1. 必须在命令行中设置为要分析的进程打开用户堆栈信息:C:\Program Files\Debugging Tools for Windows (x64)>gflags.exe -i YourDebugProcess.exe +ust
2. 必须是Debug版本的进程
3. 设置好windbg的pdb路径,即symbol path
4. 利用windbg的AttachToProcess (貌似后面这个方案不行:在目标机器上产生转储文件(dump)然后用windbg分析)。
5. 利用!heap命令
示例:
0:032> !heap -s
NtGlobalFlag enables following debugging aids for new heaps:
stack back traces
LFH Key : 0x00000052389f3a7e
Termination on corruption : ENABLED
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap
-------------------------------------------------------------------------------------
0000000001b40000 08000002 1024 828 1024 19 20 1 0 0 LFH
0000000000010000 08008000 64 8 64 5 1 1 0 0
0000000000020000 08008000 64 64 64 61 1 1 0 0
0000000001d30000 08001002 1088 308 1088 18 2 2 0 0 LFH
00000000036b0000 08001002 512 288 512 7 9 1 0 0 LFH
0000000001c60000 08001002 355456 338872 355456 7750 140 26 0 0 LFH
0000000003e40000 08001002 512 260 512 7 2 1 0 0 LFH
0000000003f80000 08001002 64 8 64 3 1 1 0 0
0000000004040000 08001002 64 8 64 3 1 1 0 0
00000000048c0000 08011002 512 8 512 3 2 1 0 0
00000000049e0000 08001002 512 8 512 3 2 1 0 0
0000000004850000 08001002 3136 2192 3136 403 6 3 0 0 LFH
External fragmentation 18 % (6 free blocks)
0000000006d30000 08001002 1088 288 1088 5 2 2 0 0 LFH
00000000049a0000 08001002 1088 544 1088 265 4 2 0 0 LFH
00000000048a0000 08001002 1088 288 1088 9 3 2 0 0 LFH
00000000079d0000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000007b30000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000004c10000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000008820000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000008d80000 08001002 1088 288 1088 13 3 2 0 0 LFH
0000000004c00000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000006ce0000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000004940000 08001002 1088 288 1088 9 3 2 0 0 LFH
000000000a510000 08001002 1088 288 1088 9 3 2 0 0 LFH
000000000a780000 08001002 1088 292 1088 12 4 2 0 0 LFH
0000000008d70000 08001002 1088 256 1088 8 3 2 0 0 LFH
000000000b1a0000 08001002 512 8 512 2 1 1 0 0
-------------------------------------------------------------------------------------
0:032> !heap -stat -h 0000000001c60000
heap @ 0000000001c60000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
261 - 13087bb4 (96.84)
8c 3579 - 1d3e2c (0.58)
44 4a8a - 13cca8 (0.39)
5c 35c9 - 13543c (0.38)
12c d0b - f48e4 (0.30)
54 2a65 - de924 (0.28)
4c 2c7f - d35b4 (0.26)
6c e53 - 60b04 (0.12)
1825c 3 - 48714 (0.09)
8034 8 - 401a0 (0.08)
2003e 2 - 4007c (0.08)
834 64 - 33450 (0.06)
64 815 - 32834 (0.06)
74 5a0 - 28c80 (0.05)
4034 9 - 241d4 (0.04)
84 273 - 1434c (0.03)
402c 4 - 100b0 (0.02)
10034 1 - 10034 (0.02)
1035 f - f31b (0.02)
94 185 - e0e4 (0.02)
0:032> !heap -flt s 80034
_HEAP @ 1b40000
_HEAP @ 10000
_HEAP @ 20000
_HEAP @ 1d30000
_HEAP @ 36b0000
_HEAP @ 1c60000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
00000000102e5a40 8006 0000 [00] 00000000102e5a70 80034 - (busy)
0000000010365aa0 8006 8006 [00] 0000000010365ad0 80034 - (busy)
0000000010402210 8006 8006 [00] 0000000010402240 80034 - (busy)
0000000010482270 8006 8006 [00] 00000000104822a0 80034 - (busy)
