|
|
/*++
Copyright (c) 2001 Microsoft Corporation
Module Name:
oh.cxx
Abstract:
Prints out kernel handle information for a given process or systemwide and compares logs with handle information for possible leaks.
Author:
SteveWo (probably) ChrisW - tweaks, GC style leak checking SilviuC - support for stack traces SilviuC - added log compare functionality (a la ohcmp)
Futures:
get -h to work without -p (ie stack traces for all processes) for the -u feature, look for unaligned values
--*/
//
// OH version.
//
// Please update this for important changes
// so that people can understand what version of the tool
// created a log.
//
#define LARGE_HITCOUNT 1234
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <memory.h>
#include <tchar.h>
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <common.ver>
#include <dbghelp.h>
#include "MAPSTRINGINT.h"
LPTSTR OhHelpText =
TEXT("oh - Object handles dump --") BUILD_MACHINE_TAG TEXT("\n") VER_LEGALCOPYRIGHT_STR TEXT("\n") TEXT(" \n") TEXT("OH [DUMP_OPTIONS ...] \n") TEXT("OH [FLAGS_OPTIONS ...] \n") TEXT("OH -c [COMPARE_OPTIONS ...] BEFORE_LOG AFTER_LOG \n") TEXT(" \n") TEXT("DUMP_OPTIONS are: \n") TEXT(" \n") TEXT(" -p N - displays only open handles for process with ID of n. If not \n") TEXT(" specified perform a system wide dump. \n") TEXT(" -t TYPENAME - displays only open object names of specified type. \n") TEXT(" -o FILENAME - specifies the name of the file to write the output to.\n") TEXT(" -a includes objects with no name. \n") TEXT(" -s display summary information \n") TEXT(" -h display stack traces for handles (a process ID must be specified)\n") TEXT(" -u display only handles with no references in process memory \n") TEXT(" -v verbose mode (used for debugging oh) \n") TEXT(" NAME - displays only handles that contain the specified name. \n") TEXT(" \n") TEXT("FLAGS_OPTIONS are: \n") TEXT(" \n") TEXT(" [+kst|-kst] - enable or disable kst flag (kernel mode stack traces).\n") TEXT(" [+otl|-otl] - enable or disable otl flag (object lists). \n") TEXT(" \n") TEXT("The `OH [+otl] [+kst]' command can be used to set the global flags \n") TEXT("needed by OH. `+otl' is needed for all OH options and `+kst' is needed \n") TEXT("by the `-h' option. The changes will take effect only after reboot. \n") TEXT("The flags can be disabled by using `-otl' or `-kst' respectively. \n") TEXT(" \n") TEXT("COMPARE_OPTIONS are: \n") TEXT(" \n") TEXT(" -l Print most interesting increases in a separate initial section. \n") TEXT(" -t Do not add TRACE id to the names if files contain traces. \n") TEXT(" -all Report decreases as well as increases. \n") TEXT(" \n") TEXT("If the OH files have been created with -h option (they contain traces) \n") TEXT("then handle names will be printed using this syntax: (TRACEID) NAME. \n") TEXT("In case of a potential leak just search for the TRACEID in the original\n") TEXT("OH file to find the stack trace. \n") TEXT(" \n");
typedef DWORD PID;
PID ProcessId;WCHAR TypeName[ 128 ];WCHAR SearchName[ 512 ];
typedef struct _HANDLE_AUX_INFO { ULONG_PTR HandleValue; // value of handle for a process
PID Pid; // Process ID for this handle
DWORD HitCount; // number of references
PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleEntry; // points to main table entry
} HANDLE_AUX_INFO, *PHANDLE_AUX_INFO;
//
// Globals
//
struct {
FILE* Output; // output file
PRTL_PROCESS_BACKTRACES TraceDatabase; // stack traces
HANDLE TargetProcess; // process handle to get symtab info from
BOOL DumpTraces; // True if we are to dump stack traces
HANDLE_AUX_INFO* AuxInfo; // additional data for every handle
DWORD AuxSize; // number of entries in AuxInfo
BOOL fOnlyShowNoRefs; // Only show handles with NO references
BOOL fVerbose; // display debugging text
} Globals;
//
// Log comparing main function (ohcmp).
