Find all C++ objects of type X on the heap using WinDbg

I am trying to find all objects of type module!SomeClass on the heap. I thought a command like this would work:

> s -v 0 L?0xfffffff module!SomeClass

but alas, it does not. If I knew how to find the vtable address for this class, I could search memory for references to that vtable, but I have had no luck finding it either. How can I do this?

0:000> x module!SomeClass*table*
0:000> !heap -srch 'address_of_vtable'
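/// Base class of the sample hierarchy.
///
/// It declares one virtual function, so the compiler emits a vtable for it
/// and for every class derived from it, and each object stores a pointer to
/// its class's vtable.
///
/// NOTE(review): there is no virtual destructor. Nothing in this sample
/// deletes through a Polygon*, but doing so with a derived object would be
/// undefined behaviour.
class Polygon {
protected:
    // Default member initialisers: a default-initialised object (for example
    // a local declared without braces) would otherwise hold indeterminate
    // values that the derived area() overrides read.
    int width{0};
    int height{0};
public:
    /// @return The area of the shape; the base class has no shape, so 0.
    virtual int area()
    {
        return 0;
    }
};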

/// Rectangle specialisation of Polygon.
class Rectangle : public Polygon {
public:
    /// @return width multiplied by height (both inherited from Polygon).
    int area() override
    {
        const int product = width * height;
        return product;
    }
};

/// Triangle specialisation of Polygon.
class Triangle : public Polygon {
public:
    /// @return Half of width * height, using integer division, so an odd
    ///         product is truncated.
    int area() override
    {
        const int product = width * height;
        return product / 2;
    }
};


// Multiple inheritance: Rectangle is a public base. Triangle is listed without
// an access specifier, which for a `class` means private; it is spelled out
// here.
// The class gets one vtable per base class (two in total), and every object
// holds one vtable pointer per base subobject. This is why a search for either
// vtable address finds the same object.
class RectangleTriangle : public Rectangle, private Triangle
{
public:
    /// Overrides area() for both base subobjects.
    /// @return The constant 232.
    int area() override
    {
        return 232;
    }
};

/// Creates one object on the heap and two on the stack so that their storage
/// can be compared in the debugger.
int main() {
    // Heap allocation that is never deleted, presumably so the object is
    // still live when the process is inspected. Only this object lives in a
    // heap block.
    auto* rect = new RectangleTriangle();

    // Automatic (stack) objects: they carry vtable pointers too, but they are
    // not heap allocations.
    Triangle trgl;
    Polygon poly;

    return 0;
}

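For the sample above, first list the vtable symbols of the class, then search the heap for each vtable address. RectangleTriangle has two vtables, one per base class. Only heap allocations are searched, so the Triangle and Polygon objects that main creates on the stack will not show up.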

0:000> x Win32Sample!RectangleTriangle*table*
00007ff7`81ed3288 Win32Sample!RectangleTriangle::`vftable' = <function> *[2] <-- one for each base class
00007ff7`81ed3278 Win32Sample!RectangleTriangle::`vftable' = <function> *[2] <-- one for each base class

0:000> !heap -srch 00007ff7`81ed3288  // <-- We are asking !heap "who owns a pointer to this vtable in the entire process heap"
    _HEAP @ 1e5ed710000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000001e5ed716620 0006 0000  [00]   000001e5ed716630    00021 - (busy)
          Win32Sample!RectangleTriangle::`vftable'

0:000> !heap -srch 00007ff7`81ed3278 // <-- We are asking !heap "who owns a pointer to this vtable in the entire process heap"
    _HEAP @ 1e5ed710000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000001e5ed716620 0006 0000  [00]   000001e5ed716630    00021 - (busy)
          Win32Sample!RectangleTriangle::`vftable'

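Both searches report the same heap entry. UserPtr, 000001e5ed716630, is the start of the block's user data, and here it is also the start of the object that holds both vtable pointers. A hit only means that the block contains the vtable address, so confirm each candidate with dt before treating it as a live object of that type: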

0:000> dt Win32Sample!RectangleTriangle 000001e5ed716630
   +0x000 __VFN_table : 0x00007ff7`81ed3278 
   +0x008 width            : 0n0
   +0x00c height           : 0n0
   +0x010 __VFN_table : 0x00007ff7`81ed3288 
   +0x018 width            : 0n0
   +0x01c height           : 0n0

s vtable , !!!


Source: https://habr.com/ru/post/1751880/