00000000105022d0 8006 8006 [00] 0000000010502300 80034 - (busy)
00000000105e9630 8006 8006 [00] 00000000105e9660 80034 - (busy)
NtGlobalFlag enables following debugging aids for new heaps:
stack back traces
LFH Key : 0x00000052389f3a7e
Termination on corruption : ENABLED
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap
-------------------------------------------------------------------------------------
0000000001b40000 08000002 1024 828 1024 19 20 1 0 0 LFH
0000000000010000 08008000 64 8 64 5 1 1 0 0
0000000000020000 08008000 64 64 64 61 1 1 0 0
0000000001d30000 08001002 1088 308 1088 18 2 2 0 0 LFH
00000000036b0000 08001002 512 288 512 7 9 1 0 0 LFH
0000000001c60000 08001002 355456 338872 355456 7750 140 26 0 0 LFH
0000000003e40000 08001002 512 260 512 7 2 1 0 0 LFH
0000000003f80000 08001002 64 8 64 3 1 1 0 0
0000000004040000 08001002 64 8 64 3 1 1 0 0
00000000048c0000 08011002 512 8 512 3 2 1 0 0
00000000049e0000 08001002 512 8 512 3 2 1 0 0
0000000004850000 08001002 3136 2192 3136 403 6 3 0 0 LFH
External fragmentation 18 % (6 free blocks)
0000000006d30000 08001002 1088 288 1088 5 2 2 0 0 LFH
00000000049a0000 08001002 1088 544 1088 265 4 2 0 0 LFH
00000000048a0000 08001002 1088 288 1088 9 3 2 0 0 LFH
00000000079d0000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000007b30000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000004c10000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000008820000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000008d80000 08001002 1088 288 1088 13 3 2 0 0 LFH
0000000004c00000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000006ce0000 08001002 1088 288 1088 9 3 2 0 0 LFH
0000000004940000 08001002 1088 288 1088 9 3 2 0 0 LFH
000000000a510000 08001002 1088 288 1088 9 3 2 0 0 LFH
000000000a780000 08001002 1088 292 1088 12 4 2 0 0 LFH
0000000008d70000 08001002 1088 256 1088 8 3 2 0 0 LFH
000000000b1a0000 08001002 512 8 512 2 1 1 0 0
-------------------------------------------------------------------------------------
0:032> !heap -stat -h 0000000001c60000
heap @ 0000000001c60000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
261 - 13087bb4 (96.84)
8c 3579 - 1d3e2c (0.58)
44 4a8a - 13cca8 (0.39)
5c 35c9 - 13543c (0.38)
12c d0b - f48e4 (0.30)
54 2a65 - de924 (0.28)
4c 2c7f - d35b4 (0.26)
6c e53 - 60b04 (0.12)
1825c 3 - 48714 (0.09)
8034 8 - 401a0 (0.08)
2003e 2 - 4007c (0.08)
834 64 - 33450 (0.06)
64 815 - 32834 (0.06)
74 5a0 - 28c80 (0.05)
4034 9 - 241d4 (0.04)
84 273 - 1434c (0.03)
402c 4 - 100b0 (0.02)
10034 1 - 10034 (0.02)
1035 f - f31b (0.02)
94 185 - e0e4 (0.02)
0:032> !heap -flt s 80034
_HEAP @ 1b40000
_HEAP @ 10000
_HEAP @ 20000
_HEAP @ 1d30000
_HEAP @ 36b0000
_HEAP @ 1c60000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
00000000102e5a40 8006 0000 [00] 00000000102e5a70 80034 - (busy)
0000000010365aa0 8006 8006 [00] 0000000010365ad0 80034 - (busy)
0000000010402210 8006 8006 [00] 0000000010402240 80034 - (busy)
0000000010482270 8006 8006 [00] 00000000104822a0 80034 - (busy)
00000000105022d0 8006 8006 [00] 0000000010502300 80034 - (busy)
00000000105e9630 8006 8006 [00] 00000000105e9660 80034 - (busy)
...............