//
VOIDOhCmpCompareLogs ( IN LONG argc, IN LPTSTR argv[] );
//
// Global flags handling
//
DWORDOhGetCurrentGlobalFlags ( );
VOIDOhSetRequiredGlobalFlag ( DWORD Flags );
VOIDOhResetRequiredGlobalFlag ( DWORD Flags );
//
// Memory management
//
PVOIDOhAlloc ( SIZE_T Size );
VOIDOhFree ( PVOID P );
PVOIDOhZoneAlloc( IN OUT SIZE_T *Length );
VOIDOhZoneFree( IN PVOID Buffer );
PVOIDOhZoneAllocEx( SIZE_T Size );
//
// Others
//
VOIDOhError ( PCHAR File, ULONG Line, PCHAR Format, ... );
VOIDOhDumpHandles ( BOOLEAN DumpAnonymousHandles );
VOIDOhInitializeHandleStackTraces ( PID Pid );
VOIDOhDumpStackTrace ( PRTL_PROCESS_BACKTRACES TraceDatabase, USHORT Index );
BOOLOhSetSymbolsPath ( );
VOIDOhStampLog ( VOID );
VOIDInfo ( PCHAR Format, ... );
VOIDOhComment ( PCHAR Format, ... );
VOIDWarning ( PCHAR File, ULONG Line, PCHAR Format, ... );
PRTL_DEBUG_INFORMATIONRtlQuerySystemDebugInformation( ULONG Flags );
VOIDDoSummary( VOID );
BOOLEANAnsiToUnicode( LPCSTR Source, PWSTR Destination, ULONG NumberOfChars ){ if (NumberOfChars == 0) { NumberOfChars = strlen( Source ); }
if (MultiByteToWideChar( CP_ACP, MB_PRECOMPOSED, Source, NumberOfChars, Destination, NumberOfChars ) != (LONG)NumberOfChars ) { SetLastError( ERROR_NO_UNICODE_TRANSLATION ); return FALSE; } else { Destination[ NumberOfChars ] = UNICODE_NULL; return TRUE; }}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////// main(), command line processing
/////////////////////////////////////////////////////////////////////
VOID Help ( VOID )/*++
Routine Description:
This routine prints out a message describing the proper usage of OH.
Arguments:
None.
Return value:
None. --*/{ fputs (OhHelpText, stderr); exit (1);}
int __cdeclmain ( int argc, char *argv[], char *envp[] ){ BOOLEAN fAnonymousToo; BOOLEAN fDoSummary; char *s; NTSTATUS Status; PRTL_DEBUG_INFORMATION p; CHAR OutputFileName [MAX_PATH]; DWORD GlobalFlags; int Index; BOOL FlagsSetRequested = FALSE; BOOLEAN bJunk;
_try {
//
// Print to stdout for now.
//
Globals.Output = stdout;
//
// Check for help first.
//
if (argc >= 2 && strstr (argv[1], "?") != NULL) { Help (); }
//
// Get current global flags.
//
GlobalFlags = OhGetCurrentGlobalFlags ();
OutputFileName[0]='\0';
ProcessId = 0;
fAnonymousToo = FALSE; fDoSummary = FALSE ;
//
// Before any other command line parsing check for `+otl' or `+kst' options.
//
for (Index = 1; Index < argc; Index += 1) {
if (_stricmp (argv[Index], "+otl") == 0) {
OhSetRequiredGlobalFlag (FLG_MAINTAIN_OBJECT_TYPELIST); FlagsSetRequested = TRUE; } else if (_stricmp (argv[Index], "+kst") == 0) {
OhSetRequiredGlobalFlag (FLG_KERNEL_STACK_TRACE_DB); FlagsSetRequested = TRUE; } else if (_stricmp (argv[Index], "-otl") == 0) {
OhResetRequiredGlobalFlag (FLG_MAINTAIN_OBJECT_TYPELIST); FlagsSetRequested = TRUE; } else if (_stricmp (argv[Index], "-kst") == 0) {
OhResetRequiredGlobalFlag (FLG_KERNEL_STACK_TRACE_DB); FlagsSetRequested = TRUE; } }
if (FlagsSetRequested == TRUE) { exit (0); }
//
// Now check if we want log comparing functionality (a la ohcmp).
