
Getting Back Determinism in the Low Fragmentation Heap (2014) - luu
https://blog.lse.epita.fr/articles/74-getting-back-determinism-in-the-lfh.html
======
saagarjha
> It will basically fill the RtlpLowFragHeapRandomData array with 0x100 random
> values.
    add esi, 8
    cmp esi, 100h

Won't it actually only fill it with 0x100/8=32 random values?

    call _RtlpHeapGenerateRandomValue64@0
    and eax, edi
    and edx, edi
    mov _RtlpLowFragHeapRandomData[esi], eax
    mov dword_6A2F83C4[esi], edx ; I assume this is RtlpLowFragHeapRandomData + 1?

Also, as an aside: why the extra and instead of storing the return value from
RtlpHeapGenerateRandomValue64 directly? Also, why the mov edi, edi at the
beginning? I assume it's a 2-byte patchable NOP, but is marking security-
critical heap functions RWX a normal thing to do?
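
As an added illustration, not code from the article or from ntdll: a C model of the fill loop quoted above, built only from the instructions visible in the listing, so the loop's arithmetic can be counted. The PRNG standing in for RtlpHeapGenerateRandomValue64 and the mask value held in edi are assumptions (the page does not show either); the placement of the second store target (dword_6A2F83C4) as the dword 4 bytes past the first is also an assumption, taken from the 8-byte stride with two dword stores per pass.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound from "cmp esi, 100h": the array is 0x100 bytes long. */
#define RANDOM_DATA_BYTES 0x100

/* Model of the global byte array the loop fills (addressed by esi). */
static uint8_t RtlpLowFragHeapRandomData[RANDOM_DATA_BYTES];

/* Stand-in for RtlpHeapGenerateRandomValue64. ASSUMPTION: a fixed-seed
 * xorshift64 so the model is repeatable; it is not the ntdll routine. */
static uint64_t g_state = 0x9E3779B97F4A7C15ULL;

static uint64_t model_RtlpHeapGenerateRandomValue64(void)
{
    uint64_t x = g_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    g_state = x;
    return x;
}

struct fill_stats {
    unsigned calls;          /* 64-bit random values requested */
    unsigned dwords_stored;  /* 32-bit stores into the array */
    unsigned bytes_stored;   /* bytes of the array written */
};

/* The loop from the listing: esi = 0, 8, ..., 0xF8. Each pass requests one
 * 64-bit value, masks both halves with the value in edi (not shown on the
 * page; passed in here as 'mask'), stores the low dword at [array + esi]
 * and the high dword at [array + esi + 4]. ASSUMPTION: the second store
 * target (dword_6A2F83C4) is the dword 4 bytes past the first, which is
 * what an 8-byte stride with two dword stores implies. */
struct fill_stats model_fill_random_data(uint32_t mask)
{
    struct fill_stats st = {0, 0, 0};
    memset(RtlpLowFragHeapRandomData, 0, sizeof RtlpLowFragHeapRandomData);
    for (uint32_t esi = 0; esi < RANDOM_DATA_BYTES; esi += 8) {
        uint64_t v   = model_RtlpHeapGenerateRandomValue64();
        uint32_t eax = (uint32_t)v & mask;          /* and eax, edi */
        uint32_t edx = (uint32_t)(v >> 32) & mask;  /* and edx, edi */
        memcpy(&RtlpLowFragHeapRandomData[esi],     &eax, 4);
        memcpy(&RtlpLowFragHeapRandomData[esi + 4], &edx, 4);
        st.calls++;
        st.dwords_stored += 2;
        st.bytes_stored  += 8;
    }
    return st;
}

/* 1 if no stored dword has a bit outside 'mask', i.e. the 'and' did its job. */
int model_all_dwords_masked(uint32_t mask)
{
    for (unsigned off = 0; off < RANDOM_DATA_BYTES; off += 4) {
        uint32_t d;
        memcpy(&d, &RtlpLowFragHeapRandomData[off], 4);
        if (d & ~mask)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct fill_stats st = model_fill_random_data(0xFFFFFFFFu);
    printf("64-bit calls: %u, dwords stored: %u, bytes stored: %u of 0x%x\n",
           st.calls, st.dwords_stored, st.bytes_stored, RANDOM_DATA_BYTES);
    return 0;
}
```

The counts the model reports depend only on the stride and the two stores per pass, not on the PRNG: 0x100 / 8 passes, each consuming one 64-bit value and writing two dwords, so the whole 0x100-byte array ends up written.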

