ufrisk / MemProcFS

MemProcFS
GNU Affero General Public License v3.0

VMMDLL_Map_GetHeapAlloc() VMMDLL_MAP_HEAPALLOCENTRY.cb off by 8 low #276

Closed kweatherman closed 3 months ago

kweatherman commented 3 months ago

Relatively small issue once you see it, but the size/byte-count returned by VMMDLL_Map_GetHeapAlloc() via VMMDLL_MAP_HEAPALLOCENTRY.cb is down by 8 bytes from the actual heap allocation.

Ran into a problem and did a side-by-side comparison using a console app that allocates very little (but still many allocations by the OS for the process).

Examples:

Real:
P: 0x9305A0, S: 0x10, SO: 0x8, RI: 0, F: 0x4, CS: 0x1A000, UCS: 0x0

MemProcFS:
VA: 0x930568 0x1C, TP: 1

Real:
P: 0x9305A0, S: 0x10, SO: 0x8, RI: 0, F: 0x4, CS: 0x1A000, UCS: 0x0

MemProcFS:
VA: 0x9305A0 0x8, TP: 1

Real:
P: 0x9332C8, S: 0x220, SO: 0x8, RI: 0, F: 0x4, CS: 0x1A000, UCS: 0x0

MemProcFS:
VA: 0x9332C8 0x218, TP: 1

The Windows API console code (32-bit process):

#include <windows.h>
#include <stdio.h>

HANDLE handle = GetProcessHeap();   /* heap being walked; the snippet as posted left this undefined */
PROCESS_HEAP_ENTRY he;
he.lpData = NULL;                   /* HeapWalk requires lpData == NULL before the first call */

while (HeapWalk(handle, &he))
{
    /* skip region / uncommitted-range descriptors so only real blocks are listed */
    if (!(he.wFlags & (PROCESS_HEAP_REGION | PROCESS_HEAP_UNCOMMITTED_RANGE | PROCESS_HEAP_ENTRY_DDESHARE)))
    {
        /* cbData is the block's usable size, cbOverhead the allocator header; the Region
           union member is only meaningful for PROCESS_HEAP_REGION entries */
        printf("P: 0x%X, S: 0x%X, SO: 0x%X, RI: %u, F: 0x%X, CS: 0x%X, UCS: 0x%X\n", (UINT32) he.lpData, he.cbData, he.cbOverhead, he.iRegionIndex, he.wFlags, he.Region.dwCommittedSize, he.Region.dwUnCommittedSize);
    }
}

MemProcFS API code (64-bit process):

#include <stdio.h>
#include "vmmdll.h"

/* DMA::Handle() / DMA::PID() are the reporter's own wrappers returning the VMM_HANDLE and target PID.
   pHeapMap is the per-process heap list obtained from VMMDLL_Map_GetHeap(). */
PVMMDLL_MAP_HEAP pHeapMap = NULL;
if (VMMDLL_Map_GetHeap(DMA::Handle(), DMA::PID(), &pHeapMap))
{
    for (UINT32 i = 0; i < pHeapMap->cMap; i++)
    {
        PVMMDLL_MAP_HEAPENTRY pMap = &pHeapMap->pMap[i];

        /* enumerate the allocations of heap #iHeap */
        PVMMDLL_MAP_HEAPALLOC pHeap = NULL;
        if (VMMDLL_Map_GetHeapAlloc(DMA::Handle(), DMA::PID(), pMap->iHeap, &pHeap))
        {
            printf("[%u] heap:\n", i);

            for (UINT32 j = 0; j < pHeap->cMap; j++)
            {
                VMMDLL_MAP_HEAPALLOCENTRY &hae = pHeap->pMap[j];
                /* va = allocation address, cb = reported size, tp = allocation type */
                printf(" [%u]: VA: 0x%llX 0x%X, TP: %u\n", j, hae.va, hae.cb, hae.tp);
            }

            VMMDLL_MemFree(pHeap);
        }
        else
            puts("VMMDLL_Map_GetHeapAlloc() failed!");
    }

    VMMDLL_MemFree(pHeapMap);
}
else
    puts("VMMDLL_Map_GetHeap() failed!");
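The side-by-side check described in this report can be automated: parse the HeapWalk lines and the MemProcFS lines, join them by address, and see whether the size difference is a constant (a systematic sizing offset) or noise. The script below is an added example, not code from the issue or from the MemProcFS project; the sample lines are copied from the report's own output above, and the regular expressions assume exactly the two printf formats shown in the snippets. It also handles the edge case visible in the first example pair, where the MemProcFS entry has no HeapWalk counterpart at the same address, by listing unmatched entries separately instead of pairing them by position.

```python
import re

# Constructed sample input, copied from the examples in the report above:
# HeapWalk output of the 32-bit test process ...
HEAPWALK_LINES = """\
P: 0x9305A0, S: 0x10, SO: 0x8, RI: 0, F: 0x4, CS: 0x1A000, UCS: 0x0
P: 0x9332C8, S: 0x220, SO: 0x8, RI: 0, F: 0x4, CS: 0x1A000, UCS: 0x0
"""

# ... and the VMMDLL_Map_GetHeapAlloc() listing produced by the MemProcFS snippet.
MEMPROCFS_LINES = """\
VA: 0x930568 0x1C, TP: 1
VA: 0x9305A0 0x8, TP: 1
VA: 0x9332C8 0x218, TP: 1
"""

# Formats assumed from the two printf calls in the report.
HEAPWALK_RE = re.compile(
    r"P:\s*0x([0-9A-Fa-f]+),\s*S:\s*0x([0-9A-Fa-f]+),\s*SO:\s*0x([0-9A-Fa-f]+)")
MEMPROCFS_RE = re.compile(
    r"VA:\s*0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+),\s*TP:\s*(\d+)")


def parse_heapwalk(text):
    """Map block address -> (cbData, cbOverhead) from HeapWalk-style lines."""
    out = {}
    for line in text.splitlines():
        m = HEAPWALK_RE.search(line)
        if m:
            out[int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3), 16))
    return out


def parse_memprocfs(text):
    """Map allocation address -> (cb, tp) from the MemProcFS listing."""
    out = {}
    for line in text.splitlines():
        m = MEMPROCFS_RE.search(line)
        if m:
            out[int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3)))
    return out


def compare(real, mpf):
    """Join both listings by address.

    Returns a dict with 'matched' as a list of (va, cbData, cb, cbData - cb),
    plus 'only_real' / 'only_mpf' for addresses present in only one listing.
    """
    matched = []
    for va in sorted(real.keys() & mpf.keys()):
        cbdata = real[va][0]
        cb = mpf[va][0]
        matched.append((va, cbdata, cb, cbdata - cb))
    return {
        "matched": matched,
        "only_real": sorted(real.keys() - mpf.keys()),
        "only_mpf": sorted(mpf.keys() - real.keys()),
    }


def size_deltas(report):
    """Distinct (cbData - cb) values over matched allocations. A single non-zero
    value across all blocks indicates a constant sizing offset, not random noise."""
    return {delta for (_, _, _, delta) in report["matched"]}


if __name__ == "__main__":
    report = compare(parse_heapwalk(HEAPWALK_LINES), parse_memprocfs(MEMPROCFS_LINES))
    for va, cbdata, cb, delta in report["matched"]:
        print(f"VA 0x{va:X}: HeapWalk cbData=0x{cbdata:X} MemProcFS cb=0x{cb:X} delta={delta:+d}")
    for va in report["only_real"]:
        print(f"VA 0x{va:X}: listed by HeapWalk only")
    for va in report["only_mpf"]:
        print(f"VA 0x{va:X}: listed by MemProcFS only")
    print("distinct deltas:", sorted(size_deltas(report)))
```

On the three sample pairs this yields a single delta of +8 for the two addresses that match (0x9305A0 and 0x9332C8) and flags 0x930568 as present only in the MemProcFS listing; running it against full dumps of both walkers is how one would confirm the offset is systematic rather than limited to a few blocks.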
ufrisk commented 3 months ago

It's really nice to see that someone actually uses this API. Less nice that there are bugs in it. I'll check it out on the weekend most probably to see if I can fix it.

I should be able to find this issue thanks to your excellent documentation.

Thanks,

kweatherman commented 3 months ago

Oh, thanks to you. You put so many nice features in it. I'll eventually play with them all :-)

ufrisk commented 3 months ago

Thank you for reporting. There was a 16-byte (0x10) mismatch in the allocation sizing. Also, this caused smaller allocations (<16 bytes) to not be reported. Anyway, this should now be resolved.

Let me know if you should find any remaining issues around this.