
Source Code for Module vtrace.tools.win32alloc

 1  ''' 
 2  A module with some cute toys for monitoring allocations. 
 3  ''' 
 4   
 5  import vtrace 
 6   
 7  import envi.archs.i386 as e_i386 
 8   
class ReturnBreak(vtrace.Breakpoint):
    '''
    Breakpoint for the address an allocator call returns to.

    Each hit appends one (address, EAX, size, flags) record to the
    trace's 'HeapAllocs' metadata list and resumes the target.  The
    size and flags are the values handed to the constructor; this
    class never refreshes them itself, so they are only as current as
    whoever created (or last updated) the breakpoint.
    '''

    def __init__(self, addr, chsize, chflags):
        '''
        addr    - address to break on (the caller's return address)
        chsize  - requested chunk size captured at allocator entry
        chflags - allocation flags captured at allocator entry
        '''
        vtrace.Breakpoint.__init__(self, addr)
        self._chflags = chflags
        self._chsize = chsize
        # NOTE(review): fastbreak is a vtrace.Breakpoint attribute; presumably
        # it lets the tracer service the hit without a full stop -- confirm.
        self.fastbreak = True

    def notify(self, event, trace):
        '''
        Log the allocation result and let the target keep running.
        '''
        # On i386 the function result comes back in EAX, so this is the
        # chunk pointer (a zero here would mean the allocation failed).
        chunk = trace.getRegister(e_i386.REG_EAX)
        record = (self.address, chunk, self._chsize, self._chflags)
        # getMeta() is called without a default: the 'HeapAllocs' list
        # has to exist already (clearHeapAllocs creates it).
        trace.getMeta('HeapAllocs').append(record)
        trace.runAgain()

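class RtlAllocateHeapBreak(vtrace.Breakpoint):
    '''
    Breakpoint for the entry of ntdll.RtlAllocateHeap.

    On every hit it reads the return address and the three arguments
    from the stack, makes sure a ReturnBreak sits on the return address
    with the size/flags of *this* call, and resumes the target.
    '''

    def __init__(self, addr):
        '''
        addr - address of RtlAllocateHeap in the traced process
        '''
        vtrace.Breakpoint.__init__(self, addr)
        self.fastbreak = True

    def notify(self, event, trace):
        '''
        Arm (or refresh) the return-address breakpoint for this call.
        '''
        sp = trace.getStackCounter()
        # Four pointer-sized values at the stack pointer: the return
        # address followed by the arguments.  This is the 32-bit stdcall
        # layout; on x64 the arguments travel in registers, so this
        # module only makes sense for i386 targets (ReturnBreak also
        # reads EAX).
        (saved_eip, heap, flags, size) = trace.readMemoryFormat(sp, '<4P')

        existing = trace.getBreakpointByAddr(saved_eip)
        if existing is None:
            trace.addBreakpoint(ReturnBreak(saved_eip, size, flags))
        elif isinstance(existing, ReturnBreak):
            # The same call site allocates again.  Without this refresh
            # the breakpoint would keep logging the size and flags of the
            # first call it ever saw, and the allocation log would be
            # wrong for every later allocation from this caller.
            existing._chsize = size
            existing._chflags = flags
        # Any other kind of breakpoint already on the return address is
        # left alone; that allocation is then not logged.
        # NOTE(review): with several threads allocating through one call
        # site, or a recursive call, the refreshed values can still be
        # paired with the wrong return -- treat the log as best effort.

        trace.runAgain()
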
def watchHeapAllocs(trace):
    '''
    Start logging heap allocations made by the traced process.

    Resets the 'HeapAllocs' log, resolves ntdll.RtlAllocateHeap in the
    target and puts an RtlAllocateHeapBreak on it, so that each
    allocation and the address that requested it get recorded.
    '''
    clearHeapAllocs(trace)
    entry = trace.parseExpression('ntdll.RtlAllocateHeap')
    trace.addBreakpoint(RtlAllocateHeapBreak(entry))

def clearHeapAllocs(trace):
    '''
    Reset the allocation log: store a fresh empty list under the
    'HeapAllocs' metadata key of the trace.
    '''
    empty_log = []
    trace.setMeta('HeapAllocs', empty_log)

def getHeapAllocs(trace):
    '''
    Return the allocation log of the trace: a list of
    (caller_eip, heap_chunk, size, flags) tuples, where caller_eip is
    the address the allocator returned to.  An empty list is returned
    when nothing has been stored under 'HeapAllocs'.
    '''
    recorded = trace.getMeta('HeapAllocs', [])
    return recorded