Vulnerability Development mailing list archives

PEB heap exploitation question
From: <6d79676d61696c6163636f756e74 () gmail com>
Date: 21 May 2005 05:14:51 -0000



Hello folks,

I am trying to modify an exploit to use the PEB method to exploit a heap overflow which currently overwrites the unhandled exception filter.

What I have tried doing is to make 2 writes - the first, overwriting the FastPEBLockRoutine pointer to a writable address inside the PEB, then what I have been told is that I need to overwrite the freelist head for the allocated size with the same address so that the next allocation would be made from there and the shellcode would be placed at that location (thus this requires the application to stay live after the first overwrite).

I am having trouble figuring out where the heap base address is and what size the vulnerable application is allocating - thus I don't know the address of the freelist which I need to overwrite.

I am also having trouble making the program not crash after overwriting the PEB - thus I don't even reach the point of overwriting the freelist. I don't know why this is happening because the PEB is writable and indeed was overwritten with my address. It seems to be crashing somewhere inside RtlAllocateHeap when it is accessing a weird random address (not data which I sent).

Is there a method of exploitation which is SP independent and does not require multiple successful writes?

What is the best way to debug the service and find the allocation size and base heap address?

Your help is greatly appreciated!