//
if (argc > 2 && _stricmp (argv[1], "-c") == 0) {
OhCmpCompareLogs (argc - 1, &(argv[1])); exit (0); }
//
// Figure out if we have the +otl global flag. We need to do this
// before getting into real oh functionality.
//
if ((GlobalFlags & FLG_MAINTAIN_OBJECT_TYPELIST) == 0) {
Info ("The system global flag `maintain object type lists' is not enabled \n" "for this system. Please use `oh +otl' to enable it and then reboot. \n");
exit (1); }
//
// Finally parse the `oh' command line.
//
while (--argc) { s = *++argv; if (*s == '/' || *s == '-') { while (*++s) { switch (tolower(*s)) { case 'a': case 'A': fAnonymousToo = TRUE; break;
case 'p': case 'P': if (--argc) { ProcessId = (PID)atol( *++argv ); } else { Help(); } break;
case 'h': case 'H': Globals.DumpTraces = TRUE; break;
case 'o': case 'O': if (--argc) { strncpy( OutputFileName, *++argv, sizeof(OutputFileName)-1 ); OutputFileName[sizeof(OutputFileName)-1]= 0; } else { Help(); } break;
case 't': case 'T': if (--argc) { AnsiToUnicode( *++argv, TypeName, 0 ); } else { Help(); } break;
case 's': case 'S': fDoSummary = TRUE; break;
case 'u': case 'U': Globals.fOnlyShowNoRefs= TRUE; break;
case 'v': case 'V': Globals.fVerbose= TRUE; break;
default: Help(); } } } else if (*SearchName) { Help(); } else { AnsiToUnicode( s, SearchName, 0 ); } }
if (OutputFileName[0] == '\0') { Globals.Output = stdout; } else { Globals.Output = fopen (OutputFileName, "w"); }
if (Globals.Output == NULL) {
OhError (NULL, 0, "cannot open output file `%s' (error %u) \n", OutputFileName, GetLastError ()); }
//
// Get debug privilege. This will be useful for opening processes.
//
Status= RtlAdjustPrivilege( SE_DEBUG_PRIVILEGE, TRUE, FALSE, &bJunk);
if( !NT_SUCCESS(Status) ) {
Info ( "RtlAdjustPrivilege(SE_DEBUG) failed with status = %X. -u may not work.", Status); }
//
// Stamp the log with OS version, time, machine name, etc.
//
OhStampLog ();
if (Globals.DumpTraces) {
if (ProcessId == 0) {
OhError (NULL, 0, "`-h' option can be used only if a process ID is specified with `-p PID'"); }
if ((GlobalFlags & FLG_KERNEL_STACK_TRACE_DB) == 0) {
Info ("The system global flag `get kernel mode stack traces' is not enabled \n" "for this system. Please use `oh +kst' to enable it and then reboot. \n");
exit (1); }
OhInitializeHandleStackTraces ( ProcessId ); }
p = RtlQuerySystemDebugInformation( 0 ); if (p == NULL) { fprintf( stderr, "OH1: Unable to query kernel mode information.\n" ); exit( 1 ); }
OhDumpHandles (fAnonymousToo);
if ( fDoSummary ) { DoSummary(); }
if (Globals.Output != stdout) { fclose (Globals.Output); }
RtlDestroyQueryDebugBuffer( p ); return 0; } _except (EXCEPTION_EXECUTE_HANDLER) {
OhComment ("Exception %X raised within OH process. Aborting ... \n", _exception_code()); }
return 0;}
typedef struct _PROCESS_INFO { LIST_ENTRY Entry; PSYSTEM_PROCESS_INFORMATION ProcessInfo; PSYSTEM_THREAD_INFORMATION ThreadInfo[ 1 ];} PROCESS_INFO, *PPROCESS_INFO;
LIST_ENTRY ProcessListHead;
PSYSTEM_OBJECTTYPE_INFORMATION ObjectInformation;PSYSTEM_HANDLE_INFORMATION_EX HandleInformation;PSYSTEM_PROCESS_INFORMATION ProcessInformation;
