所以我知道一个内存地址(例如:12208e6c)在一个特定的堆中。使用windbg,有没有办法确定这个堆的起始地址是什么,哪个函数负责分配它?
答案 0 :(得分:5)
!address <address>
为您提供有关地址包含在的堆的信息:
0:005> !address 03051234
Usage: Heap
Base Address: 03050000
End Address: 0307c000
Region Size: 0002c000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 03050000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x3050000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x3051234
“基地址”就是您所说的“起始地址”。
要找出分配该堆的人员,您必须启用名为“创建用户模式堆栈跟踪数据库”的功能并在GFlags中设置缓冲区大小。
执行此操作后,您可以找到这样的分配调用堆栈:
0:005> !gflag
Current NtGlobalFlag contents: 0x00001000
ust - Create user mode stack trace database
0:005> !heap -p -a 00591234
address 00591234 found in
_HEAP @ 590000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
00590f28 0103 0000 [00] 00590f40 00800 - (busy)
msvcrt!_iob
7782e159 ntdll!RtlAllocateHeap+0x00000274
7629ade8 msvcrt!_calloc_impl+0x00000136
7629ae43 msvcrt!_calloc_crt+0x00000016
762a1e48 msvcrt!__initstdio+0x0000000d
762a1fc8 msvcrt!_cinit+0x0000001e
762a1a94 msvcrt!_core_crt_dll_init+0x000001b2
7629a48c msvcrt!_CRTDLL_INIT+0x0000001b
777e92e0 ntdll!__RtlUserThreadStart+0x00000021
777f061b ntdll!RtlpAllocateHeap+0x0000083a
777f6d84 ntdll!LdrpInitializeProcess+0x0000137e
777f583e ntdll!RtlSetEnvironmentVariable+0x00000020
777e9809 ntdll!LdrpUpdateLoadCount2+0x00000047