
When we start an application under a debugger like Visual Studio 2013 or WinDbg, Windows will use the debug heap for it. However, it seems possible to turn that behavior off, as it's done in Visual Studio 2015 or WinDbg when started with the -hd command line switch.

Now there's ProcDump and it behaves like a debugger; in fact it can be installed as the AE postmortem debugger with the -i switch.

How can I find out whether running an application with ProcDump's -x switch will use the debug heap or not? There does not seem to be a command line option to change the behavior and I'm not sure whether it will respect the _NO_DEBUG_HEAP environment variable.

I thought that a debugger will use IDebugClient5::CreateProcess2() or IDebugClient5::CreateProcessAndAttach2() to start a process. It would pass _DEBUG_CREATE_PROCESS_OPTIONS in which CreateFlags can have the DEBUG_CREATE_PROCESS_NO_DEBUG_HEAP flag set.

So I used WinDbg and launched ProcDump under WinDbg. I then waited for the Debugger Engine module to be loaded (sxe ld dbgeng) so that I could set a breakpoint and watch it - but that module was never loaded.

Thomas Weller

1 Answer

cdb -c "!gflag;q" procdump.exe -x procdump.exe | grep -i -A 5 ntglob
Current NtGlobalFlag contents: 0x00000070
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking
quit:

Without debug heap:

cdb -hd -c "!gflag;q" procdump.exe -x procdump.exe | grep -i -A 5 ntglob
Current NtGlobalFlag contents: 0x00000000
quit:

If the debug heap is in use, ntdll!RtlDebugAllocateHeap is used; otherwise it is not.

Script contents:

cat testdbgheap.txt
bp ntdll!RtlDebugAllocateHeap "kb4;q"
g

With debug heap:

cdb -c "$$>a< testdbgheap.txt" -o -g procdump.exe -x foo.dmp "c:\Windows\System32\NETSTAT.EXE" -a
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
CommandLine: procdump.exe -x foo.dmp "c:\Windows\System32\NETSTAT.EXE" -a
ProcDump v7.1 - Writes process dump files
0:000> cdb: Reading initial command '$$>a< testdbgheap.txt'
ChildEBP RetAddr  Args to Child
0022f788 76eda376 00320000 40000062 0000000c ntdll!RtlDebugAllocateHeap
0022f86c 76ea5ae0 0000000c 00000000 00000000 ntdll!RtlpAllocateHeap+0xc4
0022f8f0 0096f5f1 00320000 40000060 0000000c ntdll!RtlAllocateHeap+0x23a
WARNING: Stack unwind information not available. Following frames may be wrong.
0022f910 0096fca0 0000000c 00000000 00000000 procdump+0xf5f1
quit:

Without debug heap:

cdb -hd -c "$$>a< testdbgheap.txt" -o -g procdump.exe -x foo.dmp "c:\Windows\System32\NETSTAT.EXE" -a
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
CommandLine: procdump.exe -x foo.dmp "c:\Windows\System32\NETSTAT.EXE" -a
ProcDump v7.1 - Writes process dump files
0:000> cdb: Reading initial command '$$>a< testdbgheap.txt'
[23:12:29] Dump 1 initiated: foo.dmp\NETSTAT.EXE_161108_231229.dmp
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.168.43.171:49464   stackoverflow:https    ESTABLISHED
[23:12:29] Dump count not reached.
0:000> q
quit:

ProcDump does not use dbgeng functions; it uses the Win32 API CreateProcessW (CreateFlags 0x7).

You can run Depends or dumpbin /imports to ascertain the imported modules.

dumpbin /imports procdump.exe | grep -i process
                    4 EnumProcessModules
                   C6 DebugActiveProcessStop
                   A8 CreateProcessW
                  1C0 GetCurrentProcess
                  380 OpenProcess
                  1DF GetExitCodeProcess
                  4C0 TerminateProcess
                  396 Process32FirstW
                  398 Process32NextW
                   C5 DebugActiveProcess
                  119 ExitProcess
                  24C GetProcessId
                  1C1 GetCurrentProcessId
                  3C3 ReadProcessMemory
                  304 IsProcessorFeaturePresent
                  24A GetProcessHeap
                  1A4 GetWindowThreadProcessId
                  212 OpenProcessToken

Stack on break:

cdb -c "bp kernel32!CreateProcessW \"ddu /c 1 @esp lc;q\";g" procdump.exe -x . netstat -a | grep -i quit -B 11
0178e340  00000000
0178e344  012acc30 ""netstat"  -a"
0178e348  00000000
0178e34c  00000000
0178e350  00000000
0178e354  00000007 CreateSuspended | debug process | debug only this
0178e358  00000000
0178e35c  00000000
0178e360  0178e3a0 "D" = 0x44 = sizeof(startupinfo)
0178e364  0178e390 ""
0178e368  00000000
quit:

UPDATE: checking the child process with WinDbg on ProcDump

cdb -hd -g -o -c "!handle 0 f Process;.tlist;q" procdump -x . calc
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
CommandLine: procdump -x . calc
ProcDump v7.1 - Writes process dump files
0:000> cdb: Reading initial command '!handle 0 f Process;.tlist;q'
Handle e8
  Type          Process
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Object Specific Information
    Process Id  2836
    Parent Process  2900
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1 handles of type Process
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 0n2860 cdb.exe
 0n2900 procdump.exe
 0n2836 calc.exe
blabb
  • Those are the flags that cdb uses, not the flags that ProcDump uses - or did I miss something? But I might create a dump using ProcDump and then check the flags in the dump if the debug heap is just the same as those flags – Thomas Weller Nov 08 '16 at 17:07
  • Running `!gflag` on the dumpfile created by `procdump -x . procdump` returns `Current NtGlobalFlag contents: 0x00000000` – Lieven Keersmaekers Nov 09 '16 at 10:35
  • @ThomasWeller -hd is applied to the debuggee, so the first procdump has no debug heap, and normally children inherit their parent's characteristics, but if you want it confirmed just ask windbg to break on .child process and check that, and you will notice it doesn't use the debug heap – blabb Nov 09 '16 at 16:01
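As an added example (not code from the question, the answer, or ProcDump), a Python/ctypes launcher that reproduces what the CreateProcessW stack above shows: it starts a target with creation flags 0x7, pumps debug events to ntdll's initial breakpoint, and reads PEB.NtGlobalFlag from the child, once with and once without _NO_DEBUG_HEAP, so the htc/hfc/hpc bits from !gflag can be checked without a debugger. It assumes a Windows host, the same bitness for launcher and target, and the standard PEB.NtGlobalFlag offsets (0x68 on x86, 0xBC on x64); the netstat command line and the flag names are constructed for the example.

```python
import ctypes, os, struct

# Values from the answer: CreateProcessW flags 0x7 and the !gflag heap bits htc/hfc/hpc (0x70).
DEBUG_PROCESS, DEBUG_ONLY_THIS_PROCESS, CREATE_SUSPENDED = 0x1, 0x2, 0x4
HEAP_DEBUG_BITS = {0x10: "htc", 0x20: "hfc", 0x40: "hpc"}  # FLG_HEAP_ENABLE_TAIL_CHECK etc.
NTGLOBALFLAG_OFFSET = 0xBC if struct.calcsize("P") == 8 else 0x68  # PEB.NtGlobalFlag (x64 / x86)
HANDLE, DWORD = ctypes.c_void_p, ctypes.c_uint32

def decode_nt_global_flag(value):
    """Names of the heap-debug flags set in an NtGlobalFlag value, e.g. 0x70 -> htc, hfc, hpc."""
    return [name for bit, name in sorted(HEAP_DEBUG_BITS.items()) if value & bit]

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE), ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

class DEBUG_EVENT(ctypes.Structure):  # union over-padded; only the header fields are used
    _fields_ = [("code", DWORD), ("pid", DWORD), ("tid", DWORD), ("u", ctypes.c_byte * 256)]

def child_nt_global_flag(cmdline, no_debug_heap=False):
    """Launch cmdline like ProcDump -x (flags 0x7), run it to ntdll's initial breakpoint
    (process heap already created) and read PEB.NtGlobalFlag from the child. Windows only."""
    os.environ.pop("_NO_DEBUG_HEAP", None)
    if no_debug_heap:
        os.environ["_NO_DEBUG_HEAP"] = "1"  # inherited by the child; ntdll checks it at startup
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    si = ctypes.create_string_buffer(104 if struct.calcsize("P") == 8 else 68)  # STARTUPINFOW
    struct.pack_into("I", si, 0, len(si))  # .cb (the 0x44 seen on the x86 stack in the answer)
    pi, ev = PROCESS_INFORMATION(), DEBUG_EVENT()
    if not k32.CreateProcessW(None, ctypes.create_unicode_buffer(cmdline), None, None, False,
                              DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | CREATE_SUSPENDED,
                              None, None, si, ctypes.byref(pi)):
        raise ctypes.WinError()
    try:
        k32.ResumeThread(HANDLE(pi.hThread))
        while k32.WaitForDebugEvent(ctypes.byref(ev), 10000):
            if ev.code == 1:  # EXCEPTION_DEBUG_EVENT: the initial breakpoint
                break
            k32.ContinueDebugEvent(ev.pid, ev.tid, 0x10002)  # DBG_CONTINUE
        else:
            raise RuntimeError("child never reached its initial breakpoint")
        pbi = (ctypes.c_void_p * 6)()  # PROCESS_BASIC_INFORMATION; [1] is PebBaseAddress
        ntdll.NtQueryInformationProcess(HANDLE(pi.hProcess), 0, pbi, ctypes.sizeof(pbi), None)
        flag = DWORD()
        k32.ReadProcessMemory(HANDLE(pi.hProcess), ctypes.c_void_p(pbi[1] + NTGLOBALFLAG_OFFSET),
                              ctypes.byref(flag), ctypes.c_size_t(4), None)
        return flag.value
    finally:
        k32.TerminateProcess(HANDLE(pi.hProcess), 0)
        k32.DebugActiveProcessStop(pi.dwProcessId)

if __name__ == "__main__":
    v = child_nt_global_flag("netstat -a")  # pass no_debug_heap=True for the _NO_DEBUG_HEAP case
    print(hex(v), decode_nt_global_flag(v))
```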