typedef struct _TYPE_COUNT { UNICODE_STRING TypeName ; ULONG HandleCount ;} TYPE_COUNT, * PTYPE_COUNT ;
#define MAX_TYPE_NAMES 128
TYPE_COUNT TypeCounts[ MAX_TYPE_NAMES + 1 ] ;
UNICODE_STRING UnknownTypeIndex;
#define RTL_NEW( p ) RtlAllocateHeap( RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof( *p ) )
BOOLEANOhLoadSystemModules( PRTL_DEBUG_INFORMATION Buffer );
BOOLEANOhLoadSystemObjects( PRTL_DEBUG_INFORMATION Buffer );
BOOLEANOhLoadSystemHandles( PRTL_DEBUG_INFORMATION Buffer );
BOOLEANOhLoadSystemProcesses( PRTL_DEBUG_INFORMATION Buffer );
PSYSTEM_PROCESS_INFORMATIONOhFindProcessInfoForCid( IN PID UniqueProcessId );
PRTL_DEBUG_INFORMATIONRtlQuerySystemDebugInformation( ULONG Flags )/*++
Routine description:
Parameters:
Return value:
--*/{ PRTL_DEBUG_INFORMATION Buffer;
Buffer = (PRTL_DEBUG_INFORMATION)RTL_NEW( Buffer ); if (Buffer == NULL) { return NULL; }
if (!OhLoadSystemObjects( Buffer )) { fprintf( stderr, "OH2: Unable to query system object information.\n" ); exit (1); }
if (!OhLoadSystemHandles( Buffer )) { fprintf( stderr, "OH3: Unable to query system handle information.\n" ); exit (1); }
if (!OhLoadSystemProcesses( Buffer )) { fprintf( stderr, "OH4: Unable to query system process information.\n" ); exit (1); }
return Buffer;}
BOOLEANOhLoadSystemObjects( PRTL_DEBUG_INFORMATION Buffer )/*++
Routine description:
Parameters:
Return value:
--*/{ NTSTATUS Status; SYSTEM_OBJECTTYPE_INFORMATION ObjectInfoBuffer; SIZE_T RequiredLength, NewLength=0; ULONG i; PSYSTEM_OBJECTTYPE_INFORMATION TypeInfo;
ObjectInformation = &ObjectInfoBuffer; RequiredLength = sizeof( *ObjectInformation ); while (TRUE) { Status = NtQuerySystemInformation( SystemObjectInformation, ObjectInformation, (ULONG)RequiredLength, (ULONG *)&NewLength );
if (Status == STATUS_INFO_LENGTH_MISMATCH && NewLength > RequiredLength) { if (ObjectInformation != &ObjectInfoBuffer) { OhZoneFree (ObjectInformation); } RequiredLength = NewLength + 4096; ObjectInformation = (PSYSTEM_OBJECTTYPE_INFORMATION)OhZoneAlloc (&RequiredLength); if( ObjectInformation == NULL ) { return FALSE; } } else if (!NT_SUCCESS( Status )) { if( ObjectInformation != &ObjectInfoBuffer ) { OhZoneFree (ObjectInformation); } return FALSE; } else { break; } }
TypeInfo = ObjectInformation;
while (TRUE) {
if (TypeInfo->TypeIndex < MAX_TYPE_NAMES) { TypeCounts[ TypeInfo->TypeIndex ].TypeName = TypeInfo->TypeName; }
if (TypeInfo->NextEntryOffset == 0) { break; }
TypeInfo = (PSYSTEM_OBJECTTYPE_INFORMATION) ((PCHAR)ObjectInformation + TypeInfo->NextEntryOffset); }
RtlInitUnicodeString( &UnknownTypeIndex, L"UnknownTypeIdx" ); for (i=0; i<=MAX_TYPE_NAMES; i++) { if (TypeCounts[ i ].TypeName.Length == 0 ) { TypeCounts[ i ].TypeName = UnknownTypeIndex; } }
return TRUE;}
BOOLEANOhLoadSystemHandles( PRTL_DEBUG_INFORMATION Buffer )/*++
Routine description:
This routine ... Parameters:
Information buffer to fill. Return value:
True if all information was obtained from kernel side.
