Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions
On Tue, Dec 15, 2015 at 2:00 PM, Vincent Torri wrote:
> On Tue, Dec 15, 2015 at 12:05 PM, Jacek Caban wrote:
>> Hi Vincent,
>>
>> On 12/15/15 7:20 AM, Vincent Torri wrote:
>>> Hello
>>>
>>> I am still working on Examine, my small valgrind-like memory leak
>>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>>
>>> First, I recall that it works by doing DLL injection with
>>> CreateRemoteThread, and API hooking by patching the IAT.
>>>
>>> So Examine is working well, now, but I have 2 questions, about
>>> _strdup() and malloc() :
>>>
>>> 1) If I call malloc() in a program, it is detected by Examine. If I
>>> call _strdup(), malloc is not detected at all, while MSDN says that
>>> _strdup() "calls malloc to allocate storage space" (see
>>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>>> have an idea why malloc() is not caught ?
>>
>> Both malloc and _strdup live in the same DLL (like msvcrt.dll or any
>> other msvcr*.dll version), so calls from _strdup to malloc don't use
>> import table, it's a direct call. You could have more luck by hot
>> patching malloc function itself, but I don't think it's the right solution.
>>
>> You may have more luck patching HeapAlloc (or even RtlAllocateHeap)
>> instead. At least in Wine, malloc ends up calling it.
>
> I've already patched HeapAlloc(), but malloc is already patched. I'll
> try to remove malloc() hook.

No luck. I have removed all the hooks except HeapAlloc. If I test
Examine with a program with only 1 malloc(), malloc is not detected.

Vincent Torri

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions
On Tue, Dec 15, 2015 at 8:54 AM, LRN wrote:
> On 15.12.2015 9:20, Vincent Torri wrote:
>> Hello
>>
>> I am still working on Examine, my small valgrind-like memory leak
>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>
>> First, I recall that it works by doing DLL injection with
>> CreateRemoteThread, and API hooking by patching the IAT.
>>
>> So Examine is working well, now, but I have 2 questions, about
>> _strdup() and malloc() :
>>
>> 1) If I call malloc() in a program, it is detected by Examine. If I
>> call _strdup(), malloc is not detected at all, while MSDN says that
>> _strdup() "calls malloc to allocate storage space" (see
>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>> have an idea why malloc() is not caught ?
>>
>> 2) So to fix 1), I've just patched the IAT to detect _strdup() (but
>> I'm not satisfied with this). Now if I call strdup(), _strdup() is not
>> detected. I thought first that strdup() was a macro, but it is
>> actually declared in string.h. Does someone know why strdup() is not
>> caught too ?
>
> One possibility is the strdup builtin that gcc has. Though I'm not sure
> what exactly it does, aside from checking for argument not being a NULL
> pointer.

I'll check that, thank you

Vincent
Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions
Hi Vincent,

On 12/15/15 7:20 AM, Vincent Torri wrote:
> Hello
>
> I am still working on Examine, my small valgrind-like memory leak
> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>
> First, I recall that it works by doing DLL injection with
> CreateRemoteThread, and API hooking by patching the IAT.
>
> So Examine is working well, now, but I have 2 questions, about
> _strdup() and malloc() :
>
> 1) If I call malloc() in a program, it is detected by Examine. If I
> call _strdup(), malloc is not detected at all, while MSDN says that
> _strdup() "calls malloc to allocate storage space" (see
> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
> have an idea why malloc() is not caught ?

Both malloc and _strdup live in the same DLL (like msvcrt.dll or any
other msvcr*.dll version), so calls from _strdup to malloc don't use
import table, it's a direct call. You could have more luck by hot
patching malloc function itself, but I don't think it's the right solution.

You may have more luck patching HeapAlloc (or even RtlAllocateHeap)
instead. At least in Wine, malloc ends up calling it.

Cheers,
Jacek
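The direct-call explanation in the message above, as an added toy model in portable C; it is not code from the thread or from Examine. The names heap_alloc, crt_*, app_iat_* and allocations_seen are made up for the illustration, and the model goes slightly beyond the thread by also showing that a patched slot only sees calls made through the table it lives in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, constructed for illustration (portable C, not Windows code).
 * Each "module" reaches other modules only through its own slots, like an IAT. */
typedef void *(*alloc_fn)(size_t);
typedef char *(*strdup_fn)(const char *);

/* "heap" module: stands in for HeapAlloc / RtlAllocateHeap. */
static void *heap_alloc(size_t n) { return malloc(n); }

/* "crt" module: one import slot, two exports. */
static alloc_fn crt_iat_heap_alloc = heap_alloc;
static void *crt_malloc(size_t n) { return crt_iat_heap_alloc(n); }
static char *crt_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = crt_malloc(n);   /* direct call inside the module: no slot */
    if (p) memcpy(p, s, n);
    return p;
}

/* "app" module: its own import slots. */
static alloc_fn  app_iat_malloc     = crt_malloc;
static strdup_fn app_iat_strdup     = crt_strdup;
static alloc_fn  app_iat_heap_alloc = heap_alloc;  /* imported, never called */

static int hits;
static void *hook_malloc(size_t n)     { hits++; return crt_malloc(n); }
static void *hook_heap_alloc(size_t n) { hits++; return heap_alloc(n); }
enum hook_site { APP_MALLOC, APP_HEAPALLOC, CRT_HEAPALLOC };

/* Patch one slot, run one malloc and one strdup from the app, count hook hits. */
int allocations_seen(enum hook_site site) {
    hits = 0;
    app_iat_malloc = crt_malloc;          /* restore every slot first */
    app_iat_heap_alloc = heap_alloc;
    crt_iat_heap_alloc = heap_alloc;
    if (site == APP_MALLOC)    app_iat_malloc = hook_malloc;
    if (site == APP_HEAPALLOC) app_iat_heap_alloc = hook_heap_alloc;
    if (site == CRT_HEAPALLOC) crt_iat_heap_alloc = hook_heap_alloc;
    free(app_iat_malloc(16));
    free(app_iat_strdup("examine"));
    return hits;
}

int main(void) {
    printf("%d %d %d\n", allocations_seen(APP_MALLOC),
           allocations_seen(APP_HEAPALLOC), allocations_seen(CRT_HEAPALLOC));
    return 0;
}
```

In the model, only the hook placed in the crt module's own slot observes both allocations; the app-side malloc hook misses the one made inside crt_strdup.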
Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions
On 15.12.2015 14:05, Jacek Caban wrote:
> Hi Vincent,
>
> On 12/15/15 7:20 AM, Vincent Torri wrote:
>> Hello
>>
>> I am still working on Examine, my small valgrind-like memory leak
>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>
>> First, I recall that it works by doing DLL injection with
>> CreateRemoteThread, and API hooking by patching the IAT.
>>
>> So Examine is working well, now, but I have 2 questions, about
>> _strdup() and malloc() :
>>
>> 1) If I call malloc() in a program, it is detected by Examine. If I
>> call _strdup(), malloc is not detected at all, while MSDN says that
>> _strdup() "calls malloc to allocate storage space" (see
>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>> have an idea why malloc() is not caught ?
>
> You could have more luck by hot
> patching malloc function itself, but I don't think it's the right solution.

AFAIK, gcc sanitizer does exactly that. Except that it was not ported to
W32/gcc (it works only on POSIX/gcc or W32/MSVC).

--
O< ascii ribbon - stop html email! - www.asciiribbon.org
Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions
On Tue, Dec 15, 2015 at 12:05 PM, Jacek Caban wrote:
> Hi Vincent,
>
> On 12/15/15 7:20 AM, Vincent Torri wrote:
>> Hello
>>
>> I am still working on Examine, my small valgrind-like memory leak
>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>
>> First, I recall that it works by doing DLL injection with
>> CreateRemoteThread, and API hooking by patching the IAT.
>>
>> So Examine is working well, now, but I have 2 questions, about
>> _strdup() and malloc() :
>>
>> 1) If I call malloc() in a program, it is detected by Examine. If I
>> call _strdup(), malloc is not detected at all, while MSDN says that
>> _strdup() "calls malloc to allocate storage space" (see
>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>> have an idea why malloc() is not caught ?
>
> Both malloc and _strdup live in the same DLL (like msvcrt.dll or any
> other msvcr*.dll version), so calls from _strdup to malloc don't use
> import table, it's a direct call. You could have more luck by hot
> patching malloc function itself, but I don't think it's the right solution.
>
> You may have more luck patching HeapAlloc (or even RtlAllocateHeap)
> instead. At least in Wine, malloc ends up calling it.

I've already patched HeapAlloc(), but malloc is already patched. I'll
try to remove malloc() hook.

Vincent
[Mingw-w64-public] patching IAT and _strdup() and malloc() functions
Hello

I am still working on Examine, my small valgrind-like memory leak
detector (http://vtorri.github.io/examine/) and I have 2 questions.

First, I recall that it works by doing DLL injection with
CreateRemoteThread, and API hooking by patching the IAT.

So Examine is working well, now, but I have 2 questions, about
_strdup() and malloc() :

1) If I call malloc() in a program, it is detected by Examine. If I
call _strdup(), malloc is not detected at all, while MSDN says that
_strdup() "calls malloc to allocate storage space" (see
https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
have an idea why malloc() is not caught ?

2) So to fix 1), I've just patched the IAT to detect _strdup() (but
I'm not satisfied with this). Now if I call strdup(), _strdup() is not
detected. I thought first that strdup() was a macro, but it is
actually declared in string.h. Does someone know why strdup() is not
caught too ?

thank you

Vincent Torri
Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions
On 15.12.2015 9:20, Vincent Torri wrote:
> Hello
>
> I am still working on Examine, my small valgrind-like memory leak
> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>
> First, I recall that it works by doing DLL injection with
> CreateRemoteThread, and API hooking by patching the IAT.
>
> So Examine is working well, now, but I have 2 questions, about
> _strdup() and malloc() :
>
> 1) If I call malloc() in a program, it is detected by Examine. If I
> call _strdup(), malloc is not detected at all, while MSDN says that
> _strdup() "calls malloc to allocate storage space" (see
> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
> have an idea why malloc() is not caught ?
>
> 2) So to fix 1), I've just patched the IAT to detect _strdup() (but
> I'm not satisfied with this). Now if I call strdup(), _strdup() is not
> detected. I thought first that strdup() was a macro, but it is
> actually declared in string.h. Does someone know why strdup() is not
> caught too ?

One possibility is the strdup builtin that gcc has. Though I'm not sure
what exactly it does, aside from checking for argument not being a NULL
pointer.

--
O< ascii ribbon - stop html email! - www.asciiribbon.org