Hi,

Can anybody tell me about what is being checked here at the addresses:
(image attached)

And also had a question about the addresses of Lookaside buffer and freelist and virtual allocation list:

I got the addresses as:

Lookaside list: 0x688
FreeList : 0x178

are these addresses correct?

Thanks

Sorry for the brief reply.

arg0 RtlAllocateHeap (HeapHandle) = PEB.ProcessHeap = pointer to HEAP structure

> dt nt!_HEAP
to get those field names

Here's some further info on mucking with PEB.ProcessHeap

http://www.woodmann.com/forum/showthread.php?t=9278

@kayaker:

Thanks a lot, exactly the thing i was looking, assembly makes sense now

Here's one of the best resources giving heap details i have found so far:

http://advancedwindowsdebugging.com/ch06.pdf