- win-containers-cmclient
- win-core-backgroundtask
- win-core-com-private
- win-core-file-fromapp
- win-core-pcw
- win-core-state-helpers
- win-gaming-deviceinformation
- win-security-isolationapi
- win-security-isolationpolicy
- win-shcore-taskpool
- win-wsl-api
- win-appcompat-aeinv
- win-hostactivitymanager-hostidstore
- win-hyperv-hgs
- win-hyperv-hvemulation
- win-hyperv-hvplatform
- win-hyperv-compute
- win-networking-teredo
- win-rtcore-ntuser-controllernavigation
- win-security-authz-helper
- win-security-catalog-database
- ms-win-security-cfl
- win-security-ngc-local
- win-security-vaultcds
- win-session-candidateaccountmgr
пятница, 7 сентября 2018 г.
apisetschema.dll from windows 10 build 1774
new modules were added since 15025
Wednesday, August 8, 2018
bug in wtsapi32!WTSFreeMemoryExA
prototype
BOOL WTSFreeMemoryExA(
WTS_TYPE_CLASS WTSTypeClass,
PVOID pMemory,
ULONG NumberOfEntries
);
WTS_TYPE_CLASS declared in WtsApi32.h as
enum _WTS_TYPE_CLASS {
WTSTypeProcessInfoLevel0 = 0x0,
WTSTypeProcessInfoLevel1 = 0x1,
WTSTypeSessionInfoLevel1 = 0x2,
};
ok, check in disasm what happens:
WTSFreeMemoryExA proc near
push rbx
sub rsp, 20h
xor ebx, ebx
cmp ecx, ebx
jl short loc_7FF70582EC2
cmp ecx, 1 ; whut ?
jg short loc_7FF70582EC2
call WTSFreeMemoryExW
mov ebx, eax
jmp short loc_7FF70582ECD
loc_7FF70582EC2:
mov ecx, 87 ; dwErrCode - ERROR_INVALID_PARAMETER
call cs:__imp_SetLastError
As you can see, you cannot pass WTSTypeSessionInfoLevel1 (2) to WTSFreeMemoryExA: the range check accepts only 0 and 1, so the call fails with ERROR_INVALID_PARAMETER and nothing is freed. As a dirty workaround you can call WTSFreeMemoryExW instead; it checks WTSTypeClass correctly, and it is the function the A variant forwards to anyway. Btw, this leads to memory leaks and has been known at least since 2013.
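The following is an added example, not code from the original post. The two check functions model the range test seen in the disassembly above (A export: only 0 and 1 accepted) next to a check that covers the whole WTS_TYPE_CLASS enum (what the W export does, per the post), so the failure mode can be reproduced without Windows. The block under _WIN32 shows the workaround in practice: enumerate sessions with WTSEnumerateSessionsExA and release the buffer with WTSFreeMemoryExW when the A export refuses it. The stand-in enum and ERROR_INVALID_PARAMETER definition for non-Windows builds, and the function names buggy_freememoryexa_check / correct_freememoryexw_check / enumerate_and_free_sessions, are my own assumptions for the example.

```c
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#pragma comment(lib, "wtsapi32.lib")
#else
/* Assumption: minimal stand-ins so the model compiles off Windows. */
typedef enum _WTS_TYPE_CLASS {
    WTSTypeProcessInfoLevel0 = 0,
    WTSTypeProcessInfoLevel1 = 1,
    WTSTypeSessionInfoLevel1 = 2
} WTS_TYPE_CLASS;
#define ERROR_INVALID_PARAMETER 87
#endif

/* Model of the check in wtsapi32!WTSFreeMemoryExA as disassembled above:
 *   cmp ecx, 0 / jl error ; cmp ecx, 1 / jg error
 * Returns 0 when the call would proceed, otherwise the Win32 error it sets. */
unsigned long buggy_freememoryexa_check(int type_class)
{
    if (type_class < 0 || type_class > 1)
        return ERROR_INVALID_PARAMETER;   /* WTSTypeSessionInfoLevel1 ends up here */
    return 0;
}

/* Model of a correct check: every value of WTS_TYPE_CLASS is accepted,
 * anything outside the enum is rejected. */
unsigned long correct_freememoryexw_check(int type_class)
{
    if (type_class < WTSTypeProcessInfoLevel0 || type_class > WTSTypeSessionInfoLevel1)
        return ERROR_INVALID_PARAMETER;
    return 0;
}

#ifdef _WIN32
/* Workaround in practice: enumerate sessions through the ANSI API and free the
 * result with the W export. Returns the session count, or a negative value on failure. */
int enumerate_and_free_sessions(void)
{
    DWORD level = 1;                       /* WTSEnumerateSessionsEx requires level 1 */
    PWTS_SESSION_INFO_1A info = NULL;
    DWORD count = 0;

    if (!WTSEnumerateSessionsExA(WTS_CURRENT_SERVER_HANDLE, &level, 0, &info, &count))
        return -1;

    /* Try the matching A export first; on the buggy build it fails with error 87. */
    if (WTSFreeMemoryExA(WTSTypeSessionInfoLevel1, info, count))
        return (int)count;                 /* fixed build: buffer already released */

    printf("WTSFreeMemoryExA failed, GetLastError() = %lu\n", GetLastError());

    /* The A export forwards to the W export for accepted types, so freeing
     * through WTSFreeMemoryExW releases the same buffer. */
    if (!WTSFreeMemoryExW(WTSTypeSessionInfoLevel1, info, count))
        return -2;
    return (int)count;
}
#endif

int main(void)
{
    printf("A-export model, type 2: error %lu\n",
           buggy_freememoryexa_check(WTSTypeSessionInfoLevel1));
    printf("W-export model, type 2: error %lu\n",
           correct_freememoryexw_check(WTSTypeSessionInfoLevel1));
#ifdef _WIN32
    printf("sessions: %d\n", enumerate_and_free_sessions());
#endif
    return 0;
}
```

Callers that check the return value of WTSFreeMemoryExA and bail out are the ones that leak; the buffer is still reachable, so the fix on the caller side is to retry through the W export as above.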
Tuesday, July 3, 2018
Friday, June 29, 2018
interesting case of memory leak
After three weeks of running, the osqueryd.exe service had consumed about 150 MB of memory, so I made a full memory dump with Process Explorer and ran !heap -l in WinDbg.
298991 lines in the log! Let's write a quick and dirty Perl script to calculate the sizes of the leaked blocks:
#!/usr/bin/perl
# Count leaked blocks reported by "!heap -l", grouped by block size.
# Reads the WinDbg log from stdin; parsing starts after the "-----" separator
# line and stops at the first empty line.
use strict;
use warnings;

my $state = 0;
my (%dict, $size);

while ( my $str = <> ) {
    chomp $str;
    last if ( $str eq '' );
    if ( !$state ) {
        # skip the header up to the dashed separator
        $state = 1 if ( $str =~ /^-----/ );
        next;
    }
    # the Size column starts at character 72 of each !heap -l line
    $str = substr($str, 72, 10);
    $str =~ s/^\s+//g;
    $str =~ s/\s+$//g;
    $size = hex($str);
    next if ( !$size );
    $dict{$size} += 1;
}

# dump results: block size in hex and its count, most frequent first
foreach my $iter ( sort { $dict{$b} <=> $dict{$a} } keys %dict ) {
    printf("%X %d\n", $iter, $dict{$iter});
}

results are encouraging:
Wednesday, January 17, 2018
wincheck rc8.60
download
mirror
Changelog:
- add some support for Meltdown-patched kernels. It seems that Microsoft backported the InterruptObject field of KPRCB from Windows 10 to Windows 8.1, so all offsets below this field shifted downward and the previous version of wincheck produced BSODs
- add dumping of SYSTEM_KERNEL_VA_SHADOW_INFORMATION
- add support for Windows 10 build 17063
- add lots of new WNF ID names from ADK version 10.1.16299