4

So I know that a memory address (eg: 12208e6c) is within a specific heap. Using windbg, is there a way to determine what the starting address for this heap is and which function was responsible for allocating it?

SivaDotRender
  • 1,581
  • 4
  • 21
  • 37

1 Answer

8

!address <address> gives you information about the heap an address is contained in:

0:005> !address 03051234
Usage:                  Heap
Base Address:           03050000
End Address:            0307c000
Region Size:            0002c000
State:                  00001000    MEM_COMMIT
Protect:                00000004    PAGE_READWRITE
Type:                   00020000    MEM_PRIVATE
Allocation Base:        03050000
Allocation Protect:     00000004    PAGE_READWRITE
More info:              heap owning the address: !heap 0x3050000
More info:              heap segment
More info:              heap entry containing the address: !heap -x 0x3051234

The "Base Address" is what you called the "starting address".

To find out who allocated that heap, you have to enable a feature called "Create user mode stack trace database" and set a buffer size in GFlags.

GFlags settings

After doing so, you can find out the allocation call stack like this:

0:005> !gflag
Current NtGlobalFlag contents: 0x00001000
    ust - Create user mode stack trace database

0:005> !heap -p -a 00591234
    address 00591234 found in
    _HEAP @ 590000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00590f28 0103 0000  [00]   00590f40    00800 - (busy)
          msvcrt!_iob
        7782e159 ntdll!RtlAllocateHeap+0x00000274
        7629ade8 msvcrt!_calloc_impl+0x00000136
        7629ae43 msvcrt!_calloc_crt+0x00000016
        762a1e48 msvcrt!__initstdio+0x0000000d
        762a1fc8 msvcrt!_cinit+0x0000001e
        762a1a94 msvcrt!_core_crt_dll_init+0x000001b2
        7629a48c msvcrt!_CRTDLL_INIT+0x0000001b
        777e92e0 ntdll!__RtlUserThreadStart+0x00000021
        777f061b ntdll!RtlpAllocateHeap+0x0000083a
        777f6d84 ntdll!LdrpInitializeProcess+0x0000137e
        777f583e ntdll!RtlSetEnvironmentVariable+0x00000020
        777e9809 ntdll!LdrpUpdateLoadCount2+0x00000047
Thomas Weller
  • 55,411
  • 20
  • 125
  • 222
  • For some reason when I do `!address` I get the following output. Why is this the case? `ProcessParametrs 00079758 in range 00079000 0007a000 Environment 047075b0 in range 04707000 04708000 121b0000 : 12208000 - 00001000 Type 00020000 MEM_PRIVATE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageIsVAD`
    – SivaDotRender Aug 29 '15 at 18:37
  • @SivaDotRender: is it a .NET application or using MSXML? – Thomas Weller Aug 29 '15 at 18:53
  • @SivaDotRender: it seems RegionUsageIsVAD only occurs in older versions of WinDbg. Which version do you use? See http://debugging.wellisolutions.de/windbg-versions/ – Thomas Weller Aug 29 '15 at 18:59
  • I am debugging WINWORD.EXE (MS word) so I believe it uses MSXML? And my current version of windbg is `6.11.0001.404 X86` – SivaDotRender Aug 29 '15 at 19:03
  • @SivaDotRender: Please upgrade your version of WinDbg to at least 6.2.9200. Even the Windows 10 version will still run on Windows 7 if you x-copy deploy it – Thomas Weller Aug 29 '15 at 19:06
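When this lookup has to be repeated for many addresses (for example while triaging a heap-corruption crash), it is handy to script it rather than read the debugger output by eye. The following is an added example, not code from the answer above or from WinDbg: it parses the two output shapes the answer shows, the modern key/value `!address` block and the `!heap -p -a` entry with its `ust` stack trace, checks that the queried address really lies inside the reported heap region, and picks out the first frame below the heap manager as the allocating caller. The sample text is constructed to match the answer's output; the older single-line `RegionUsageIsVAD` format from the comments is not handled.

```python
"""Parse WinDbg `!address` and `!heap -p -a` output (added example)."""
import re

# Constructed sample in the shape of a modern `!address <addr>` block.
ADDRESS_OUTPUT = """\
Usage:                  Heap
Base Address:           03050000
End Address:            0307c000
Region Size:            0002c000
State:                  00001000    MEM_COMMIT
Protect:                00000004    PAGE_READWRITE
Type:                   00020000    MEM_PRIVATE
Allocation Base:        03050000
Allocation Protect:     00000004    PAGE_READWRITE
More info:              heap owning the address: !heap 0x3050000
More info:              heap segment
More info:              heap entry containing the address: !heap -x 0x3051234
"""

# Constructed sample in the shape of `!heap -p -a <addr>` with the
# "Create user mode stack trace database" (ust) flag enabled.
HEAP_OUTPUT = """\
    address 00591234 found in
    _HEAP @ 590000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00590f28 0103 0000  [00]   00590f40    00800 - (busy)
          msvcrt!_iob
        7782e159 ntdll!RtlAllocateHeap+0x00000274
        7629ade8 msvcrt!_calloc_impl+0x00000136
        7629ae43 msvcrt!_calloc_crt+0x00000016
"""

HEX_FIELDS = ("Base Address", "End Address", "Region Size", "Allocation Base")


def parse_address(text):
    """Turn the 'Key:   value' lines of `!address` into a dict.

    Address and size fields become ints; the repeated 'More info' key is
    collected into a list so no line is silently overwritten.
    """
    info = {"More info": []}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?):\s+(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "More info":
            info["More info"].append(value)
        elif key in HEX_FIELDS:
            info[key] = int(value, 16)
        else:
            info[key] = value
    return info


def heap_region_for(text, address):
    """Return (base, end) when `address` lies inside the reported heap
    region, else None (wrong Usage or address outside the range)."""
    info = parse_address(text)
    if info.get("Usage") != "Heap":
        return None
    base, end = info["Base Address"], info["End Address"]
    return (base, end) if base <= address < end else None


# One HEAP_ENTRY row: entry addr, size, prev, [flags], user ptr, user size, state.
ENTRY_RE = re.compile(
    r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{4})\s+([0-9a-fA-F]{4})\s+"
    r"\[([0-9a-fA-F]{2})\]\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+-\s+\((\w+)\)\s*$"
)
# One stack frame: return address followed by module!symbol+offset.
FRAME_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+(\S+!\S+)\s*$")


def parse_heap_entry(text):
    """Extract heap handle, HEAP_ENTRY fields and the recorded allocation
    stack (list of (return_address, symbol)) from `!heap -p -a` output."""
    result = {"heap": None, "entry": None, "stack": []}
    for line in text.splitlines():
        m = re.match(r"^\s*_HEAP @ ([0-9a-fA-F]+)\s*$", line)
        if m:
            result["heap"] = int(m.group(1), 16)
            continue
        m = ENTRY_RE.match(line)
        if m:
            result["entry"] = {
                "entry": int(m.group(1), 16),
                "size": int(m.group(2), 16),
                "flags": int(m.group(4), 16),
                "user_ptr": int(m.group(5), 16),
                "user_size": int(m.group(6), 16),
                "state": m.group(7),
            }
            continue
        m = FRAME_RE.match(line)
        if m:
            result["stack"].append((int(m.group(1), 16), m.group(2)))
    return result


def allocating_function(text):
    """First frame below ntdll's own heap routines, i.e. the code that asked
    for the block. Returns None when no stack was recorded (ust not set)."""
    for _, sym in parse_heap_entry(text)["stack"]:
        if not sym.startswith("ntdll!Rtl"):
            return sym
    return None


if __name__ == "__main__":
    print(heap_region_for(ADDRESS_OUTPUT, 0x03051234))
    print(allocating_function(HEAP_OUTPUT))
```

The text would normally come from the debugger itself (for instance captured from a WinDbg log file or a scripting bridge); the constructed strings stand in for that here. Note that `allocating_function` skips only `ntdll!Rtl*` frames, so a CRT wrapper such as `msvcrt!_calloc_impl` is reported as the caller; walk further down the returned `stack` list if the application-level frame is what matters.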