Search code examples
debuggingreverse-engineeringwindbgdangling-pointer

Dangling Pointer - Find Out when The Object is being Created

I'm debugging a software Use-After-Free bug using windbg(Don't have access to source code).

Where 

An Object Created --(do something)--> Object Deleted  --(do something)--> Object Reference Re-used [App. CRASHHHH!!!]

Using windbg and 'PageHeap' I can easily find out when that object is being Freed (!heap -p -a 0xXXXXXXX) and Re-used.

My question is, what are the ways to find out, when that object is being created.

Thx

Solution

  • One neat trick you can pull is to use (well, maybe abuse) leak tracking to save allocation stack traces and look at them in the debugger.

    Since you already have pageheap enabled, this should be pretty easy to explain.

    • Open gflags.exe (it comes with Windbg) and change the flags for your process's image file.
    • Check the boxes for Enable page heap and Create user mode stack trace database then click apply. glfags.exe with pageheap and ust checked.
    • Close and relaunch your application so the new setting will take effect.
    • Attach a Windbg and run !heap -p -a <allocation address you want the callstack of>

    I ran it on one of the heap allocations in notepad.exe's stack and got this:

    0:000> !heap -p -a 00000261`1a43b6c8
    address 000002611a43b6c8 found in
    _DPH_HEAP_ROOT @ 26119821000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             26119847750:      2611a43b6c0              938 -      2611a43b000             2000
          COMDLG32!CFileOpenSave::`vftable'
    00007ffa890622c7 ntdll!RtlDebugAllocateHeap+0x0000000000000047
    00007ffa88ff79ce ntdll!RtlpAllocateHeap+0x00000000000000ee
    00007ffa88ff595f ntdll!RtlpAllocateHeapInternal+0x000000000000064f
    00007ffa884c0f38 COMDLG32!CFileOpenSave::s_CreateInstance+0x0000000000000088
    00007ffa884d6750 COMDLG32!`CommonPrintDialogTelemetry::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x00000000000103c0
    00007ffa886ffee7 combase!CServerContextActivator::CreateInstance+0x0000000000000207 [d:\th\com\combase\objact\actvator.cxx @ 872]
    00007ffa8876c0b3 combase!ActivationPropertiesIn::DelegateCreateInstance+0x00000000000000e3 [d:\th\com\combase\actprops\actprops.cxx @ 1926]
    00007ffa88700687 combase!CApartmentActivator::CreateInstance+0x00000000000000c7 [d:\th\com\combase\objact\actvator.cxx @ 2168]
    00007ffa886ff3e9 combase!CProcessActivator::CCICallback+0x0000000000000079 [d:\th\com\combase\objact\actvator.cxx @ 1631]
    00007ffa886ff504 combase!CProcessActivator::AttemptActivation+0x0000000000000064 [d:\th\com\combase\objact\actvator.cxx @ 1518]
    00007ffa886ff5e0 combase!CProcessActivator::ActivateByContext+0x00000000000000b0 [d:\th\com\combase\objact\actvator.cxx @ 1364]
    00007ffa886ff900 combase!CProcessActivator::CreateInstance+0x0000000000000090 [d:\th\com\combase\objact\actvator.cxx @ 1262]
    00007ffa8876c104 combase!ActivationPropertiesIn::DelegateCreateInstance+0x0000000000000134 [d:\th\com\combase\actprops\actprops.cxx @ 1926]
    00007ffa8876929a combase!CClientContextActivator::CreateInstance+0x000000000000015a [d:\th\com\combase\objact\actvator.cxx @ 561]
    00007ffa8876c0c6 combase!ActivationPropertiesIn::DelegateCreateInstance+0x00000000000000f6 [d:\th\com\combase\actprops\actprops.cxx @ 1978]
    00007ffa88760c61 combase!ICoCreateInstanceEx+0x0000000000000c91 [d:\th\com\combase\objact\objact.cxx @ 1817]
    00007ffa8875fea7 combase!CComActivator::DoCreateInstance+0x0000000000000147 [d:\th\com\combase\objact\immact.hxx @ 376]
    00007ffa8875fd0c combase!CoCreateInstance+0x000000000000019c [d:\th\com\combase\objact\actapi.cxx @ 120]
    00007ff6d5321be8 notepad!InvokeOpenDialog+0x000000000000004c
    00007ff6d53225d7 notepad!NPCommand+0x00000000000003b7
    00007ff6d53238a9 notepad!NPWndProc+0x0000000000000509
    00007ffa88a41169 USER32!UserCallWinProcCheckWow+0x00000000000001f9
    00007ffa88a40c97 USER32!DispatchMessageWorker+0x00000000000001a7
    00007ff6d5323ba1 notepad!WinMain+0x0000000000000269
    00007ff6d53390b5 notepad!WinMainCRTStartup+0x00000000000001c5
    00007ffa866c8102 KERNEL32!BaseThreadInitThunk+0x0000000000000022
    00007ffa8902c2e4 ntdll!RtlUserThreadStart+0x0000000000000034

    If you don't get a stack trace, one thing to try is increasing the size of the stack backtrace database.