Memory leak on big time with temporary rules mode

[0x4E69676874466F78]

General

On startup after about 3 minutes simplewall takes up ~10-11MB. After some incomprehensible events, it can consume more than 2 gigabytes of memory (in current example 218MB). The main clue is the big uptime and high number of hibernation.

Basic info

Info from ProcessHacker v3.0.3959 (62242a7). OS: Windows 8.1, 64bit. Simplewall: 3.2.4 Release, 64-bit (Unicode)

Heaps on start

#	Address	Used	Commited	Entries	Flags	Class	Type
1	0x3c86200000	5,12 MB	5,29 MB	5	Growable (0x2)	Process Heap	NT Heap
2	0x3c85ef0000	1,83 kB	4 kB	1		CSRSS Port Heap	NT Heap
3	0x3c861b0000	208,48 kB	372 kB	3	Growable (0x2)	Private Heap	NT Heap
4	0x3c861a0000	66 kB	68 kB	2	Growable (0x2)	Private Heap	NT Heap
5	0x3c87b40000	1,61 MB	1,64 MB	4	Growable (0x2)	Private Heap	NT Heap

Heaps after some days

#	Address	Used	Commited	Entries	Flags	Class	Type
1	0x3c86200000	106,72 MB	112 MB	14	Growable (0x2)	Process Heap	NT Heap
2	0x3c85ef0000	1,83 kB	4 kB	1		CSRSS Port Heap	NT Heap
3	0x3c861b0000	223,33 kB	372 kB	3	Growable (0x2)	Private Heap	NT Heap
4	0x3c861a0000	66,69 kB	76 kB	3	Growable (0x2)	Private Heap	NT Heap
5	0x3c87b40000	100,14 MB	100,5 MB	12	Growable (0x2)	Private Heap	NT Heap

Threads on start

TID	Cycles	Start address	Priority (symbolic)
2880	15 912 160 695	simplewall.exe+0x58b90	Normal
5148	22 259 931	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
10408	387 228 664	simplewall.exe+0xec00	Lowest
10848	127 692	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
11204	14 248 181	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal

Stack Thread 2880

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMultipleObjects+0x3a0
4	win32k.sys!W32pArgumentTable+0x29d4
5	win32k.sys!W32pArgumentTable+0x5fd
6	win32k.sys!W32pArgumentTable+0x25f1
7	win32k.sys!EngCopyBits+0xc13a
8	win32k.sys!W32pArgumentTable+0x4da
9	ntoskrnl.exe!setjmpex+0x6553
10	user32.dll!GetMessageW+0x5a
11	user32.dll!GetMessageW+0x25
12	simplewall.exe+0x3b9ed
13	simplewall.exe+0x58b22
14	kernel32.dll!BaseThreadInitThunk+0x22
15	ntdll.dll!RtlUserThreadStart+0x34

Stack Thread 10408

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMutexObject+0x373
4	ntoskrnl.exe!NtWaitForSingleObject+0xb2
5	ntoskrnl.exe!setjmpex+0x6553
6	ntdll.dll!NtWaitForSingleObject+0xa
7	KernelBase.dll!WaitForSingleObjectEx+0x98
8	simplewall.exe+0x2c1db
9	simplewall.exe+0xec55
10	kernel32.dll!BaseThreadInitThunk+0x22
11	ntdll.dll!RtlUserThreadStart+0x34

Threads after some days:

TID	Cycles	Start address	Priority (symbolic)
2880	236 299 531 280	simplewall.exe+0x58b90	Normal
3004	289 440 143	winmm.dll!timeBeginPeriod+0xf0	Highest
10408	396 505 466 251	simplewall.exe+0xec00	Lowest
10848	2 736 935	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
12712	919 673 556	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
17936	2 140 457 702	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal

Stack Thread 2880

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMultipleObjects+0x3a0
4	win32k.sys!W32pArgumentTable+0x29d4
5	win32k.sys!W32pArgumentTable+0x5fd
6	win32k.sys!W32pArgumentTable+0x25f1
7	win32k.sys!EngCopyBits+0xc13a
8	win32k.sys!W32pArgumentTable+0x4da
9	ntoskrnl.exe!setjmpex+0x6553
10	user32.dll!GetMessageW+0x5a
11	user32.dll!GetMessageW+0x25
12	simplewall.exe+0x3b9ed
13	simplewall.exe+0x58b22
14	kernel32.dll!BaseThreadInitThunk+0x22
15	ntdll.dll!RtlUserThreadStart+0x34

Stack Thread 10408

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMutexObject+0x373
4	ntoskrnl.exe!NtWaitForSingleObject+0xb2
5	ntoskrnl.exe!setjmpex+0x6553
6	ntdll.dll!NtWaitForSingleObject+0xa
7	KernelBase.dll!WaitForSingleObjectEx+0x98
8	simplewall.exe+0x2c1db
9	simplewall.exe+0xec55
10	kernel32.dll!BaseThreadInitThunk+0x22
11	ntdll.dll!RtlUserThreadStart+0x34

Detail memory info

detail memory info.txt

[0x4E69676874466F78]

Additional information: this happens in the temporary rules mode and the Windows firewall is enabled.

[henrypp]

Try 3.3.2, a lot of dereference issues is fixed in this release.

FYI: new release has .pdb file package in release section, you can download it and see more details for process information.

[0x4E69676874466F78]

@henrypp,

Try 3.3.2, a lot of dereference issues is fixed in this release.

Leak continues...

Basic info

Threads on start (delay ~10 minutes)

TID	Cycles	Start address	Priority (symbolic)
32	225 920 646	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
6552	351 908 187	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
7828	975 729 178	simplewall.exe!_r_sys_basethreadstart	Lowest
9832	92 556	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
11468	16 496 681 459	simplewall.exe!wWinMainCRTStartup	Normal

Stack Thread 7828

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMutexObject+0x373
4	ntoskrnl.exe!NtWaitForSingleObject+0xb2
5	ntoskrnl.exe!setjmpex+0x6553
6	ntdll.dll!NtWaitForSingleObject+0xa
7	KernelBase.dll!WaitForSingleObjectEx+0x98
8	simplewall.exe!NetworkMonitorThread+0xc2a
9	simplewall.exe!_r_sys_basethreadstart+0x78
10	kernel32.dll!BaseThreadInitThunk+0x22
11	ntdll.dll!RtlUserThreadStart+0x34

Stack Thread 11468

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMultipleObjects+0x3a0
4	win32k.sys!W32pArgumentTable+0x29d4
5	win32k.sys!W32pArgumentTable+0x5fd
6	win32k.sys!W32pArgumentTable+0x25f1
7	win32k.sys!EngCopyBits+0xc13a
8	win32k.sys!W32pArgumentTable+0x4da
9	ntoskrnl.exe!setjmpex+0x6553
10	user32.dll!GetMessageW+0x5a
11	user32.dll!GetMessageW+0x25
12	simplewall.exe!wWinMain+0x3ed
13	simplewall.exe!__scrt_common_main_seh+0x106
14	kernel32.dll!BaseThreadInitThunk+0x22
15	ntdll.dll!RtlUserThreadStart+0x34

Threads 2 days ago

TID	Cycles	Start address	Priority (symbolic)
2608	2 207 735	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
7828	123 294 689 124	simplewall.exe!_r_sys_basethreadstart	Lowest
9832	494 064	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal
11468	96 981 646 487	simplewall.exe!wWinMainCRTStartup	Normal
12076	3 139 296 276	ntdll.dll!RtlFreeUnicodeString+0x1370	Normal

Stack Thread 7828

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMutexObject+0x373
4	ntoskrnl.exe!NtWaitForSingleObject+0xb2
5	ntoskrnl.exe!setjmpex+0x6553
6	ntdll.dll!NtWaitForSingleObject+0xa
7	KernelBase.dll!WaitForSingleObjectEx+0x98
8	simplewall.exe!NetworkMonitorThread+0xc2a
9	simplewall.exe!_r_sys_basethreadstart+0x78
10	kernel32.dll!BaseThreadInitThunk+0x22
11	ntdll.dll!RtlUserThreadStart+0x34

