Examine, a memory leak checker on Windows
vtorri / examine
License: GNU Lesser General Public License v3.0
Thanks for this superb tool.
I am using the examine_memcheck::exm_mc_run() as a dll injection mechanism for processes created in suspended mode. The code works flawlessly for 32 bit process but for 64 bit processes I am getting the following message:
(487) Attempt to access invalid address.
I have checked this for calc.exe on 64 bit Windows 7 machine. The injection was performed from a 64 bit process and target was also 64 bit process. The complete message was:
Can not protect page 0x000000010001B9B8 in process handle 0x0000000000000064 failed: ( 487) Attempt to access invalid address.
I have used the dumpbin utility to verify the entry point and it appears to be correctly calculated (see the part of dumpbin output below).
The code crashes in method exm_process_entry_point_patch() at the very first VirtualProtectEx. Any suggestion to correct it? Thanks.
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (x64)
6 number of sections
4A5BC9D4 time date stamp Tue Jul 14 05:27:08 2009
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large (>2GB) addresses
OPTIONAL HEADER VALUES
20B magic # (PE32+)
9.00 linker version
60E00 size of code
7F200 size of initialized data
0 size of uninitialized data
1B9B8 entry point (000000010001B9B8)
1000 base of code
100000000 image base (0000000100000000 to 00000001000E2FFF)
1000 section alignment
200 file alignment
6.01 operating system version
6.01 image version
6.01 subsystem version
0 Win32 version
E3000 size of image
600 size of headers
So, I got the process ID working. I guess the issue I'm having now is just that your tool has too many features :) I need to strip it down to simply do the PE patching and unpatching.
I think the functions I need are held in examine_process and examine_file and examine_PE, so I'm working on re-writing some of the functions to work with Stephen Fewer's dll injection.
Ok, I'll create the 1st issue.
Running a command like in a 4NT.EXE shell:
examine --tool=depends --list examine.exe |& most
Or using the horrid CMD.EXE syntax:
examine --tool=depends --list examine.exe 2>&1 | most
causes the output from stderr to be put last. I'd rather have that intermingled with the normal stdout output to better see where the problem is.
There also seems to be another fflush() (or newline?) problem. The above command could output:
IPHLPAPI.DLL (dl, f)
api-ms-win-security-lsalookup-l1-1-1.dll (dl, f) api-ms-win-service-management-l1-1-0.dll (d, f)
I.e. both on the same line. This is with MSVC-2015 in debug-mode.
As the subject says; trying to check the dependencies on a non-PE, it crashes due to:
pe->nt_header = (IMAGE_NT_HEADERS *)((unsigned char *)dos_header + dos_header->e_lfanew);
if (pe->nt_header->Signature != IMAGE_NT_SIGNATURE)
(line 167). The above could access memory outside the memory-mapped area.
An example of an old file: http://www.watt-32.net/misc/DISKSAVE.EXE.
I've fixed it here by:
--- a/examine_pe.c 2016-01-07 13:36:31
+++ b/examine_pe.c 2016-01-13 22:32:29
@@ -117,6 +117,25 @@
* API *
*============================================================================*/
+/**
+ * @brief Examine a dos_header and return a pointer
+ * to the memory-mapped 'IMAGE_NT_HEADERS'.
+ *
+ */
+static IMAGE_NT_HEADERS*
+get_nt_header (const IMAGE_DOS_HEADER *dos_header, DWORD size)
+{
+ const unsigned char *tmp1 = (const unsigned char*)dos_header + dos_header->e_lfanew;
+ const IMAGE_NT_HEADERS *tmp2;
+
+ if (tmp1 - sizeof(*tmp1) > (const unsigned char*)dos_header + size)
+ return (NULL);
+
+ tmp2 = (IMAGE_NT_HEADERS *) tmp1;
+ if (tmp2->Signature != IMAGE_NT_SIGNATURE)
+ return (NULL);
+ return (IMAGE_NT_HEADERS*) tmp2;
+}
/**
* @brief Return a new #Exm_Pe object.
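Review bot: the bounds test in get_nt_header(), "if (tmp1 - sizeof(*tmp1) > (const unsigned char*)dos_header + size)", does not keep the Signature read inside the map. tmp1 is an unsigned char pointer, so sizeof(*tmp1) is 1, not the size of the NT headers; an e_lfanew equal to size (or size + 1) passes the test and tmp2->Signature is then read past the end of the mapping. e_lfanew is a signed LONG in the Windows headers, so a negative value puts tmp1 before dos_header and passes as well. Suggest comparing offsets instead of pointers: after checking size >= sizeof(IMAGE_NT_HEADERS), reject e_lfanew < 0 and e_lfanew > size - sizeof(IMAGE_NT_HEADERS). Minor: the helper takes a const pointer and casts const away on return, and the doc comment has no @param or @return.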
@@ -163,8 +182,8 @@
goto del_pe_map;
}
- pe->nt_header = (IMAGE_NT_HEADERS *)((unsigned char *)dos_header + dos_header->e_lfanew);
- if (pe->nt_header->Signature != IMAGE_NT_SIGNATURE)
+ pe->nt_header = get_nt_header (dos_header, exm_map_size_get(pe->map));
+ if (!pe->nt_header)
{
EXM_LOG_ERR("not a valid NT header");
goto del_pe_map;
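Review bot: at the call site, "get_nt_header (dos_header, exm_map_size_get(pe->map))" dereferences dos_header->e_lfanew before any size test, so it relies on an earlier check that the map holds a full IMAGE_DOS_HEADER; the visible context does not show one, so confirm it exists or move that check into the helper. The size parameter is a DWORD, so check the return type of exm_map_size_get() to rule out truncation. The single "not a valid NT header" message now covers both an out-of-range e_lfanew and a wrong signature; separate messages would make the non-PE case from this report easier to diagnose.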
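Added example (not part of the original report or of the Examine code base): an offset-based version of the e_lfanew check discussed in this issue, written without windows.h so it builds anywhere. The function and macro names are hypothetical, and requiring 24 bytes (Signature plus IMAGE_FILE_HEADER) at the target offset is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PE/COFF layout constants; the macro names are local to this example. */
#define DOS_HEADER_SIZE 64u   /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET 0x3Cu /* offset of e_lfanew in the DOS header */
#define NT_MIN_SIZE     24u   /* assumed minimum: Signature + IMAGE_FILE_HEADER */

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return the offset of the NT headers inside map[0..size), or -1 if the
 * file is not a PE image or e_lfanew points outside the mapped bytes. */
long nt_header_offset(const unsigned char *map, size_t size)
{
    uint32_t raw;

    if (map == NULL || size < DOS_HEADER_SIZE) /* e_lfanew must be mapped */
        return -1;
    if (map[0] != 'M' || map[1] != 'Z')
        return -1;
    raw = rd_le32(map + E_LFANEW_OFFSET);
    if (raw > 0x7FFFFFFFu)           /* e_lfanew is signed: reject negatives */
        return -1;
    /* Compare offsets, not pointers; size >= 64 here, so no wrap-around. */
    if (raw > size - NT_MIN_SIZE)
        return -1;
    if (memcmp(map + raw, "PE\0\0", 4) != 0)
        return -1;
    return (long)raw;
}

/* Constructed sample input: an "MZ" buffer (size >= 64) with the given
 * e_lfanew, and "PE\0\0" written at pe_at when it fits. */
void make_sample(unsigned char *buf, size_t size, uint32_t lfanew, size_t pe_at)
{
    int i;

    memset(buf, 0, size);
    buf[0] = 'M';
    buf[1] = 'Z';
    for (i = 0; i < 4; i++)
        buf[E_LFANEW_OFFSET + i] = (unsigned char)(lfanew >> (8 * i));
    if (pe_at + 4 <= size)
        memcpy(buf + pe_at, "PE\0\0", 4);
}
```

An old DOS executable typically fails at the range test or the signature compare, and in both cases nothing outside the mapping is read.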