00000000250306d0 8006 8006 [00] 0000000025030700 80034 - (busy)
00000000250b0730 8006 8006 [00] 00000000250b0760 80034 - (busy)
0000000025130790 8006 8006 [00] 00000000251307c0 80034 - (busy)
00000000251b07f0 8006 8006 [00] 00000000251b0820 80034 - (busy)
0000000025230850 8006 8006 [00] 0000000025230880 80034 - (busy)
00000000252b08b0 8006 8006 [00] 00000000252b08e0 80034 - (busy)
0000000025330910 8006 8006 [00] 0000000025330940 80034 - (busy)
00000000253b0970 8006 8006 [00] 00000000253b09a0 80034 - (busy)
00000000254309d0 8006 8006 [00] 0000000025430a00 80034 - (busy)
00000000254b0a30 8006 8006 [00] 00000000254b0a60 80034 - (busy)
0000000025530a90 8006 8006 [00] 0000000025530ac0 80034 - (busy)
00000000255b0af0 8006 8006 [00] 00000000255b0b20 80034 - (busy)
0000000025630b50 8006 8006 [00] 0000000025630b80 80034 - (busy)
00000000256b0bb0 8006 8006 [00] 00000000256b0be0 80034 - (busy)
0000000025780070 8006 8006 [00] 00000000257800a0 80034 - (busy)
00000000258000d0 8006 8006 [00] 0000000025800100 80034 - (busy)
_HEAP @ 3e40000
_HEAP @ 3f80000
_HEAP @ 4040000
_HEAP @ 48c0000
_HEAP @ 49e0000
_HEAP @ 4850000
_HEAP @ 6d30000
_HEAP @ 49a0000
_HEAP @ 48a0000
_HEAP @ 79d0000
_HEAP @ 7b30000
_HEAP @ 4c10000
_HEAP @ 8820000
_HEAP @ 8d80000
_HEAP @ 4c00000
_HEAP @ 6ce0000
_HEAP @ 4940000
_HEAP @ a510000
_HEAP @ a780000
_HEAP @ 8d70000
_HEAP @ b1a0000
0:032> !heap -p -a 0000000025030700
address 0000000025030700 found in
_HEAP @ 1c60000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
00000000250306d0 8006 0000 [00] 0000000025030700 80034 - (busy)
76efcc0d ntdll! ?? ::FNODOBFM::`string'+0x000000000001913b
fbaf4fd MSVCR100D!heap_alloc_base+0x000000000000005d
fbc1efd MSVCR100D!nh_malloc_dbg+0x00000000000003bd
fbc1c09 MSVCR100D!nh_malloc_dbg+0x00000000000000c9
fbc1b89 MSVCR100D!nh_malloc_dbg+0x0000000000000049
fbc617a MSVCR100D!malloc+0x000000000000002a
*** WARNING: Unable to verify checksum for D:\XXXXXXXXXX\XXXXXXXXXXXXXXX.dll
7febb5c37e1 XXXXXXXXX!XXXXXX::XXXXXXXXXXX::TransformPixelData+0x00000000000009a1
X 7febb5dca4c XXXXXXXXXXXXXXXXX!XXXXXXXXX::LogicProcess::UpdatePixelDataByPSR+0x000000000000017c
7febb5e07f5 XXXXXXXXXX!XXXXXXXXX::LogicProcess::RenderToOverlay+0x0000000000000055
7febb5df0b2 XXXXXXXXXXXXXX!XXXXXXXXXXXX::LogicProcess::ExportBySpecifiedMode+0x00000000000005b2
7feb800918f XXXXXXXXXXX!XXXXXXXXX::XXXXXXXXXXXXXXXXXX::ExportGSPSInfoBySpecifiedMode+0x0000000000000daf
7feb808fb89 XXXXXXXXXX!XXXXXXX::XXXXXXXXXX::storeSCU+0x0000000000000c29
7feb808e628 XXXXXXXXXXXX!XXXXXXXXXX::XXXXXXXXXX::DoRealStore+0x0000000000000438
7feb80a763a XXXXXXXXXXXXX!boost::_bi::list0::operator()<void (__cdecl*)(void),boost::_bi::list0>+0x000000000000003a
7feb80a75c1 XXXXXXXXXXXXX!boost::_bi::bind_t<void,void (__cdecl*)(void),boost::_bi::list0>::operator()+0x0000000000000061
7feb80a753f XXXXXXXXXXXXXXXX!boost::detail::thread_data<boost::_bi::bind_t<void,void (__cdecl*)(void),boost::_bi::list0> >::run+0x000000000000002f
7feb82ef7a7 XXXXXXXXXXXX!boost::`anonymous namespace'::thread_start_function+0x0000000000000037
fab72e5 MSVCR100D!beginthreadex+0x00000000000002d5
fab72a4 MSVCR100D!beginthreadex+0x0000000000000294
76d5652d kernel32!BaseThreadInitThunk+0x000000000000000d
