How is allocation handled within a C++ compiled EXE? Is the allocation manager baked into the app making it impossible to track allocations / unallocations if you don't have the code? Or is there a WinAPI call or something similar for memory allocation?
- When you launch an application from [VMMap](http://technet.microsoft.com/en-us/sysinternals/dd535533.aspx) the app is instrumented to track individual memory allocations (Heap*, Alloc*, malloc) along with the associated **call stack**. Knowing the function addresses, you can understand where the allocations take place in an EXE – Serg Jan 28 '13 at 17:52
3 Answers
Generally, the allocation function is provided by your C runtime library. That library in turn is written by your vendor. Microsoft's Visual C++ will presumably use Windows kernel routines to implement allocations, but you should check the documentation and/or ask your vendor.

- Let's say I open up an EXE in IDA Pro, is there any way to identify such allocations? – Robin Rodricks Jan 28 '13 at 15:55
- maybe just start with loading the msvcrt.dll symbol signatures.. if the binaries were not heavily optimized or obfuscated, you will probably find imported externals like .. 'malloc' :) – quetzalcoatl Jan 28 '13 at 16:00
- I'd start with something like `STraceNT` to check for system calls. Alternatively, you can use some kind of DLL explorer ("Dependency Walker"?) to see if you can find the relevant library function in the C runtime DLL and disassemble that one. – Kerrek SB Jan 28 '13 at 16:18
There's usually some of both. Normal code allocates memory via the heap manager that's built into the standard library. That, in turn, allocates larger blocks of memory from the OS, then allows the rest of the code to allocate smaller pieces of memory out of that big block.
Whether the heap manager is actually in the application or not depends how it was compiled and linked. If it uses the standard library in a DLL, then it'll use code from the standard library DLL. If it's linked to the standard library statically, then the heap manager code will be linked into the executable itself.

- Let's say I open up an EXE in IDA Pro, is there any way to identify such allocations? – Robin Rodricks Jan 28 '13 at 16:00
- @Geotarget: Allocations from the OS will normally end up as calls to `VirtualAlloc`, `HeapAlloc`, etc. Allocations inside the program will typically end up as calls to `malloc`, `calloc`, `::operator new`, etc. – Jerry Coffin Jan 28 '13 at 16:02
- Are remnants of any of these calls visible easily in the EXE? For instance `malloc` - can it be easily spotted in the EXE? – Robin Rodricks Jan 28 '13 at 16:59
- @Geotarget: Yes, normally. IDA Pro knows enough about the standard library that calls to `malloc` will normally be labeled as such (i.e., the code will read something like `push some_val; call _malloc`) – Jerry Coffin Jan 28 '13 at 17:03
The basis for the memory allocation is indeed some WinAPI call (typically the Heap functionality). These are "hidden" behind the `operator new` and `malloc` and other related functionality. You should be able to identify the calls to the Heap Functions, but there are probably several layers of functions between the raw heap and the actual memory allocation call.
Edit: Clearly, if the program is compiled to use the C runtime as a .DLL, the code to actually perform the allocation is not in the executable at all - it would be in the DLL.
And of course, it's entirely possible that the programmer who wrote the code:
1. didn't use C/C++, in which case all bets are off.
2. wrote their own version of memory management in some way, using for example `VirtualAlloc`.

- Let's say I open up an EXE in IDA Pro, is there any way to identify such allocations? – Robin Rodricks Jan 28 '13 at 16:01
- It depends - I just added some more info. Look for malloc, new, realloc and such things. Or "Heap", or "Alloc". – Mats Petersson Jan 28 '13 at 16:02
- Since this is an XY question, where you are asking how to do Y, because you want to do X and you think Y will be the way forward [like asking a car mechanic how to loosen a wheel nut when you have a puncture, later realizing you need to lift the car up to prevent it from falling down when you take the wheel off], it may help if you clarify what you are actually trying to achieve. – Mats Petersson Jan 28 '13 at 16:07
- I'm just trying to understand where the allocations take place in an EXE that I don't have the code for. I'm asking if this is easily possible and trying to understand how it works. – Robin Rodricks Jan 28 '13 at 16:58
- If you have a fair amount of experience, it's certainly possible. Depending on the size, style and generally how the application is written, it may not be easy even with experience! Why do you care about allocations in particular is more what I'm asking about. – Mats Petersson Jan 28 '13 at 17:08
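
As an added example (not code from any of the posts above), the static check the answers point to can be done without a disassembler: walk the EXE's import table and sort the allocation routines named on this page into the C runtime layer and the OS layer. The names `LAYER`, `imports`, `allocation_imports`, `build_sample` and `SAMPLE` are illustrative, the sample image is constructed by `build_sample`, and only 32-bit PE32 files with by-name imports are handled.

```python
import struct

LAYER = {"malloc": "crt", "calloc": "crt", "realloc": "crt", "HeapAlloc": "os", "VirtualAlloc": "os"}

def imports(data):  # yields (dll, function) for each by-name import of a PE32 image
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, optsize = struct.unpack_from("<H12xH", data, pe + 6)
    secs = [struct.unpack_from("<IIII", data, pe + 24 + optsize + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset via the section table
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        raise ValueError("RVA 0x%x is outside every section" % rva)
    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    desc = off(struct.unpack_from("<I", data, pe + 24 + 104)[0])  # import directory (PE32 layout)
    while (row := struct.unpack_from("<I8xII", data, desc))[1]:  # Name RVA of 0 ends the table
        thunk = off(row[0] or row[2])  # import lookup table, else the IAT
        while (v := struct.unpack_from("<I", data, thunk)[0]):
            if not v & 0x80000000:  # high bit set means import by ordinal, no name
                yield cstr(off(row[1])), cstr(off(v) + 2)  # +2 skips the hint word
            thunk += 4
        desc += 20

def allocation_imports(data):  # splits allocation imports into C runtime and OS layers
    found = {"crt": [], "os": []}
    for dll, fn in imports(data):  # ??2@ / ??_U@: MSVC-mangled operator new / new[]
        layer = "crt" if fn.startswith(("??2@", "??_U@")) else LAYER.get(fn)
        if layer:
            found[layer].append((dll, fn))
    return found

def build_sample(dlls):  # constructed PE32 image holding only an import table, not a program
    img, body = bytearray(0x200), bytearray(20 * (len(dlls) + 1))
    def put(b):  # append to the section at RVA 0x1000, return the RVA of b
        body.extend(b)
        return 0x1000 + len(body) - len(b)
    for i, (dll, names) in enumerate(dlls.items()):
        hints = [put(b"\0\0" + n.encode() + b"\0") for n in names]
        thunks = put(struct.pack("<%dI" % (len(hints) + 1), *hints, 0))
        struct.pack_into("<I8xII", body, 20 * i, thunks, put(dll.encode() + b"\0"), thunks)
    struct.pack_into("<2s58xI4sHH12xH", img, 0, b"MZ", 0x40, b"PE\0\0", 0x14C, 1, 0xE0)
    struct.pack_into("<H102xI", img, 0x58, 0x10B, 0x1000)  # PE32 magic, import directory RVA
    struct.pack_into("<8sIIII", img, 0x138, b".idata", len(body), 0x1000, len(body), 0x200)
    return bytes(img + body)

SAMPLE = build_sample({"msvcrt.dll": ["malloc", "free"], "KERNEL32.dll": ["HeapAlloc", "ExitProcess"]})
```

When the C runtime is linked statically, the `crt` list comes back empty and only the `HeapAlloc`/`VirtualAlloc` imports remain, so the allocator wrappers have to be found inside the EXE itself.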