Finding the function that allocated a heap from a memory address inside that heap

Time: 2015-08-29 18:17:11

Tags: windbg

So I know that a memory address (e.g. 12208e6c) is inside a particular heap. Using windbg, is there a way to determine what the start address of this heap is and which function was responsible for allocating it?

1 answer:

Answer 0: (score: 5)

!address <address> gives you information about the heap the address is contained in:

0:005> !address 03051234
Usage:                  Heap
Base Address:           03050000
End Address:            0307c000
Region Size:            0002c000
State:                  00001000    MEM_COMMIT
Protect:                00000004    PAGE_READWRITE
Type:                   00020000    MEM_PRIVATE
Allocation Base:        03050000
Allocation Protect:     00000004    PAGE_READWRITE
More info:              heap owning the address: !heap 0x3050000
More info:              heap segment
More info:              heap entry containing the address: !heap -x 0x3051234

The "Base Address" is what you called the "start address".

To find out who allocated that heap, you have to enable the feature called "Create user mode stack trace database" and set a buffer size in GFlags.

(image: GFlags settings)

After doing that, you can find the allocating call stack like this:

0:005> !gflag
Current NtGlobalFlag contents: 0x00001000
    ust - Create user mode stack trace database

0:005> !heap -p -a 00591234
    address 00591234 found in
    _HEAP @ 590000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00590f28 0103 0000  [00]   00590f40    00800 - (busy)
          msvcrt!_iob
        7782e159 ntdll!RtlAllocateHeap+0x00000274
        7629ade8 msvcrt!_calloc_impl+0x00000136
        7629ae43 msvcrt!_calloc_crt+0x00000016
        762a1e48 msvcrt!__initstdio+0x0000000d
        762a1fc8 msvcrt!_cinit+0x0000001e
        762a1a94 msvcrt!_core_crt_dll_init+0x000001b2
        7629a48c msvcrt!_CRTDLL_INIT+0x0000001b
        777e92e0 ntdll!__RtlUserThreadStart+0x00000021
        777f061b ntdll!RtlpAllocateHeap+0x0000083a
        777f6d84 ntdll!LdrpInitializeProcess+0x0000137e
        777f583e ntdll!RtlSetEnvironmentVariable+0x00000020
        777e9809 ntdll!LdrpUpdateLoadCount2+0x00000047
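As an added example (not part of the original answer), here is a small Python parser for the two WinDbg outputs quoted above. It pulls the region bounds and the owning heap out of "!address", checks that the queried address really lies inside that region and inside the user block reported by "!heap -p -a", and then walks the captured stack trace past the allocator's own frames (RtlAllocateHeap, the CRT _calloc_* wrappers) to the first caller, which is the function the question is asking for. The sample inputs are the answer's own output embedded as constructed strings; the list of allocator frame prefixes to skip is an assumption made for this example.

```python
import re

# Constructed sample input: the "!address" output quoted in the answer above.
ADDRESS_OUTPUT = """\
0:005> !address 03051234
Usage:                  Heap
Base Address:           03050000
End Address:            0307c000
Region Size:            0002c000
State:                  00001000    MEM_COMMIT
Protect:                00000004    PAGE_READWRITE
Type:                   00020000    MEM_PRIVATE
Allocation Base:        03050000
Allocation Protect:     00000004    PAGE_READWRITE
More info:              heap owning the address: !heap 0x3050000
More info:              heap segment
More info:              heap entry containing the address: !heap -x 0x3051234
"""

# Constructed sample input: the "!heap -p -a" output quoted in the answer above.
HEAP_OUTPUT = """\
0:005> !heap -p -a 00591234
    address 00591234 found in
    _HEAP @ 590000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00590f28 0103 0000  [00]   00590f40    00800 - (busy)
          msvcrt!_iob
        7782e159 ntdll!RtlAllocateHeap+0x00000274
        7629ade8 msvcrt!_calloc_impl+0x00000136
        7629ae43 msvcrt!_calloc_crt+0x00000016
        762a1e48 msvcrt!__initstdio+0x0000000d
        762a1fc8 msvcrt!_cinit+0x0000001e
        762a1a94 msvcrt!_core_crt_dll_init+0x000001b2
        7629a48c msvcrt!_CRTDLL_INIT+0x0000001b
        777e92e0 ntdll!__RtlUserThreadStart+0x00000021
        777f061b ntdll!RtlpAllocateHeap+0x0000083a
        777f6d84 ntdll!LdrpInitializeProcess+0x0000137e
        777f583e ntdll!RtlSetEnvironmentVariable+0x00000020
        777e9809 ntdll!LdrpUpdateLoadCount2+0x00000047
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(\S.*)$")          # "Key:   value" lines
HEAP_RE = re.compile(r"_HEAP @ ([0-9a-fA-F]+)")               # "_HEAP @ 590000"
ENTRY_RE = re.compile(                                         # the HEAP_ENTRY data row
    r"^\s*([0-9a-f]{8})\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s+\[([0-9a-f]{2})\]"
    r"\s+([0-9a-f]{8})\s+([0-9a-f]+)\s+-\s+\((\w+)\)\s*$")
FRAME_RE = re.compile(r"^\s*([0-9a-f]{8})\s+(\S+)\s*$")        # "<addr> module!symbol+off"

# Assumption for this example: frames that are part of the allocator itself.
# The "allocating function" is the first frame that is not one of these.
ALLOCATOR_PREFIXES = ("ntdll!RtlAllocateHeap", "ntdll!RtlpAllocateHeap",
                      "msvcrt!_calloc", "msvcrt!_malloc", "msvcrt!calloc", "msvcrt!malloc")


def parse_address(text):
    """Extract region bounds and the owning heap from "!address" output."""
    fields, owning_heap = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "More info":  # repeated key; only the owning-heap hint is needed
            h = re.search(r"heap owning the address: !heap (0x[0-9a-fA-F]+)", value)
            if h:
                owning_heap = int(h.group(1), 16)
        else:
            fields[key] = value
    return {"usage": fields["Usage"],
            "base": int(fields["Base Address"], 16),
            "end": int(fields["End Address"], 16),
            "owning_heap": owning_heap}


def in_region(info, address):
    """True if address lies in the half-open range [base, end) reported by !address."""
    return info["base"] <= address < info["end"]


def parse_heap_entry(text):
    """Extract the heap, the user block and the captured call stack from "!heap -p -a" output."""
    entry = {"heap": None, "frames": []}
    for line in text.splitlines():
        h = HEAP_RE.search(line)
        if h:
            entry["heap"] = int(h.group(1), 16)
            continue
        e = ENTRY_RE.match(line)
        if e:
            entry["user_ptr"] = int(e.group(5), 16)
            entry["user_size"] = int(e.group(6), 16)
            entry["state"] = e.group(7)
            continue
        f = FRAME_RE.match(line)
        if f:
            entry["frames"].append(f.group(2))  # innermost frame first, as WinDbg prints it
    return entry


def in_block(entry, address):
    """True if address lies inside the user block [UserPtr, UserPtr + UserSize)."""
    return entry["user_ptr"] <= address < entry["user_ptr"] + entry["user_size"]


def allocating_caller(frames):
    """Return the first stack frame that is not the allocator itself, or None."""
    for frame in frames:
        if not frame.startswith(ALLOCATOR_PREFIXES):
            return frame
    return None


if __name__ == "__main__":
    info = parse_address(ADDRESS_OUTPUT)
    print(f"region {info['base']:08x}-{info['end']:08x}, owning heap {info['owning_heap']:x}")
    entry = parse_heap_entry(HEAP_OUTPUT)
    print(f"block {entry['user_ptr']:08x} size {entry['user_size']:x} ({entry['state']})")
    print("allocated by:", allocating_caller(entry["frames"]))
```

The stack is walked innermost-first, so the search stops at msvcrt!__initstdio as soon as it leaves the allocator frames; the odd-looking frames further down the sample trace never influence the result.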