malloc requests 32 bytes and "ZwAllocateVirtualMemory" allocates 16 MB. Can that be possible?

  Question

    1)

    0:000> u ntdll!NtAllocateVirtualMemory

    ntdll!ZwAllocateVirtualMemory:
    77905318 b813000000      mov     eax,13h
    7790531d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
    77905322 ff12            call    dword ptr [edx]
    77905324 c21800          ret     18h    <- whatever address is given here, copy and paste it into the following command.
    77905327 90              nop
    ntdll!ZwAlpcAcceptConnectPort:
    77905328 b814000000      mov     eax,14h
    7790532d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
    77905332 ff12            call    dword ptr [edx]

    2)

    bp 77905324

    3)

    bp 77905324 "j (poi(poi[ESP+0x10]) > f00000)  '.echotime;~.;kv;.echo Address;dc poi[ESP+0x8] l1;.echo Return Size; dc poi[ESP+0x10] l1;.echo Request Size;dc [ESP+0x1c] l1;"

    Here f00000 is 15 MB.                    <- I am requesting that if "NtAllocateVirtualMemory" gets a request to allocate more than 15 MB, then dump a call stack.

    I am getting many such call stacks, but when I observe that malloc is requesting very few bytes, then why is "NtAllocateVirtualMemory" giving such a much larger amount of bytes? Is the above command correct? If the command is correct, then why is "NtAllocateVirtualMemory" giving such a huge amount of memory? To validate how many bytes are actually allocated by "NtAllocateVirtualMemory", I followed the commands below.

    4) kM   (capital M)     or  kb

    If it gives our code's call stack, then you can go to step 5; otherwise keep pressing F5 in the debugger.

    5) For example, if you got the code's call stack (I took my sample application's call stack below):

    # ChildEBP RetAddr  Args to Child
    00 3f88a7f0 7791f1f8 00fd0000 00020000 481862f7 ntdll!ZwAllocateVirtualMemory+0xc              <- Press on "00" on the first line, then go to the 6th point.
    01 3f88a8d0 77915ae0 0001fff8 00020000 003500c4 ntdll!RtlAppendUnicodeToString+0x326
    02 3f88a954 77924998 00350000 00800000 0001fff8 ntdll!wcsnicmp+0x1e4
    03 3f88a9a0 779242d1 00000070 48186017 58fa7b00 ntdll!RtlGetCurrentTransaction+0xe3
    04 3f88aa30 77912e82 58fa7b00 00000064 3f88ab80 ntdll!RtlQueryInformationActivationContext+0x40a
    05 3f88aaa4 5b1a81eb 00350000 00000000 00000064 ntdll!RtlAllocateHeap+0xac
    06 3f88aabc 540c9089 00000064 3f88aad4 53fb8ddd ucrtbase!malloc+0x2b                            <- Requesting 100 bytes (64 in hex)

    0:000> ~~[28f8]s;.frame 0n0;dv /t /v
    eax=00000000 ebx=07f30000 ecx=754e0000 edx=0008e3c8 esi=088d2fe8 edi=00000000
    eip=77c7fae5 esp=0018f7ec ebp=0018f80c iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!ZwAllocateVirtualMemory+0x15:
    77c7fae5 c21800          ret     18h
    00 0018f7e8 74ff66f0 ntdll!ZwAllocateVirtualMemory+0x15
    Unable to enumerate locals, HRESULT 0x80004005
    Private symbols (symbols.pri) are required for locals.
    Type ".hh dbgerr005" for details.

    6) Now apply the following command to get the exact arguments of "ZwAllocateVirtualMemory":

    0:000> ~~[28f8]s;.frame 0n0;dd ESP L6
    eax=00000000 ebx=07f30000 ecx=754e0000 edx=0008e3c8 esi=088d2fe8 edi=00000000
    eip=77c7fae5 esp=0018f7ec ebp=0018f80c iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!ZwAllocateVirtualMemory+0x15:
    77c7fae5 c21800          ret     18h
    00 0018f7e8 74ff66f0 ntdll!ZwAllocateVirtualMemory+0x15
    0018f7ec  74ff66f0 ffffffff 0018f9a4 00000000     <- these are the 6 arguments of the "ZwAllocateVirtualMemory" function, of which the 4th parameter gives the actual size as output.
    0018f7fc  0018f9a8 00001000

    7)

    0:000> ? (poi(poi(0018f7fc)))
    Evaluate expression: 4096 = 00001000  <- which is 4 KB (that is fine for a 17-byte malloc request).

    This is how I verified it: I wrote a sample application which requested 17 bytes, 16 KB and 16 MB respectively. In response the heap manager allocated 4096 bytes, 20480 bytes and 16842752 bytes.

    If "NtAllocateVirtualMemory" is allocating within some capping limit, then why is the command listed in point 3 giving me all the call stacks that allocated more than 15 MB?

    Either my above analysis is wrong, OR the command listed in point number 3 is wrong?

    Any help will be appreciated.

    Friday, December 9, 2016 5:56 PM
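Added example, not part of the original post: a small Python script that does offline what steps 6 and 7 do interactively in WinDbg, and that checks the three measurements from the verification paragraph (17 bytes, 16 KB, 16 MB) against a simple size model. It parses a `dd ESP L6` listing taken at the `ret` of ZwAllocateVirtualMemory, names the stack slots (return address, then ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect), reads the in/out RegionSize through a constructed memory table standing in for `poi()`, and applies the same "> 15 MB" filter the point-3 breakpoint uses. The memory contents, the 8-byte heap-entry overhead, the 0xFE00 large-block threshold, and the 4 KB / 64 KB rounding are assumptions of this example, chosen because they reproduce the numbers the post reports; they are not taken from the debugger session above.

```python
import re

# Assumed model parameters (not from the post): 32-bit NT heap.
PAGE = 0x1000               # x86 page size: small heap growth is committed page by page
ALLOC_GRANULARITY = 0x10000 # 64 KB VirtualAlloc granularity for large, stand-alone blocks
HEAP_ENTRY = 8              # assumed per-block heap header
VA_THRESHOLD = 0xFE00       # assumed: requests above this bypass the heap segment

# Argument order of NtAllocateVirtualMemory on the stack, after the return address.
NT_ALLOC_ARGS = ["ProcessHandle", "BaseAddress", "ZeroBits",
                 "RegionSize", "AllocationType", "Protect"]

# Constructed sample: the "dd ESP L6" lines from step 6 of the post.
SAMPLE_DD = """\
0018f7ec  74ff66f0 ffffffff 0018f9a4 00000000
0018f7fc  0018f9a8 00001000
"""

# Constructed memory contents, what poi() would read at the two pointer arguments.
# 0x0018f9a8 holds the RegionSize the kernel wrote back (4096, as in step 7);
# 0x0018f9a4 holds a placeholder base address.
SAMPLE_MEMORY = {0x0018f9a4: 0x00fd0000, 0x0018f9a8: 0x00001000}


def parse_dd(text):
    """Return the dwords of a WinDbg 'dd' listing in address order."""
    words = []
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$", line)
        if m:
            words.extend(int(w, 16) for w in m.group(2).split())
    return words


def decode_nt_allocate_frame(dwords, memory):
    """At the 'ret', dwords[0] is the return address; the arguments follow it."""
    args = dict(zip(NT_ALLOC_ARGS, dwords[1:]))
    args["ReturnAddress"] = dwords[0]
    # RegionSize and BaseAddress are pointers; after the call they hold the
    # size actually allocated and the base actually chosen (poi(poi(ESP+0x10))).
    args["ActualSize"] = memory.get(args.get("RegionSize"))
    args["ActualBase"] = memory.get(args.get("BaseAddress"))
    return args


def exceeds(args, limit=0xF00000):
    """Same test as the conditional breakpoint in point 3: actual size > 15 MB."""
    return args["ActualSize"] is not None and args["ActualSize"] > limit


def round_up(n, granularity):
    return (n + granularity - 1) // granularity * granularity


def model_commit_size(request):
    """Assumed model of what the heap asks the kernel for on a malloc(request)."""
    needed = request + HEAP_ENTRY
    if needed > VA_THRESHOLD:
        return round_up(needed, ALLOC_GRANULARITY)  # separate VirtualAlloc block
    return round_up(needed, PAGE)                   # grow the heap segment by pages


if __name__ == "__main__":
    frame = decode_nt_allocate_frame(parse_dd(SAMPLE_DD), SAMPLE_MEMORY)
    for name in ["ReturnAddress"] + NT_ALLOC_ARGS[:5] + ["ActualSize"]:
        print(f"{name:15s} {frame[name]:#010x}")
    print("over 15 MB:", exceeds(frame))
    for req in (17, 32, 16 * 1024, 16 * 1024 * 1024):
        print(f"malloc({req}) -> model commits {model_commit_size(req)} bytes")
```

The model reproduces the post's three observations (4096, 20480 and 16842752 bytes) without claiming to be the heap's real algorithm: it only shows that page rounding for small requests and 64 KB rounding for large stand-alone blocks are enough to explain them, which is why a tiny malloc can still show up as a 4 KB NtAllocateVirtualMemory and why the filter in point 3 should only fire for requests that really are large.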

All replies