76e8c521 ntdll!RtlUserThreadStart+0x000000000000001d
00000000250b0730 8006 8006 [00] 00000000250b0760 80034 - (busy)
0000000025130790 8006 8006 [00] 00000000251307c0 80034 - (busy)
00000000251b07f0 8006 8006 [00] 00000000251b0820 80034 - (busy)
0000000025230850 8006 8006 [00] 0000000025230880 80034 - (busy)
00000000252b08b0 8006 8006 [00] 00000000252b08e0 80034 - (busy)
0000000025330910 8006 8006 [00] 0000000025330940 80034 - (busy)
00000000253b0970 8006 8006 [00] 00000000253b09a0 80034 - (busy)
00000000254309d0 8006 8006 [00] 0000000025430a00 80034 - (busy)
00000000254b0a30 8006 8006 [00] 00000000254b0a60 80034 - (busy)
0000000025530a90 8006 8006 [00] 0000000025530ac0 80034 - (busy)
00000000255b0af0 8006 8006 [00] 00000000255b0b20 80034 - (busy)
0000000025630b50 8006 8006 [00] 0000000025630b80 80034 - (busy)
00000000256b0bb0 8006 8006 [00] 00000000256b0be0 80034 - (busy)
0000000025780070 8006 8006 [00] 00000000257800a0 80034 - (busy)
00000000258000d0 8006 8006 [00] 0000000025800100 80034 - (busy)
_HEAP @ 3e40000
_HEAP @ 3f80000
_HEAP @ 4040000
_HEAP @ 48c0000
_HEAP @ 49e0000
_HEAP @ 4850000
_HEAP @ 6d30000
_HEAP @ 49a0000
_HEAP @ 48a0000
_HEAP @ 79d0000
_HEAP @ 7b30000
_HEAP @ 4c10000
_HEAP @ 8820000
_HEAP @ 8d80000
_HEAP @ 4c00000
_HEAP @ 6ce0000
_HEAP @ 4940000
_HEAP @ a510000
_HEAP @ a780000
_HEAP @ 8d70000
_HEAP @ b1a0000
0:032> !heap -p -a 0000000025030700
address 0000000025030700 found in
_HEAP @ 1c60000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
00000000250306d0 8006 0000 [00] 0000000025030700 80034 - (busy)
76efcc0d ntdll! ?? ::FNODOBFM::`string'+0x000000000001913b
fbaf4fd MSVCR100D!heap_alloc_base+0x000000000000005d
fbc1efd MSVCR100D!nh_malloc_dbg+0x00000000000003bd
fbc1c09 MSVCR100D!nh_malloc_dbg+0x00000000000000c9
fbc1b89 MSVCR100D!nh_malloc_dbg+0x0000000000000049
fbc617a MSVCR100D!malloc+0x000000000000002a
*** WARNING: Unable to verify checksum for D:\XXXXXXXXXX\XXXXXXXXXXXXXXX.dll
7febb5c37e1 XXXXXXXXX!XXXXXX::XXXXXXXXXXX::TransformPixelData+0x00000000000009a1
X 7febb5dca4c XXXXXXXXXXXXXXXXX!XXXXXXXXX::LogicProcess::UpdatePixelDataByPSR+0x000000000000017c
7febb5e07f5 XXXXXXXXXX!XXXXXXXXX::LogicProcess::RenderToOverlay+0x0000000000000055
7febb5df0b2 XXXXXXXXXXXXXX!XXXXXXXXXXXX::LogicProcess::ExportBySpecifiedMode+0x00000000000005b2
7feb800918f XXXXXXXXXXX!XXXXXXXXX::XXXXXXXXXXXXXXXXXX::ExportGSPSInfoBySpecifiedMode+0x0000000000000daf
7feb808fb89 XXXXXXXXXX!XXXXXXX::XXXXXXXXXX::storeSCU+0x0000000000000c29
7feb808e628 XXXXXXXXXXXX!XXXXXXXXXX::XXXXXXXXXX::DoRealStore+0x0000000000000438
7feb80a763a XXXXXXXXXXXXX!boost::_bi::list0::operator()<void (__cdecl*)(void),boost::_bi::list0>+0x000000000000003a
7feb80a75c1 XXXXXXXXXXXXX!boost::_bi::bind_t<void,void (__cdecl*)(void),boost::_bi::list0>::operator()+0x0000000000000061
7feb80a753f XXXXXXXXXXXXXXXX!boost::detail::thread_data<boost::_bi::bind_t<void,void (__cdecl*)(void),boost::_bi::list0> >::run+0x000000000000002f
7feb82ef7a7 XXXXXXXXXXXX!boost::`anonymous namespace'::thread_start_function+0x0000000000000037
fab72e5 MSVCR100D!beginthreadex+0x00000000000002d5
fab72a4 MSVCR100D!beginthreadex+0x0000000000000294
76d5652d kernel32!BaseThreadInitThunk+0x000000000000000d
76e8c521 ntdll!RtlUserThreadStart+0x000000000000001d