logging
REM 02000000 *hpa - Enable page heap
REM 10000000 cse - Early critical section event creation
REM 20000000 sue - Stop on Unhandled Exception
REM 80000000 dpd - Disable protected DLL verification
REM ----------
REM 02109870
REM The following flags were considered but not enabled:
REM 00000080 Enable heap validation on call ## disabled because of overhead
REM 00000800 Enable heap tagging ## disabled because tags are not used.
REM 00000100 Enable application verifier ## disabled because of idunno
REM 00200000 Disable heap coalesce on free ## superfluous: page heap is enabled
REM 00400000 Enable close exception ## I don't think this is useful
REM NOTE review: 00000800 heap tagging is listed above as not enabled, yet it
REM is marked with an asterisk in the table and is part of 02109870. Confirm
REM which of the two is intended.
IF "%~2" == "OFF" (
ECHO * Disabling page heap for binary %~1...
"%WinDir%\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" /t REG_SZ /d "0x00000000" /f >nul
IF ERRORLEVEL 1 GOTO :ERROR
) ELSE IF "%~2" == "ON" (
ECHO * Enabling page heap for binary %~1...
"%WinDir%\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" /t REG_SZ /d "0x02109870" /f >nul
IF ERRORLEVEL 1 GOTO :ERROR
) ELSE IF "%~2" == "" (
ECHO * Querying current page heap flags for binary %~1...
REM A failing query means there is no GlobalFlag value, which is reported as OFF.
"%WinDir%\System32\reg.exe" QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" >nul 2>nul
IF ERRORLEVEL 1 (
ECHO - Page heap is OFF.
) ELSE (
REM For some obscure reason I cannot put quotes around the reg.exe path because it causes an error:
REM "The system cannot find the path specified."
REM NOTE review: probably because the command is run through a child cmd that
REM strips the outer pair of quotes when the line starts with a quote. As
REM written, the unquoted path breaks if WinDir contains a space.
REM The third token of the matching output line is the value data.
FOR /F "usebackq tokens=3" %%I IN (`%WinDir%\System32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" ^| "%WinDir%\System32\find.exe" "GlobalFlag"`) DO (
IF "%%~I" == "0x02109870" (
ECHO + Page heap is ON ^(0x02109870^).
) ELSE IF "%%~I" == "0x00000000" (
ECHO - Page heap is OFF.
) ELSE (
ECHO * Page heap flags are %%~I.
)
)
)
) ELSE IF "%~2" == "?" (
REM The exit code of SHOW_PAGE_HEAP is not checked, so this path exits with 0.
CALL :SHOW_PAGE_HEAP "%~1"
) ELSE (
CALL :SHOW_USAGE
EXIT /B 1
)
EXIT /B 0
:SHOW_PAGE_HEAP
REM Reports whether page heap is enabled, disabled or customised for the binary
REM named by argument 1, judged by the GlobalFlag value under its Image File
REM Execution Options key. Exits with 1 for custom flags and with 0 otherwise.
REM A missing GlobalFlag value counts as disabled.
"%WinDir%\System32\reg.exe" QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" >nul 2>nul || (
    ECHO - Page heap is disabled for binary %~1.
    EXIT /B 0
)
REM The value this script writes for ON.
"%WinDir%\System32\reg.exe" QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" | "%WinDir%\System32\find.exe" "0x02109870" >nul && (
    ECHO + Page heap is enabled for binary %~1.
    EXIT /B 0
)
REM The value this script writes for OFF.
"%WinDir%\System32\reg.exe" QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" | "%WinDir%\System32\find.exe" "0x00000000" >nul && (
    ECHO - Page heap is disabled for binary %~1.
    EXIT /B 0
)
REM Any other value was not written by this script, so print it as found.
ECHO * Custom page heap settings are enabled for binary %~1:
"%WinDir%\System32\reg.exe" QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /v "GlobalFlag" | "%WinDir%\System32\find.exe" "GlobalFlag"
EXIT /B 1
:ERROR
REM Shared failure exit, reached by GOTO from SET_OR_SHOW_PAGE_HEAP when a
REM reg.exe ADD fails. Prints the error level left by the failed command and
REM returns that same value to the caller of the subroutine.
ECHO - Error code %ERRORLEVEL%.
EXIT /B %ERRORLEVEL%