!heap -p -a vs !heap -x

For many years I have used !heap -p -a for various tasks. Now I am starting to debug Win8 using WinDbg 6.2.9200, found in the latest version of the Win8 SDK.

Here I discovered that !heap -p -a does not always work, and that the output from !address "advertises" using !heap -x (see below).

After reading a bunch - ?, I cannot understand the difference! Who knows the difference?

What command do you use to view heap block details?

    0:008> !address 335168f8
    <cut cut>
    Usage:                  Heap
    Base Address:           32b43000
    End Address:            33540000
    Region Size:            009fd000
    State:                  00001000 MEM_COMMIT
    Protect:                00000004 PAGE_READWRITE
    Type:                   00020000 MEM_PRIVATE
    Allocation Base:        32570000
    Allocation Protect:     00000004 PAGE_READWRITE
    More info:              heap owning the address: !heap 0xa80000
    More info:              heap segment
    More info:              heap entry containing the address: !heap -x 0x335168f8

    0:008> !heap -x 0x335168f8
    Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
    -----------------------------------------------------------------------------
    335168f0  335168f8  00a80000  32570000        30        30        1c  busy extra fill

    0:008> !heap -p -a 0x335168f8
    0:008> .echo "nothing !!"
    nothing !!
+6
1 answer

WinDbg uses a different heap information lookup mechanism depending on which flag you use.

The -p flag tells it that you have enabled Page Heap through gflags.exe or the like. When Page Heap is turned on, Windows maintains a separate set of structures (_DPH_HEAP_ROOT and co) for tracking allocations. If PageHeap is not enabled, there will be no such structures, so you will not get any output. I also expect -p -a to just search backwards from the address to try and find the _DPH_HEAP_BLOCK which describes the allocation.

The -x flag tells WinDbg to work with the _HEAP / _HEAP_ENTRY structures that Windows uses to track allocations. This set of structures describes all active allocations that have passed through the standard allocators (for example, malloc, new, LocalAlloc, HeapAlloc, etc.).

There are some great articles on the internals of the Windows heap allocators. I really like the article Chris Valasek (@nudehaberdasher) did a few years ago on the Low Fragmentation Heap that was implemented on Windows 7 (and the principles still apply in Win8).

+3
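An added example, not part of the original question or answer: a small Python helper that parses a saved WinDbg transcript like the one in the question and reports which of the two lookups returned data. The function names are hypothetical, the transcript is copied from the question, and reading empty !heap -p -a output as "no page-heap metadata for this address" follows the answer's explanation.

```python
import re

# Transcript copied from the question above.
TRANSCRIPT = """\
0:008> !heap -x 0x335168f8
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
335168f0  335168f8  00a80000  32570000        30        30        1c  busy extra fill
0:008> !heap -p -a 0x335168f8
0:008> .echo "nothing !!"
nothing !!
"""

PROMPT = re.compile(r"^\d+:\d+>\s*(.*)$")
# Four 8-digit hex columns, three hex size columns, then free-form flags.
ROW = re.compile(r"^((?:[0-9a-f]{8}\s+){4})([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(.*)$", re.I)
KEYS = ("entry", "user", "heap", "segment", "size", "prev_size", "unused")

def split_commands(transcript):
    """Return [(command, [non-empty output lines])], one item per debugger prompt."""
    out = []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            out.append((m.group(1).strip(), []))
        elif out and line.strip():
            out[-1][1].append(line)
    return out

def parse_heap_x(lines):
    """Parse the data row of !heap -x output; header and ruler lines do not match."""
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            values = m.group(1).split() + [m.group(2), m.group(3), m.group(4)]
            rec = {k: int(v, 16) for k, v in zip(KEYS, values)}
            rec["flags"] = m.group(5).split()
            # Distance from the _HEAP_ENTRY header to the user pointer.
            rec["header_bytes"] = rec["user"] - rec["entry"]
            return rec
    return None

def triage(transcript):
    """Report what each lookup returned: NT heap (-x) and page heap (-p -a)."""
    result = {"nt_heap": None, "page_heap_metadata": False}
    for cmd, lines in split_commands(transcript):
        if cmd.startswith("!heap -x"):
            result["nt_heap"] = parse_heap_x(lines)
        elif cmd.startswith("!heap -p -a"):
            # No output lines: nothing in the page-heap structures matched.
            result["page_heap_metadata"] = bool(lines)
    return result
```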

Source: https://habr.com/ru/post/953560/

