Documentation des options de gflags.exe
Tous les flags de gflags
Gflags : Enable page heap Full/Standard
enable heap checking
La structure des blocs mémoire quand quand le page heap est activé
appverifier The Structure of a Page Heap Block
Corrupted Infix Pattern For Freed Block
Pour les systèmes 64 bits, cela semble ne pas bien marcher :
UST and 64 Bit Machines Procmon showed the OS was looking here: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Try setting the key under Wow6432Node as well. The point of the article was that it’s tricky and not always consistent which key will be consulted for a 32 bit app running on a 64 bit OS, so you should set both to be sure.
!gflags and !gflag kernel debugger commands to view the state of the NtGlobalFlag
Advanced Windows Debugging: Memory Corruption Part II—Heaps !heap -p -a Address dt _DPH_BLOCK_INFORMATION Adresse_mem-0x20 dds StackTrace
Liste des commande de Windbg
x [Options] Module!Symbol Examine symbols that match the specified pattern
x Module!* Affiche tous les symboles d’un module
Document des switch !heap !heap -srch [-b|-w|-d|-q] PATTERN searches for the given pattern.
Des trucs pour winddbg cdb.exe -c « !heap -h 0;q » -z prg.dmp > heap.log to get all heap allocations. if your objects have vtables, just use the dds command to seek some of the heap allocations.
http://blogs.msdn.com/slavao/archive/2005/01/30/363428.aspx : Sortir la pile de l’appel qui a provoqué l’exception
Reconstituer la pile d’appel après qu’elle ait été corrompue : the call stack information is stored in teb (thread environment block).
~
. 0 Id: a550.a5a8 Suspend: 1 Teb: 7ffdf000 Unfrozen
dds 7ffdf000
7ffdf000 0012ff88 00130000 00126000 00000000
7ffdf010 00001e00 00000000 7ffdf000 00000000
where 00130000 is the stack base address and 00126000 is stack limited
0:000> dd 00130000-250 00130000
Because our program’s address space is between 00400000 00419000, we just check address in call stack and between 00400000 00419000
ln 004112f2
(004112e0) stackIssue1!foo2+0x12 | (00411310) stackIssue1!foo1
Umdh.exe set _NT_SYMBOL_PATH. Turn on stack tracing using: ‘gflags -i
Two Minute Drill: UMDH.EXE
tlist
umdh –p:pid –f:before.txt
umdh –p:pid –f:before.txt
set NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
umdh [-d] before.txt after.txt > result.txt
Another alternative is to use LeakDiag
Windows Debuggers: Part 1: A WinDbg Tutorial
WinDbg cheat sheet
Windbg: Conditional Breakpoints with string pattern
Pour exécuter un fichier : bp driver!functionName « $$< C:\\debugCommands.txt"
Instruction conditionnelle : .if ( $spat( "${MyAlias}", "*str*" ) != 0 ) { g }
Debugger flow control: Using conditional breakpoints (part 3)
Plusieurs instructions : bp kernel32!CreateFileW « du poi(@esp+4);kv;gu;? @eax; g »
SetThreadContext peut désactiver les breakpoint hardware mais cela se corrige voir la méthode
How to use a symbol server with the Visual Studio .NET debugger Symbol server avec VS 2003
Commentaires