First, use gflags.exe, a tool that ships with WinDbg, to enable user-mode stack trace recording (user stack trace, UST) for the process that leaks memory.
To enable it, run the following command:
    gflags.exe /i test.exe +ust
This is equivalent to a registry change under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options: when the gflags.exe /i test.exe command succeeds, it creates, in the entry for test.exe, a REG_DWORD value named GlobalFlag whose content is 0x00001000.
Run test.exe under WinDbg. When the instance is shut down, the memory leak is reported in WinDbg:
    Normal block at 0x026a5f98, 4000 bytes long.
     Data: <> CD
    Object dump complete.
This shows that the leaked block is at address 0x026a5f98 and is 4000 bytes long.
Use the !heap command to analyze this address and find the specific call stack.
    0:000> !heap -p -a 026a5f98
        address 026a5f98 found in
        _HEAP @ 14f0000
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
            limit 01fc 0000  [00]   026a5f78    00fc4 - (busy)
            77a1b234 ntdll!RtlAllocateHeap+0x00000274
            584d7743 msvcr100d!_heap_alloc_base+0x00000053
            584e5d8c msvcr100d!_heap_alloc_dbg_impl+0x000001fc
            584e5b2f msvcr100d!_nh_malloc_dbg_impl+0x0000001f
            584e5adc msvcr100d!_nh_malloc_dbg+0x0000002c
            584e5a91 msvcr100d!_malloc_dbg+0x00000021
            58694dd6 mfc100ud!operator new+0x00000026
            58694e6a mfc100ud!operator new[]+0x0000001a
            58694768 mfc100ud!operator new[]+0x00000018
    *** WARNING: Unable to verify checksum for sendmsgex.exe
            2a3c25 sendmsgex!CSendMsgExDlg::Thread1Proc+0x00000055
            767c1174 kernel32!BaseThreadInitThunk+0x0000000e
            779fb3f5 ntdll!_RtlUserThreadStart+0x00000070
            779fb3c8 ntdll!_RtlUserThreadStart+0x0000001b
The call stack shows that the leaked block was allocated in CSendMsgExDlg::Thread1Proc: new[] is called at this address, and that allocation is the memory leak.
    DWORD WINAPI CSendMsgExDlg::Thread1Proc(__in LPVOID lpParameter)
    {
        // 1000 ints = the 4000-byte block reported in the leak dump
        int *pVal = new int[1000];
        // ..................
    }
In this way, we can find both the cause and the location of the memory leak!
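The stack-reading step above (walk the !heap -p -a stack outward from the allocator until the first frame that is application code) can be scripted when many leaked blocks have to be triaged. This is an added Python example, not code from the original post; the skipped-module list and the function names are assumptions of the example.

```python
import re

# Allocator/runtime modules to skip (assumed list for this example; extend as needed).
RUNTIME = re.compile(r"^(ntdll|kernel32|msvcr\d+d?|mfc\d+u?d?)$", re.I)
# One stack line: return address, module!symbol, +0xoffset
FRAME = re.compile(r"^\s*([0-9a-f]+)\s+([^\s!]+)!(.+?)\+0x([0-9a-f]+)\s*$", re.I)

# Sample input: the stack from this page's !heap -p -a output.
SAMPLE = """\
0:000> !heap -p -a 026a5f98
    address 026a5f98 found in
    77a1b234 ntdll!RtlAllocateHeap+0x00000274
    584d7743 msvcr100d!_heap_alloc_base+0x00000053
    584e5d8c msvcr100d!_heap_alloc_dbg_impl+0x000001fc
    584e5b2f msvcr100d!_nh_malloc_dbg_impl+0x0000001f
    584e5adc msvcr100d!_nh_malloc_dbg+0x0000002c
    584e5a91 msvcr100d!_malloc_dbg+0x00000021
    58694dd6 mfc100ud!operator new+0x00000026
    58694e6a mfc100ud!operator new[]+0x0000001a
    58694768 mfc100ud!operator new[]+0x00000018
*** WARNING: Unable to verify checksum for sendmsgex.exe
    2a3c25 sendmsgex!CSendMsgExDlg::Thread1Proc+0x00000055
    767c1174 kernel32!BaseThreadInitThunk+0x0000000e
    779fb3f5 ntdll!_RtlUserThreadStart+0x00000070
    779fb3c8 ntdll!_RtlUserThreadStart+0x0000001b
"""

def parse_frames(text):
    """Return (address, module, symbol, offset) for every stack line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            addr, module, symbol, off = m.groups()
            frames.append((int(addr, 16), module, symbol, int(off, 16)))
    return frames

def leaking_frame(text):
    """First frame below the allocator that is not in a runtime module."""
    for frame in parse_frames(text):
        if not RUNTIME.match(frame[1]):
            return frame
    return None

def via_array_new(text):
    """True if the allocation went through operator new[]."""
    return any(s.startswith("operator new[]") for _, _, s, _ in parse_frames(text))

if __name__ == "__main__":
    print(leaking_frame(SAMPLE), via_array_new(SAMPLE))
```

Banner, header and warning lines are ignored because they do not match the frame pattern, so the whole debugger output can be pasted in unchanged.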