Yesterday and today I have been looking at dumps. WinDbg is still quite unfamiliar to me, but I am slowly getting to know some commonly used commands. A few weeks ago I heard that there is a tool called gflags, and today I tested it.
gflags.exe is a small tool in the Debugging Tools for Windows package.
Download link: http://msdn.microsoft.com/en-us/windows/hardware/gg463016
Once installed, add the folder that contains gflags (it also holds a lot of other useful tools) to the PATH environment variable so that it is easy to use from the command line. (My Computer --> right-click --> Advanced --> Environment Variables --> System variables --> Path)
At the cmd prompt, enter: cdb -iae
This sets CDB as the default JIT (just-in-time) debugger, so execution stops in the debugger when a program run from the command line crashes.
(The last piece of learning material in this article is quite good.)
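Test program:
///////////////////////////////////////////////////////////////////////////////////
int main()
{
    char *p = new char[10];
    // The loop bound is missing from the source text; 11 is assumed here so that
    // the loop reaches i = 10, the out-of-bounds write described below.
    for (int i = 0; i != 11; ++i)
        p[i] = i;
    return 0;
}
///////////////////////////////////////////////////////////////////////////////////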
This is a very simple out-of-bounds program: when i = 10, the write goes past the end of the array. Without a testing tool, however, it does not crash. In general the program receives 16-byte-aligned space, so p[10] lands in the padding added by the alignment and does not cause a crash. It is still a hidden defect, and using a tool is a good way to expose such defects as early as possible.
GFlags is used to track the execution of this program. It can make every newly allocated heap block occupy its own space, with the adjacent location marked inaccessible, so that an out-of-bounds access immediately triggers an access violation and the crash happens early.
The test process is as follows:
1. Compile a release build of the executable with VC: test.exe. (Note: not a debug build.)
2. Register the executable to be monitored, test.exe, with gflags.
At the cmd prompt, enter: gflags /p /enable test.exe /full /unaligned
Press Enter; the following information is displayed:
*************************************************************************************
path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    test.exe: page heap enabled
*************************************************************************************
At this point, test.exe has been registered for monitoring.
/p /enable is required.
/full means that each allocation gets its own space and that the adjacent space is inaccessible.
/unaligned means that allocations are not aligned, so an out-of-bounds access is detected immediately instead of being hidden by alignment padding.
What the command actually does is write PageHeapFlags=0x23 under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe.
3. Then double-click test.exe to run it. This time it crashes:
*************************************************************************************
(17f8.5d0): Access violation - code c0000005 (!!! second chance !!!)
eax=0161eff6 ebx=7c80ac61 ecx=0000000a edx=015c5000 esi=00000002 edi=00000a28
eip=00401010 esp=0012ff74 ebp=0012ffc0 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
WINDBGTEST!main+0x10:
00401010 880c01 mov byte ptr [ecx+eax],cl ds:0023:0161f000=??
*************************************************************************************
If you load the exe in WinDbg and use the !address command, you can see that the memory at eax is readable and writable, while eax+ecx is not accessible:
*************************************************************************************
0:000> !address eax
    015c0000 : 0161e000 - 00001000
        Type     00020000 MEM_PRIVATE
        Protect  00000004 PAGE_READWRITE
        State    00001000 MEM_COMMIT
        Usage    RegionUsagePageHeap
        Handle   015c1000
0:000> !address eax+ecx
    015c0000 : 0161f000 - 000a1000
        Type     00020000 MEM_PRIVATE
        Protect  00000001 PAGE_NOACCESS
        State    00001000 MEM_COMMIT
        Usage    RegionUsagePageHeap
        Handle   015c1000
*************************************************************************************
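The effect of /full and /unaligned seen in the dump above (a block that ends exactly where a no-access page begins) can be reproduced in miniature. This is an added example, not code from the original post and not how gflags or the Windows page heap is implemented: it is a POSIX analogue that uses mmap/mprotect, and guarded_alloc and first_faulting_index are hypothetical helper names.

```c
/* Added example: POSIX analogue of full page heap, not gflags' own code. */
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf on_fault;
static void fault_handler(int sig) { (void)sig; siglongjmp(on_fault, 1); }

/* Put an n-byte block directly in front of a PROT_NONE guard page.
 * align 1 models /unaligned; align 16 models normal allocator rounding.
 * The mapping is never unmapped: this is a short-lived demo. */
static char *guarded_alloc(size_t n, size_t align)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (n + page - 1) / page * page;   /* whole pages for the block */
    char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || mprotect(base + data, page, PROT_NONE) != 0)
        return NULL;
    size_t rounded = (n + align - 1) / align * align;
    return base + data - rounded;                 /* block ends at the guard page */
}

/* Run the page's loop (p[i] = i for i in 0..count-1). Returns the index of
 * the first faulting write, -1 if none faulted, -2 if setup failed. */
static int first_faulting_index(size_t n, size_t align, int count)
{
    struct sigaction sa = {0}, old_segv;
    volatile char *p = guarded_alloc(n, align);
    volatile int i = 0;                           /* volatile: read after siglongjmp */
    if (p == NULL) return -2;
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    if (sigsetjmp(on_fault, 1) == 0) {
        for (i = 0; i != count; ++i)
            p[i] = (char)i;
        i = -1;                                   /* every write succeeded */
    }
    sigaction(SIGSEGV, &old_segv, NULL);          /* restore previous handler */
    return i;
}

int main(void)
{
    printf("unaligned:  %d\n", first_faulting_index(10, 1, 11));
    printf("16-aligned: %d\n", first_faulting_index(10, 16, 11));
    return 0;
}
```

With 16-byte rounding the write to p[10] lands in padding and goes unnoticed, which is the hidden case the post describes; without rounding the same write faults at once.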