Wednesday, 15 May 2013

dll - MFC Win32 application + application verifier - virtual reservation leaked -




I'm trying to analyse a Win32 application using Application Verifier. I checked the categories under Basics. In the following code,

    // Function unloads the DLL
    int unloaddll()
    {
        if (dllhandle != NULL)
        {
            if (0 == FreeLibrary(dllhandle))
            {
                // Failed to unload the DLL
                return -1;
            }
            dllhandle = NULL;
        }
        return 0;
    }

Application Verifier stops and throws the following:

    =======================================
    VERIFIER STOP 00000903: pid 0x770: Virtual reservation leaked.

        04db0000 : Leaked reservation address.
        00825fc4 : Address to the allocation stack trace. Run dps <address> to view the allocation stack.
        07870fe0 : Address of the owner dll name. Run du <address> to read the dll name.
        04b00000 : Base of the owner dll. Run .reload <dll_name> = <address> to reload the owner dll. Use 'lm' to get more information about the loaded and unloaded modules.

    =======================================
    This verifier stop is continuable.
    After debugging it use `go' to continue.
    =======================================

What is a virtual reservation address? I haven't been able to find any related links. Also, why is this occurring?

Edit:

Here are the outputs of the commands executed according to the above suggestions.

dps 00825fc4:

    00825fc4 00000000
    00825fc8 0000f801
    00825fcc 002001e6
    00825fd0 6aa1441e vfbasics+0x1441e
    00825fd4 04b081ad <unloaded_testdll.dll>+0x81ad
    00825fd8 04b07bbd <unloaded_testdll.dll>+0x7bbd
    00825fdc 04b07683 <unloaded_testdll.dll>+0x7683
    00825fe0 04b0c4ec <unloaded_testdll.dll>+0xc4ec
    00825fe4 04b107d6 <unloaded_testdll.dll>+0x107d6
    00825fe8 004354ac*** warning: unable verify checksum gui.exe
     gui!cgui::check+0x17c [e:\gui\dllinterface.cpp @ 832]
    00825fec 00435a47 gui!cgui::oninitdialog+0x1e7 [e:\gui\dllinterface.cpp @ 988]
    00825ff0 004d3a6b gui!afxdlgproc+0x3b [dlgcore.cpp @ 35]
    00825ff4 773e86ef*** error: symbol file not found. defaulted export symbols c:\windows\system32\user32.dll -
     user32!isthreaddesktopcomposited+0x11f
    00825ff8 773d9eb2 user32!createdialogparamw+0x2b3
    00825ffc 773db98b user32!getmenuitemid+0x17b
    00826000 773f90f9 user32!defdlgproca+0x22
    00826004 773e86ef user32!isthreaddesktopcomposited+0x11f
    00826008 773e8876 user32!isthreaddesktopcomposited+0x2a6
    0082600c 773e43cf user32!windowfromdc+0xeb
    00826010 774041f9 user32!callwindowproca+0x1b
    00826014 004d705d gui!cwnd::defwindowproca+0x32 [wincore.cpp @ 1000]
    00826018 004d59eb gui!cwnd::default+0x39 [wincore.cpp @ 249]
    0082601c 004d4c67 gui!cdialog::handleinitdialog+0xad [dlgcore.cpp @ 621]
    00826020 004d83bb gui!cwnd::onwndmsg+0x68d [wincore.cpp @ 1815]
    00826024 004d7d04 gui!cwnd::windowproc+0x2e [wincore.cpp @ 1585]
    00826028 004d58a9 gui!afxcallwndproc+0xed [wincore.cpp @ 215]
    0082602c 004d5d45 gui!afxwndproc+0x81 [wincore.cpp @ 368]
    00826030 773e86ef user32!isthreaddesktopcomposited+0x11f
    00826034 773e8876 user32!isthreaddesktopcomposited+0x2a6
    00826038 773e7631 user32!isrectempty+0x120
    0082603c 773d9b1d user32!registermessagepumphook+0x9d9
    00826040 773d9bf6 user32!createdialogindirectparamaorw+0x33

du 07870fe0:

07870fe0 "testdll.dll"

lm:

    start    end      module name
    00400000 007c5000 gui c (private pdb symbols) e:\gui\debug\gui.pdb
    6aa00000 6aa58000 vfbasics (no symbols)
    6cc80000 6ccb8000 odbcint (deferred)
    6d180000 6d20a000 odbc32 (deferred)
    70650000 70669000 olepro32 (deferred)
    70670000 7068c000 oledlg (deferred)
    70690000 706f0000 verifier (deferred)
    709f0000 70a1b000 vrfcore (export symbols) c:\windows\system32\vrfcore.dll
    71190000 711e1000 winspool (deferred)
    721a0000 721b2000 pnrpnsp (deferred)
    721c0000 721d0000 napinsp (deferred)
    72230000 72236000 rasadhlp (deferred)
    72240000 72248000 winrnr (deferred)
    72280000 722a7000 wlidnsp (deferred)
    73420000 73426000 sensapi (deferred)
    738e0000 73918000 fwpuclnt (deferred)
    73b50000 73b57000 winnsi (deferred)
    73be0000 73bfc000 iphlpapi (deferred)
    73ee0000 73ef0000 nlaapi (deferred)
    74090000 740c2000 winmm (deferred)
    740d0000 740f1000 ntmarta (deferred)
    741e0000 741ed000 rtutils (deferred)
    741f0000 74205000 rasman (deferred)
    74210000 74262000 rasapi32 (deferred)
    74380000 7438f000 wkscli (deferred)
    74390000 743a1000 netapi32 (deferred)
    745f0000 74603000 dwmapi (deferred)
    74b30000 74b70000 uxtheme (deferred)
    74b70000 74d0e000 comctl32_74b70000 (deferred)
    74fd0000 74fd9000 version (deferred)
    75060000 75065000 wshtcpip (deferred)
    75320000 75329000 netutils (deferred)
    75410000 75454000 dnsapi (deferred)
    75540000 75546000 wship6 (deferred)
    75550000 7558c000 mswsock (deferred)
    75860000 75879000 srvcli (deferred)
    75a00000 75a1a000 sspicli (deferred)
    75a70000 75a7c000 cryptbase (deferred)
    75b20000 75b2b000 profapi (deferred)
    75b90000 75b9c000 msasn1 (deferred)
    75ba0000 75c24000 comctl32 (deferred)
    75c30000 75c7a000 kernelbase (deferred)
    75d00000 75e1e000 crypt32 (deferred)
    75e20000 75e9b000 comdlg32 (deferred)
    75ea0000 75f41000 rpcrt4 (deferred)
    75f50000 75ff0000 advapi32 (deferred)
    75ff0000 761e9000 iertutil (deferred)
    76390000 763c5000 ws2_32 (deferred)
    763d0000 763e9000 sechost (deferred)
    763f0000 7640f000 imm32 (deferred)
    76410000 76455000 wldap32 (deferred)
    76460000 76595000 urlmon (deferred)
    765a0000 771e9000 shell32 (deferred)
    771f0000 772c4000 kernel32 (deferred)
    77300000 773cc000 msctf (deferred)
    773d0000 77499000 user32 (export symbols) c:\windows\system32\user32.dll
    77590000 7763c000 msvcrt (deferred)
    77640000 7779c000 ole32 (deferred)
    777a0000 7782f000 oleaut32 (deferred)
    77830000 778ce000 usp10 (deferred)
    778d0000 779c4000 wininet (deferred)
    779d0000 77b0c000 ntdll (export symbols) c:\windows\system32\ntdll.dll
    77b10000 77b1a000 lpk (deferred)
    77b20000 77b25000 psapi (deferred)
    77b30000 77b33000 normaliz (deferred)
    77b40000 77b8e000 gdi32 (deferred)
    77b90000 77b96000 nsi (deferred)
    77ba0000 77bf7000 shlwapi (deferred)

    unloaded modules:
    04b00000 04b60000 testdll.dll

"Virtual reservation" presumably refers to the idea that, in Windows, you can "reserve" (claim) a range of virtual addresses without allocating physical memory.

e.g., http://msdn.microsoft.com/en-us/library/windows/desktop/aa366887(v=vs.85).aspx

MEM_RESERVE 0x00002000: Reserves a range of the process's virtual address space without allocating actual physical storage in memory or in the paging file on disk.

So, presumably something in testdll.dll called VirtualAlloc, and there was never a corresponding call to VirtualFree. You'd have to include more information about testdll for the investigation to proceed further.
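
The pattern the answer describes, as an added example that is not part of the original post and is not testdll's code: a module records every reservation it makes and releases them all from a cleanup routine that the host calls before FreeLibrary. The names module_reserve, module_outstanding and module_cleanup are hypothetical, and the non-Windows branch uses malloc/free purely as a stand-in so the bookkeeping builds anywhere.

```c
/* Added example: track address-space reservations so none outlive the module. */
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
static void *reserve_range(size_t n) {
    /* MEM_RESERVE claims addresses only; no physical storage is committed. */
    return VirtualAlloc(NULL, n, MEM_RESERVE, PAGE_NOACCESS);
}
static int release_range(void *p) {
    /* MEM_RELEASE takes the reservation's base address and a size of 0. */
    return VirtualFree(p, 0, MEM_RELEASE) ? 0 : -1;
}
#else   /* stand-in only (assumption): malloc is not a real reservation */
#include <stdlib.h>
static void *reserve_range(size_t n) { return malloc(n); }
static int release_range(void *p) { free(p); return 0; }
#endif

#define MAX_RES 8
static void *g_res[MAX_RES];      /* base addresses still owned by the module */

/* Reserve a range and remember its base so cleanup can find it later. */
void *module_reserve(size_t n) {
    for (int i = 0; i < MAX_RES; i++) {
        if (g_res[i] == NULL) {
            g_res[i] = reserve_range(n);
            return g_res[i];
        }
    }
    return NULL;                  /* tracking table is full */
}

/* Reservations not yet released: what a leak check would flag at unload. */
int module_outstanding(void) {
    int count = 0;
    for (int i = 0; i < MAX_RES; i++)
        if (g_res[i] != NULL) count++;
    return count;
}

/* Call before FreeLibrary, e.g. from an exported shutdown function.
 * Returns the number of ranges that could not be released. */
int module_cleanup(void) {
    int failed = 0;
    for (int i = 0; i < MAX_RES; i++) {
        if (g_res[i] == NULL) continue;
        if (release_range(g_res[i]) != 0) { failed++; continue; }
        g_res[i] = NULL;
    }
    return failed;
}
```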