--*/{ NTSTATUS Status; SYSTEM_HANDLE_INFORMATION_EX HandleInfoBuffer; SIZE_T RequiredLength; SIZE_T NewLength = 0; PSYSTEM_OBJECTTYPE_INFORMATION TypeInfo; PSYSTEM_OBJECT_INFORMATION ObjectInfo;
HandleInformation = &HandleInfoBuffer; RequiredLength = sizeof( *HandleInformation );
while (TRUE) {
Status = NtQuerySystemInformation( SystemExtendedHandleInformation, HandleInformation, (ULONG)RequiredLength, (ULONG *)&NewLength );
if (Status == STATUS_INFO_LENGTH_MISMATCH && NewLength > RequiredLength) { if (HandleInformation != &HandleInfoBuffer) { OhZoneFree (HandleInformation); }
RequiredLength = NewLength + 4096; // slop, since we may trigger more handle creations.
HandleInformation = (PSYSTEM_HANDLE_INFORMATION_EX)OhZoneAlloc( &RequiredLength ); if (HandleInformation == NULL) { return FALSE; } } else if (!NT_SUCCESS( Status )) { if (HandleInformation != &HandleInfoBuffer) { OhZoneFree (HandleInformation); }
OhError (__FILE__, __LINE__, "query (SystemExtendedHandleInformation) failed with status %08X \n", Status);
return FALSE; } else { break; } }
TypeInfo = ObjectInformation; while (TRUE) { ObjectInfo = (PSYSTEM_OBJECT_INFORMATION) ((PCHAR)TypeInfo->TypeName.Buffer + TypeInfo->TypeName.MaximumLength); while (TRUE) { if (ObjectInfo->HandleCount != 0) { PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleEntry; ULONG HandleNumber;
HandleEntry = &HandleInformation->Handles[ 0 ]; HandleNumber = 0; while (HandleNumber++ < HandleInformation->NumberOfHandles) { if (!(HandleEntry->HandleAttributes & 0x80) && HandleEntry->Object == ObjectInfo->Object ) { HandleEntry->Object = ObjectInfo; HandleEntry->HandleAttributes |= 0x80; }
HandleEntry++; } }
if (ObjectInfo->NextEntryOffset == 0) { break; }
ObjectInfo = (PSYSTEM_OBJECT_INFORMATION) ((PCHAR)ObjectInformation + ObjectInfo->NextEntryOffset); }
if (TypeInfo->NextEntryOffset == 0) { break; }
TypeInfo = (PSYSTEM_OBJECTTYPE_INFORMATION) ((PCHAR)ObjectInformation + TypeInfo->NextEntryOffset); }
return TRUE;}
BOOLEANOhLoadSystemProcesses( PRTL_DEBUG_INFORMATION Buffer )/*++
Routine description:
Parameters:
Return value:
--*/{ NTSTATUS Status; SIZE_T RequiredLength; ULONG i, TotalOffset; PSYSTEM_PROCESS_INFORMATION ProcessInfo; PSYSTEM_THREAD_INFORMATION ThreadInfo; PPROCESS_INFO ProcessEntry; UCHAR NameBuffer[ MAX_PATH ]; ANSI_STRING AnsiString; const SIZE_T SIZE_64_KB = 0x10000;
//
// Always initialize the list head, so that a failed
// NtQuerySystemInformation call won't cause an AV later on.
//
InitializeListHead (&ProcessListHead);
RequiredLength = SIZE_64_KB; ProcessInformation = (PSYSTEM_PROCESS_INFORMATION)OhZoneAllocEx (RequiredLength);
while (TRUE) { Status = NtQuerySystemInformation (SystemProcessInformation, ProcessInformation, (ULONG)RequiredLength, NULL);
if (Status == STATUS_INFO_LENGTH_MISMATCH) {
OhZoneFree (ProcessInformation);
//
// Check for number overflow.