Stack Thread 11468

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeWaitForMultipleObjects+0x3a0
4	win32k.sys!W32pArgumentTable+0x29d4
5	win32k.sys!W32pArgumentTable+0x5fd
6	win32k.sys!W32pArgumentTable+0x25f1
7	win32k.sys!EngCopyBits+0xc13a
8	win32k.sys!W32pArgumentTable+0x4da
9	ntoskrnl.exe!setjmpex+0x6553
10	user32.dll!GetMessageW+0x5a
11	user32.dll!GetMessageW+0x25
12	simplewall.exe!wWinMain+0x3ed
13	simplewall.exe!__scrt_common_main_seh+0x106
14	kernel32.dll!BaseThreadInitThunk+0x22
15	ntdll.dll!RtlUserThreadStart+0x34

Stack Thread 12076

#	Name
0	ntoskrnl.exe!_misaligned_access+0x135a
1	ntoskrnl.exe!KeWaitForMultipleObjects+0x152f
2	ntoskrnl.exe!KeWaitForMultipleObjects+0xdd9
3	ntoskrnl.exe!KeRemoveQueueEx+0x788
4	ntoskrnl.exe!_misaligned_access+0x21fe
5	ntoskrnl.exe!_misaligned_access+0x187f
6	ntoskrnl.exe!setjmpex+0x6553
7	ntdll.dll!NtWaitForWorkViaWorkerFactory+0xa
8	ntdll.dll!RtlFreeUnicodeString+0x1ab6
9	kernel32.dll!BaseThreadInitThunk+0x22
10	ntdll.dll!RtlUserThreadStart+0x34

Heaps on start

#	Address	Used	Commited	Entries	Flags	Class	Type
1	0xd78f150000	6,56 MB	6,69 MB	5	Growable (0x2)	Process Heap	NT Heap
2	0xd78eea0000	1,83 kB	4 kB	1		CSRSS Port Heap	NT Heap
3	0xd78f540000	216,39 kB	372 kB	3	Growable (0x2)	Private Heap	NT Heap
4	0xd78f460000	66,72 kB	80 kB	3	Growable (0x2)	Private Heap	NT Heap
5	0xd790ff0000	4,8 MB	4,85 MB	5	Growable (0x2)	Private Heap	NT Heap

Heaps 2 days ago

#	Address	Used	Commited	Entries	Flags	Class	Type
1	0xd78f150000	82,96 MB	84,99 MB	11	Growable (0x2)	Process Heap	NT Heap
2	0xd78eea0000	1,83 kB	4 kB	1		CSRSS Port Heap	NT Heap
3	0xd78f540000	222,97 kB	372 kB	3	Growable (0x2)	Private Heap	NT Heap
4	0xd78f460000	66,72 kB	80 kB	3	Growable (0x2)	Private Heap	NT Heap
5	0xd790ff0000	69,42 MB	69,49 MB	11	Growable (0x2)	Private Heap	NT Heap

Detail memory info

Process Hacker (simplewall.exe) Memory (13 minutes and 8 seconds ago (27.04.2021)).txt Process Hacker (simplewall.exe) Memory (2 days ago (27.04.2021)).txt

[henrypp]

Only with temporary rules you can see memory leak or persistent-mode leak too?

Do you enable "Packet logging interface"?

[0x4E69676874466F78]

Only with temporary rules you can see memory leak or persistent-mode leak too?

Not tested with persistent-mode.

Do you enable "Packet logging interface"?

Oh, Yes. I just opened the Packet logs tab and it freze. I did think that it is automatically truncate or has a virtual viewport (loading only visible items).

[0x4E69676874466F78]

I will test without packet logging.

[0x4E69676874466F78]

The leak seems to persist, but progress is noticeably slower. 4 days and 16 hours ago = 30,23 MB I continue to observe.

[henrypp]

fixed