
How can I access the entire "user mode stack trace database" created by "gflags.exe" like an SQL DB? Otherwise, could you point me to some API docs about the UST DB?

I turned on the +ust flag using "gflags.exe", so I can get a stack trace when creating a memory block.

But I want to compile memory allocation statistics grouped by call stack (like UMDH or LeakDiag), just for study. I guess there is some interface to query the UST DB, but I can't find it. Is there some way to query or enumerate the UST DB?

There is no API. Just use umdh.exe to access UST information inside the running process. It would help if you clarify what your end goal is. If this is finding memory leaks, just use the guidance at [this link](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/using-umdh-to-find-a-user-mode-memory-leak). – seva titov Apr 11 '18 at 14:25

2 Answers


Use UMDH as the API. UMDH uses text files to store its data:

umdh -pn:Program.exe -f:before.txt
// do something
umdh -pn:Program.exe -f:after.txt

And you can even repeat these steps to get more text files. You then have n text files (that's your "database") that you can parse (you'll have to write the query in some programming language like C# or Python) and analyze.

There are tools out there which already work like this. In my former company we used UMDHGrapher (not publicly available) and there is UmdhViz or Umdh Visualize which all do it that way.

Thomas Weller
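The "query" this answer leaves to the reader, as an added example that is not part of the original answer: a Python parser for the two-line-per-entry diff format UMDH writes (documented in Microsoft's UMDH leak-hunting guide), which keeps byte and allocation-count deltas per BackTrace id, as UMDH does, and then sums them by the first non-allocator frame, so several stacks through the same leaking function land in one bucket. The sample log, the allocator module/symbol lists used for skipping, and the MyApp frames are constructed assumptions.

```python
import re
# Constructed sample shaped like a UMDH diff log (umdh before.txt after.txt), not real tool output; numbers are hex as UMDH prints them, and its "//" header lines match neither regex below.
SAMPLE_DIFF = """\
// + BYTES_DELTA (NEW_BYTES - OLD_BYTES) NEW_COUNT allocs BackTrace TRACEID
+    5320 (  f110 -  9df0)     c allocs\tBackTrace00B53
+       6 (    c -     6)\tBackTrace00B53\tallocations
\tntdll!RtlAllocateHeap+00000808
\tMyApp!malloc+00000016
\tMyApp!LeakyFunc+0000001E
-     100 (   200 -   300)     2 allocs\tBackTrace00C10
-       1 (    2 -     3)\tBackTrace00C10\tallocations
\tntdll!RtlAllocateHeap+00000808
\tMyApp!malloc+00000016
\tMyApp!LeakyFunc+00000040
"""
# Both lines of an entry: "+ DELTA (NEW - OLD) N allocs BackTraceID" / "+ DELTA (NEW - OLD) BackTraceID allocations".
DELTA_RE = re.compile(r"^([+-])\s*([0-9a-f]+)\s*\(\s*([0-9a-f]+)\s*-\s*([0-9a-f]+)\s*\)"
                      r".*?(BackTrace[0-9a-f]+)\s*(allocations)?\s*$", re.I)
FRAME_RE = re.compile(r"^\s+(\S+![^+\s]+)\+[0-9a-f]+\s*$", re.I)  # "\tmodule!symbol+offset"
# Assumed allocator frames to skip when looking for the application frame that owns an allocation.
ALLOC_MODULES, ALLOC_SYMBOLS = {"ntdll", "ucrtbase", "msvcrt", "verifier"}, {"malloc", "calloc", "realloc", "operator new", "HeapAlloc"}

def parse_umdh_diff(text):
    """Return {trace_id: {bytes_delta, new_bytes, old_bytes, count_delta, frames}} per BackTrace."""
    entries, cur = {}, None
    for line in text.splitlines():
        if m := DELTA_RE.match(line):
            sign, delta, new, old, tid, is_count = m.groups()
            cur = entries.setdefault(tid, {"frames": []})
            d = int(delta, 16) * (-1 if sign == "-" else 1)
            if is_count:                 # second line of an entry: allocation-count delta
                cur["count_delta"] = d
            else:                        # first line of an entry: byte delta and snapshot totals
                cur.update(bytes_delta=d, new_bytes=int(new, 16), old_bytes=int(old, 16))
        elif (m := FRAME_RE.match(line)) and cur is not None:
            cur["frames"].append(m.group(1))   # keep module!symbol, drop the +offset
    return entries

def owner_frame(frames):  # first frame outside the allocator, i.e. the code that owns the block
    app = (f for f in frames if f.partition("!")[0].lower() not in ALLOC_MODULES
           and f.partition("!")[2] not in ALLOC_SYMBOLS)
    return next(app, frames[-1] if frames else "<no stack>")

def growth_by_owner(entries):
    """[(owner, (bytes_delta, count_delta))] summed over all backtraces per owner, largest first."""
    totals = {}
    for rec in entries.values():
        o = owner_frame(rec["frames"])
        b, c = totals.get(o, (0, 0))
        totals[o] = (b + rec["bytes_delta"], c + rec.get("count_delta", 0))
    return sorted(totals.items(), key=lambda kv: -kv[1][0])
```

Feed it the text of `umdh before.txt after.txt` (or several such diffs in turn) and the top entries of `growth_by_owner` are the functions whose outstanding allocations grew most between snapshots.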

Take a look at avrfsdk.h; it exposes some interfaces to play with the Stack_trace_database.

Sample code that shows how to get an allocation stack trace is shown below.

Compile without optimizations:
(cl /Zi /W4 /analyze /Od foo.cpp /link /release)

Enable page heap and collect stack traces on the compiled exe:
gflags /i foo.exe +ust +hpa

Run it to get the stack trace for the single malloc() in allocme():

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>     // malloc
#include <string.h>     // memcpy
#include <avrfsdk.h>    // AVRF_* types and AvrfResourceHeapAllocation
#include <intrin.h>     // _ReturnAddress

#define ALLOCSIZ 0x1337 // unusual size so the callback can pick out our one block

// Signature of the verifier.dll export that walks the verifier's resource databases.
typedef ULONG (WINAPI *VerifierEnumResource)(HANDLE Process, ULONG Flags,
    ULONG ResourceType, AVRF_RESOURCE_ENUMERATE_CALLBACK ResourceCallback,
    PVOID EnumerationContext);

// Called once per live heap allocation; returning 0 continues the enumeration.
ULONG WINAPI HeapAllocCallback(PAVRF_HEAP_ALLOCATION HeapAllocation, PVOID, PULONG) {
    if (HeapAllocation->UserAllocationSize == ALLOCSIZ) {
        printf("Index=%x\tDepth=%x\n", HeapAllocation->BackTraceInformation->Index,
            HeapAllocation->BackTraceInformation->Depth);
        for (ULONG i = 0; i < HeapAllocation->BackTraceInformation->Depth; i++) {
            // ReturnAddresses are ULONG64, hence %I64x
            printf("%I64x\n", HeapAllocation->BackTraceInformation->ReturnAddresses[i]);
        }
    }
    return 0;
}

// Prints its own return address so it can be matched against the captured trace.
char *allocme() {
    printf("%p\n", _ReturnAddress());
    return (char *)malloc(ALLOCSIZ);
}

int main(void) {
    char *foo = allocme();
    if (foo) {
        // Keep the block alive (it is never freed) and reuse it to hold the export name.
        memcpy(foo, "VerifierEnumerateResource\0", 26);
        HMODULE hMod = LoadLibraryA("verifier.dll");
        if (hMod == NULL) { return 0; }
        VerifierEnumResource VerEnuRes;
        if ((*(FARPROC *)&VerEnuRes = GetProcAddress(hMod, foo)) == NULL) {
            return 0;
        }
        HANDLE hProcess = GetCurrentProcess();
        VerEnuRes(hProcess, 0, AvrfResourceHeapAllocation,
            (AVRF_RESOURCE_ENUMERATE_CALLBACK)HeapAllocCallback, NULL);
    }
    return getchar();
}

Result of execution:

:>ls
dbstk.cpp

:>cl /nologo /Zi /W4 /analyze /Od dbstk.cpp /link /nologo /release
dbstk.cpp

:>gflags /i dbstk.exe +ust +hpa
Current Registry Settings for dbstk.exe executable are: 02001000
    ust - Create user mode stack trace database
    hpa - Enable page heap
:>dbstk.exe
008710CB <<<<<<<<<<<<<<<<<<<<<<<<<< 
Index=0 Depth=b
10c38e89
77105ede
770ca40a
77095ae0
890e7d
8710ae
8710cb <<<<<<<<<<<<<<<<<<<<<<<<<<<
871390
76c4ed6c
770a37eb
770a37be
blabb