WinDbg How to find HeapAlloc or HeapAllocStub?
I'm trying to find the address of the API HeapAlloc in Windbg using the following syntax u Kernel32!HeapAllocStub but windbg cannot resolve that. I have reloded the symbols and the error persist, for the Other api this method is working fine.
Can you point me what I'm doing wrong ?
Thanks in advance
why are you looking for HeapAllocStub ?
do you have any reason that it should exist ?
and in latest windows kernel32.dll does not have any implementation
most of the functions are implemented in kernelbase.dll
almost most of the heap functions are forwarded to ntdll.dll
HeapAlloc is implemented in ntdll as RtlAllocateHeap
windbg has a very powerful wild card Search
you can use a command like x *!*Heap*All*
which would look for any function that has the regex Heap.*All.*
in all the loaded Modules
kernel32 imports the function HeapAlloc as can be seen below
0:000> x *k*32*!*heap*all*
00007ffe`44eefb94 KERNEL32!`WerpHeapAlloc'::`1'::fin$0 (void)
00007ffe`44ea6330 KERNEL32!BasepJobObjectHeapAlloc (BasepJobObjectHeapAlloc)
00007ffe`44f023f8 KERNEL32!_imp_HeapAlloc = <no type information>
00007ffe`44f023e8 KERNEL32!_imp_HeapReAlloc = <no type information>
00007ffe`44eef90c KERNEL32!WerpHeapAlloc (void * __cdecl WerpHeapAlloc(struct _WER_HEAP_MAIN_HEADER *,unsigned __int64))
and the imported function is implemented in ntdll.dll
0:000> dps KERNEL32!_imp_HeapAlloc l1
00007ffe`44f023f8 00007ffe`460fa9a0 ntdll!RtlAllocateHeap
0:000> dps KERNEL32!_imp_HeapReAlloc l1
00007ffe`44f023e8 00007ffe`460f3640 ntdll!RtlReAllocateHeap
0:000>
0:000> u poi(KERNEL32!_imp_HeapAlloc) l5
ntdll!RtlAllocateHeap:
00007ffe`460fa9a0 48895c2408 mov qword ptr [rsp+8],rbx
00007ffe`460fa9a5 4889742410 mov qword ptr [rsp+10h],rsi
00007ffe`460fa9aa 57 push rdi
00007ffe`460fa9ab 4883ec30 sub rsp,30h
00007ffe`460fa9af 498bf8 mov rdi,r8
0:000>
- Can Windbg display thread names?
- Observing the default process heap getting created (breakpoint on heap creation)
- How to switch from non-invasive attach to invasive?
- .NET Core application deadlocks when reading stdout and stderr from a child process - how to troubleshoot using WinDBG?
- WINDBG: Display dump file capture flags
- Could not find the ... dump file, Win32 error 0n87 when opening SYS
- Are there any WinDBG replacements with a better GUI?
- No stack when creating "kernel" dump with procdump -mk
- Provide symbol server auth to windows debugger
- How to set up symbols in WinDbg?
- How to see managed exception details in WinDBG?
- Find address of C++ static class member using WinDbg
- Confusion over CPSR register for Aarch64: how to read it and encoding of the "ARM processor mode"
- Why can't Windbg's SOS extension give me Syncblock data?
- Setting a breakpoint on CreateFile() API in WinDbg
- Debuggers don't kick in when application crashes
- Unable to set a bp on LoadLibraryW
- WinDbg: Couldn't resolve error at xyz!abc::func while setting breakpoint
- TTD fails to do selective recording of multiple modules
- How to debug a windows driver with IDA and use its corresponding IDB?
- What is the location for windbg Preview in windows 10?And how to rename a project name in visual studio 2019?
- How to do hybrid user-mode/kernel-mode debugging?
- How do I get CDB to display the value of a std::filesystem::path?
- How do I get CDB to show source lines for Microsoft’s C++ Standard Library?
- How do I use a remote Linux system to debug an application that’s running on Windows?
- After modifying msr[lstar], why the expected breakpoint cannot be hit?
- Debugging Windows kernel on a Microsoft Azure platform virtual machine
- what does windbg command "d esp" exactly do?
- SOS does not support the current target architecture
- How to use WinDbg to analyze the crash dump for VC++ application?