I'm debugging a software Use-After-Free bug using windbg(Don't have access to source code).
Where
An Object Created --(do something)--> Object Deleted --(do something)--> Object Reference Re-used [App. CRASHHHH!!!]
Using windbg and 'PageHeap' I can easily find out when that object is being Freed (!heap -p -a 0xXXXXXXX) and Re-used.
My question is, what are the ways to find out, when that object is being created.
Thx
One neat trick you can pull is to use (well, maybe abuse) leak tracking to save allocation stack traces and look at them in the debugger.
Since you already have pageheap enabled, this should be pretty easy to explain.
gflags.exe (it comes with Windbg) and change the flags for your process's image file.Enable page heap and Create user mode stack trace database then click apply. 
!heap -p -a <allocation address you want the callstack of>I ran it on one of the heap allocations in notepad.exe's stack and got this:
0:000> !heap -p -a 00000261`1a43b6c8
address 000002611a43b6c8 found in
_DPH_HEAP_ROOT @ 26119821000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
26119847750: 2611a43b6c0 938 - 2611a43b000 2000
COMDLG32!CFileOpenSave::`vftable'
00007ffa890622c7 ntdll!RtlDebugAllocateHeap+0x0000000000000047
00007ffa88ff79ce ntdll!RtlpAllocateHeap+0x00000000000000ee
00007ffa88ff595f ntdll!RtlpAllocateHeapInternal+0x000000000000064f
00007ffa884c0f38 COMDLG32!CFileOpenSave::s_CreateInstance+0x0000000000000088
00007ffa884d6750 COMDLG32!`CommonPrintDialogTelemetry::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x00000000000103c0
00007ffa886ffee7 combase!CServerContextActivator::CreateInstance+0x0000000000000207 [d:\th\com\combase\objact\actvator.cxx @ 872]
00007ffa8876c0b3 combase!ActivationPropertiesIn::DelegateCreateInstance+0x00000000000000e3 [d:\th\com\combase\actprops\actprops.cxx @ 1926]
00007ffa88700687 combase!CApartmentActivator::CreateInstance+0x00000000000000c7 [d:\th\com\combase\objact\actvator.cxx @ 2168]
00007ffa886ff3e9 combase!CProcessActivator::CCICallback+0x0000000000000079 [d:\th\com\combase\objact\actvator.cxx @ 1631]
00007ffa886ff504 combase!CProcessActivator::AttemptActivation+0x0000000000000064 [d:\th\com\combase\objact\actvator.cxx @ 1518]
00007ffa886ff5e0 combase!CProcessActivator::ActivateByContext+0x00000000000000b0 [d:\th\com\combase\objact\actvator.cxx @ 1364]
00007ffa886ff900 combase!CProcessActivator::CreateInstance+0x0000000000000090 [d:\th\com\combase\objact\actvator.cxx @ 1262]
00007ffa8876c104 combase!ActivationPropertiesIn::DelegateCreateInstance+0x0000000000000134 [d:\th\com\combase\actprops\actprops.cxx @ 1926]
00007ffa8876929a combase!CClientContextActivator::CreateInstance+0x000000000000015a [d:\th\com\combase\objact\actvator.cxx @ 561]
00007ffa8876c0c6 combase!ActivationPropertiesIn::DelegateCreateInstance+0x00000000000000f6 [d:\th\com\combase\actprops\actprops.cxx @ 1978]
00007ffa88760c61 combase!ICoCreateInstanceEx+0x0000000000000c91 [d:\th\com\combase\objact\objact.cxx @ 1817]
00007ffa8875fea7 combase!CComActivator::DoCreateInstance+0x0000000000000147 [d:\th\com\combase\objact\immact.hxx @ 376]
00007ffa8875fd0c combase!CoCreateInstance+0x000000000000019c [d:\th\com\combase\objact\actapi.cxx @ 120]
00007ff6d5321be8 notepad!InvokeOpenDialog+0x000000000000004c
00007ff6d53225d7 notepad!NPCommand+0x00000000000003b7
00007ff6d53238a9 notepad!NPWndProc+0x0000000000000509
00007ffa88a41169 USER32!UserCallWinProcCheckWow+0x00000000000001f9
00007ffa88a40c97 USER32!DispatchMessageWorker+0x00000000000001a7
00007ff6d5323ba1 notepad!WinMain+0x0000000000000269
00007ff6d53390b5 notepad!WinMainCRTStartup+0x00000000000001c5
00007ffa866c8102 KERNEL32!BaseThreadInitThunk+0x0000000000000022
00007ffa8902c2e4 ntdll!RtlUserThreadStart+0x0000000000000034
If you don't get a stack trace, one thing to try is increasing the size of the stack backtrace database.
