Friday, 29 June 2018

an interesting case of a memory leak

after three weeks of running, the osqueryd.exe service had consumed about 150 MB of memory. So I made a full memory dump with Process Explorer and ran !heap -l in windbg.
298,991 lines in the log! Let's write a quick and dirty Perl script to count the leaked blocks by size:
#!/usr/bin/perl
# Reads windbg "!heap -l" output on stdin and builds a histogram
# of leaked block sizes: size (hex) -> number of leaked blocks
use strict;
use warnings;

my $state = 0;           # 0 = still in the header, 1 = inside the table
my($str, %dict, $size);
while( $str = <> )
{
  chomp $str;
  last if ( $str eq '' );   # a blank line ends the table
  if ( ! $state )
  {
    # the table body starts after the dashed separator line
    $state = 1 if ( $str =~ /^-----/ );
    next;
  }
  # on x64 the Entry/User/Heap/Segment columns take 4 x (16 hex digits + 2 spaces) = 72 chars,
  # then comes the Size column; skip rows too short to hold it
  next if ( length($str) < 72 );
  $str = substr($str, 72, 10);
  $str =~ s/^\s+//g;
  $str =~ s/\s+$//g;
  $size = hex($str);
  next if ( !$size );
  $dict{$size} += 1;
}

# dump results, most frequent size first
my $iter;
foreach $iter ( sort { $dict{$b} <=> $dict{$a} } keys %dict )
{
  printf("%X %d\n", $iter, $dict{$iter});
}
results are encouraging:
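The same parsing done in Python, as an added example that is not part of the original post: it splits each table row on whitespace instead of relying on the 72-character column offset, skips zero-sized and malformed rows, and also totals the bytes per size so the allocation that dominates the 150 MB stands out. The !heap -l output embedded below is constructed for the example, not taken from the osqueryd dump.

```python
import re
from collections import Counter

# Constructed sample of windbg "!heap -l" output (not a real capture).
SAMPLE = """Searching the memory for potential unreachable busy blocks.
Heap 0000000000a30000
Scanning VM ...
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0000000000a3f1d0  0000000000a3f1e0  0000000000a30000  0000000000a30000      40        30        10  busy
0000000000a3f210  0000000000a3f220  0000000000a30000  0000000000a30000      40        40         8  busy
0000000000a41000  0000000000a41010  0000000000a30000  0000000000a30000     230        40         0  busy
0000000000a41230  0000000000a41240  0000000000a30000  0000000000a30000      40       230        10  busy
0000000000a41270  0000000000a41280  0000000000a30000  0000000000a30000       0        40         0  busy

4 unreachable busy blocks were found (constructed trailer)
"""

HEX_FIELD = re.compile(r"^[0-9a-fA-F]+$")


def parse_heap_l(text):
    """Return Counter {block_size_in_bytes: number_of_leaked_blocks}.

    Rows are the whitespace-separated columns
    Entry User Heap Segment Size PrevSize Unused Flags; Size is field 4 (hex).
    """
    sizes = Counter()
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not in_table:
            # the table body starts after the dashed separator line
            in_table = line.startswith("-----")
            continue
        if line == "":
            break  # blank line ends the table
        fields = line.split()
        if len(fields) < 5 or not HEX_FIELD.match(fields[4]):
            continue  # malformed / unexpected row
        size = int(fields[4], 16)
        if size == 0:
            continue
        sizes[size] += 1
    return sizes


def leak_report(sizes):
    """Rows of (size, count, total_bytes), most frequent size first."""
    rows = [(size, count, size * count) for size, count in sizes.items()]
    rows.sort(key=lambda r: (-r[1], -r[0]))
    return rows


if __name__ == "__main__":
    # same output format as the Perl script, plus the per-size byte total
    for size, count, total in leak_report(parse_heap_l(SAMPLE)):
        print("%X %d (%d bytes)" % (size, count, total))
```

Feed a real `!heap -l` log through `parse_heap_l(open(path).read())`; the count column tells you how many objects are leaking, the byte total which size class is actually responsible for the growth.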

Wednesday, 17 January 2018

wincheck rc8.60

download
mirror
Changelog:
  • add some support for Meltdown-patched kernels. It seems that Microsoft backported InterruptObject from Windows 10 into KPRCB on Windows 8.1, so all offsets below this field were shifted downward and the previous version of wincheck produced BSODs
  • add dumping of SYSTEM_KERNEL_VA_SHADOW_INFORMATION
  • add support for Windows 10 build 17063
  • add lots of new WNF ID names from ADK version 10.1.16299