1. Enable the relevant gflags for the target image (for heap corruption, page heap: `gflags /p /enable svchost.exe /full` or `gflags /i svchost.exe +hpa`). Image-file flags only apply to processes started after they are set, so restart the service afterwards. Caveat: for a service hosted in svchost.exe the flag is keyed on the image name and therefore affects every svchost instance on the machine.
2. Attach the debugger to the target process (here the svchost.exe instance hosting dhcpssvc).
3. When the exception fires, write a full dump: `.dump /ma c:\xxx.dmp`
4. Analyze the dump (below). Note that this particular dump reports `NTGLOBALFLAG: 0` and `!heap -p` says "No GlobalFlag bits active for this process", so page heap was NOT active when it was captured: the faulting instruction is where the heap manager tripped over already-corrupted metadata, not where the corrupting write happened. To break at the actual out-of-bounds write, repeat step 1 with page heap enabled and reproduce.
0:013> !analyze -v
FAULTING_IP:
ntdll!RtlpAllocateHeap+e83
00000000`77413fcf 4d8b4b08 mov r9,qword ptr [r11+8]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000077413fcf (ntdll!RtlpAllocateHeap+0x0000000000000e83)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
PROCESS_NAME: svchost.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: ffffffffffffffff
FOLLOWUP_IP:
DHCPDLL!operator new+1f [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\new.cpp @ 59]
00000000`745c4faf 4885c0 test rax,rax
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
LAST_CONTROL_TRANSFER: from 0000000000000000 to 00000000774879d8
FAULTING_THREAD: ffffffffffffffff
DEFAULT_BUCKET_ID: STATUS_ACCESS_VIOLATION
PRIMARY_PROBLEM_CLASS: STATUS_ACCESS_VIOLATION
BUGCHECK_STR: APPLICATION_FAULT_STATUS_ACCESS_VIOLATION
STACK_TEXT:
00000000`774879d8 ntdll!RtlpAnalyzeHeapFailure
00000000`7741fa23 ntdll!RtlpAllocateHeap
00000000`77413518 ntdll!RtlAllocateHeap
00000000`745c14c3 DHCPDLL!malloc
00000000`745c4faf DHCPDLL!operator new
00000000`745cd39f DHCPDLL!DhcpDllNewPktHook
000007fe`f51ed5e7 dhcpssvc!ProcessReceivedPacket
00000000`772b652d kernel32!BaseThreadInitThunk
00000000`773ec521 ntdll!RtlUserThreadStart
FAULTING_SOURCE_CODE:
No source found for 'f:\dd\vctools\crt_bld\self_64_amd64\crt\src\new.cpp'
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: DHCPDLL!operator new+1f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: DHCPDLL
IMAGE_NAME: DHCPDLL.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5350b42c
STACK_COMMAND: !heap ; dds 774fb4b8 ; kb
FAILURE_BUCKET_ID: STATUS_ACCESS_VIOLATION_c0000005_DHCPDLL.dll!operator new
BUCKET_ID: X64_APPLICATION_FAULT_STATUS_ACCESS_VIOLATION_DHCPDLL!operator_new+1f
Followup: MachineOwner
---------
// List every heap in the current process (with its flags).
0:013> !heap -p
No GlobalFlag bits active for this process
active heaps:
- 250000
HEAP_GROWABLE
- 10000
HEAP_CLASS_8
- 4b0000
HEAP_GROWABLE HEAP_CLASS_1
- 1310000
HEAP_GROWABLE HEAP_CLASS_1
- 4a0000
HEAP_GROWABLE HEAP_CLASS_1
- 1530000
HEAP_GROWABLE HEAP_CLASS_1
- 5de0000
HEAP_GROWABLE HEAP_CLASS_1
- 62e0000
HEAP_GROWABLE HEAP_CLASS_1
// Walk the allocations of heap 5de0000. The register dump at the end shows rbx=5de0000 at the fault, so this is presumably the heap RtlpAllocateHeap was operating on when it faulted.
0:013> !heap -p -h 5de0000
_HEAP @ 5de0000
No FrontEnd
_HEAP_SEGMENT @ 5de0000
CommittedRange @ 5de0a80
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
* 0000000005de0a80 0086 0000 [00] 0000000005de0a90 00850 - (busy)
0000000005de12e0 002d 0086 [00] 0000000005de12f0 002c8 - (busy)
0000000005de15b0 0011 002d [00] 0000000005de15c0 00100 - (busy)
0000000005de16c0 0002 0011 [00] 0000000005de16d0 00001 - (busy)
0000000005de16e0 0002 0002 [00] 0000000005de16f0 00001 - (busy)
0000000005de1700 0003 0002 [00] 0000000005de1710 00020 - (free)
0000000005de1730 0002 0003 [00] 0000000005de1740 00008 - (busy)
0000000005de1750 002d 0002 [00] 0000000005de1760 002c8 - (busy)
0000000005de1a20 000d 002d [00] 0000000005de1a30 000c0 - (free)
0000000005de1af0 00b1 000d [00] 0000000005de1b00 00b00 - (busy)
0000000005de2600 0023 00b1 [00] 0000000005de2610 00220 - (busy)
0000000005de2830 0006 0023 [00] 0000000005de2840 0004e - (busy)
0000000005de2890 0012 0006 [00] 0000000005de28a0 00110 - (busy)
0000000005de29b0 0003 0012 [00] 0000000005de29c0 0001f - (busy)
0000000005de29e0 0005 0003 [00] 0000000005de29f0 00042 - (busy)
0000000005de2a30 0004 0005 [00] 0000000005de2a40 00031 - (busy)
0000000005de2a70 0005 0004 [00] 0000000005de2a80 0003c - (busy)
0000000005de2ac0 0004 0005 [00] 0000000005de2ad0 00031 - (busy)
0000000005de2b00 0003 0004 [00] 0000000005de2b10 0001d - (busy)
0000000005de2b30 0003 0003 [00] 0000000005de2b40 00024 - (busy)
0000000005de2b60 0002 0003 [00] 0000000005de2b70 00014 - (busy)
0000000005de2b80 0005 0002 [00] 0000000005de2b90 00045 - (busy)
0000000005de2bd0 0002 0005 [00] 0000000005de2be0 00017 - (busy)
0000000005de2bf0 0002 0002 [00] 0000000005de2c00 0000e - (busy)
0000000005de2c10 0008 0002 [00] 0000000005de2c20 00069 - (busy)
0000000005de2c90 0005 0008 [00] 0000000005de2ca0 0003e - (busy)
0000000005de2ce0 0003 0005 [00] 0000000005de2cf0 0001d - (busy)
0000000005de2d10 0005 0003 [00] 0000000005de2d20 00048 - (busy)
0000000005de2d60 0002 0005 [00] 0000000005de2d70 00012 - (busy)
0000000005de2d80 0002 0002 [00] 0000000005de2d90 00018 - (busy)
0000000005de2da0 0003 0002 [00] 0000000005de2db0 0001b - (busy)
0000000005de2dd0 0003 0003 [00] 0000000005de2de0 0001e - (busy)
0000000005de2e00 0004 0003 [00] 0000000005de2e10 00029 - (busy)
0000000005de2e40 0003 0004 [00] 0000000005de2e50 0001e - (busy)
0000000005de2e70 0005 0003 [00] 0000000005de2e80 00041 - (busy)
0000000005de2ec0 0002 0005 [00] 0000000005de2ed0 00017 - (busy)
0000000005de2ee0 0002 0002 [00] 0000000005de2ef0 0000f - (busy)
0000000005de2f00 0002 0002 [00] 0000000005de2f10 00016 - (busy)
0000000005de2f20 0004 0002 [00] 0000000005de2f30 00035 - (busy)
0000000005de2f60 0004 0004 [00] 0000000005de2f70 00034 - (busy)
0000000005de2fa0 0002 0004 [00] 0000000005de2fb0 00012 - (busy)
0000000005de2fc0 0003 0002 [00] 0000000005de2fd0 0001a - (busy)
0000000005de2ff0 0004 0003 [00] 0000000005de3000 00036 - (busy)
0000000005de3030 0002 0004 [00] 0000000005de3040 00012 - (busy)
0000000005de3050 0002 0002 [00] 0000000005de3060 00018 - (busy)
0000000005de3070 0005 0002 [00] 0000000005de3080 00046 - (busy)
0000000005de30c0 0101 0005 [00] 0000000005de30d0 01000 - (busy)
DHCPDLL!_iob
0000000005de40d0 002d 0101 [00] 0000000005de40e0 002c8 - (busy)
0000000005de43a0 002d 002d [00] 0000000005de43b0 002c8 - (busy)
0000000005de4670 002d 002d [00] 0000000005de4680 002c8 - (busy)
0000000005de4940 002d 002d [00] 0000000005de4950 002c8 - (busy)
0000000005de4c10 002d 002d [00] 0000000005de4c20 002c8 - (busy)
0000000005de4ee0 002d 002d [00] 0000000005de4ef0 002c8 - (busy)
0000000005de51b0 002d 002d [00] 0000000005de51c0 002c8 - (busy)
0000000005de5480 002d 002d [00] 0000000005de5490 002c8 - (busy)
0000000005de5750 038b 002d [00] 0000000005de5760 038a8 - (busy)
// Heap corruption: the walk aborts here. The last entry at 5de5750 claims a size of 0x38b units (0x38b0 bytes), which ends exactly at 5de9000, the first unreadable address — consistent with a corrupted size field walking the chain past committed memory (confirm with `!address 5de9000`; `!heap -v 5de0000` validates the entry chain). The `!heap -p -a 5de9000` below faults inside the extension for the same reason: the page is not committed. In the register dump at the end, r11=ad5650000000014b is the entry pointer being dereferenced (`mov r9,[r11+8]`); its high bytes are not a valid user-mode address, i.e. the heap-entry header was overwritten with non-pointer data. rdi=5de5fc0 / rdx=5de5fd0 lie inside the range the 5de5750 entry claims, which suggests that entry's real size is smaller than its header now says — unconfirmed without page heap. The RtlpAnalyzeHeapFailure frame in the stack means the heap manager detected the damage; the overwriting code is elsewhere and not identified by this dump.
ReadMemory error for address 0000000005de9000
Use `!address 0000000005de9000' to check validity of the address.
0:013> !heap -p -a 0000000005de9000
c0000005 Exception in ext.heap debugger extension.
PC: 00000000`01c2917e VA: 00000000`00000030 R/W: 0 Parameter: 00000000`0001003f
0:013> r
rax=006f004400200020 rbx=0000000005de0000 rcx=0000000005de0208
rdx=0000000005de5fd0 rsi=0000000001003828 rdi=0000000005de5fc0
rip=0000000077413fcf rsp=000000000a20f250 rbp=0000000000000000
r8=000000000000014a r9=0000000000000160 r10=0000000000000000
r11=ad5650000000014b r12=0000000000000004 r13=0000000000000016
r14=0000000000000002 r15=00000000774d5401
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll!RtlpAllocateHeap+0xe83:
00000000`77413fcf 4d8b4b08 mov r9,qword ptr [r11+8] ds:ad565000`00000153=????????????????