//
if (RequiredLength * 2 < RequiredLength) { return FALSE; }
RequiredLength *= 2; ProcessInformation = (PSYSTEM_PROCESS_INFORMATION)OhZoneAllocEx (RequiredLength); } else if (! NT_SUCCESS(Status)) {
OhError (__FILE__, __LINE__, "query (SystemProcessInformation) failed with status %08X \n", Status); } else { //
// We managed to read the process information.
//
break; } }
ProcessInfo = ProcessInformation; TotalOffset = 0;
while (TRUE) {
SIZE_T ProcessEntrySize;
if (ProcessInfo->ImageName.Buffer == NULL) {
sprintf ((PCHAR)NameBuffer, "System Process (%p)", ProcessInfo->UniqueProcessId ); } else {
sprintf ((PCHAR)NameBuffer, "%wZ", &ProcessInfo->ImageName ); }
RtlInitAnsiString( &AnsiString, (PCSZ)NameBuffer ); RtlAnsiStringToUnicodeString( &ProcessInfo->ImageName, &AnsiString, TRUE );
ProcessEntrySize = sizeof (*ProcessEntry) + sizeof (ThreadInfo) * ProcessInfo->NumberOfThreads; ProcessEntry = (PPROCESS_INFO)OhAlloc (ProcessEntrySize); InitializeListHead( &ProcessEntry->Entry ); ProcessEntry->ProcessInfo = ProcessInfo; ThreadInfo = (PSYSTEM_THREAD_INFORMATION)(ProcessInfo + 1); for (i = 0; i < ProcessInfo->NumberOfThreads; i += 1) { ProcessEntry->ThreadInfo[i] = ThreadInfo; ThreadInfo += 1; }
InsertTailList( &ProcessListHead, &ProcessEntry->Entry );
if (ProcessInfo->NextEntryOffset == 0) { break; }
TotalOffset += ProcessInfo->NextEntryOffset; ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) ((PCHAR)ProcessInformation + TotalOffset); }
return TRUE;}
PSYSTEM_PROCESS_INFORMATIONOhFindProcessInfoForCid( IN PID UniqueProcessId )/*++
Routine description:
Parameters:
Return value:
--*/{ PLIST_ENTRY Next, Head; PSYSTEM_PROCESS_INFORMATION ProcessInfo; PPROCESS_INFO ProcessEntry; UCHAR NameBuffer [64]; ANSI_STRING AnsiString;
Head = &ProcessListHead; Next = Head->Flink; while (Next != Head) {
ProcessEntry = CONTAINING_RECORD (Next, PROCESS_INFO, Entry);
ProcessInfo = ProcessEntry->ProcessInfo; if( ProcessInfo->UniqueProcessId == UlongToHandle(UniqueProcessId) ) { return ProcessInfo; }
Next = Next->Flink; }
ProcessEntry = (PPROCESS_INFO)RtlAllocateHeap (RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof( *ProcessEntry ) + sizeof( *ProcessInfo )); if (ProcessEntry == NULL) { printf ("Failed to allocate memory for process\n"); ExitProcess (0); } ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)(ProcessEntry+1);
ProcessEntry->ProcessInfo = ProcessInfo; sprintf ((PCHAR)NameBuffer, "Unknown Process" ); RtlInitAnsiString( &AnsiString, (PCSZ)NameBuffer ); RtlAnsiStringToUnicodeString( (PUNICODE_STRING)&ProcessInfo->ImageName, &AnsiString, TRUE ); ProcessInfo->UniqueProcessId = UlongToHandle(UniqueProcessId);
InitializeListHead( &ProcessEntry->Entry ); InsertTailList( &ProcessListHead, &ProcessEntry->Entry );
return ProcessInfo;}
//
// comparison routine used by qsort and bsearch routines
// key: (Pid, HandleValue)
//
int _cdecl AuxInfoCompare( const void* Arg1, const void* Arg2 ){ HANDLE_AUX_INFO* Ele1= (HANDLE_AUX_INFO*) Arg1; HANDLE_AUX_INFO* Ele2= (HANDLE_AUX_INFO*) Arg2;
if( Ele1->Pid < Ele2->Pid ) { return -1; } if( Ele1->Pid > Ele2->Pid ) { return 1; }
if( Ele1->HandleValue < Ele2->HandleValue ) { return -1; } if( Ele1->HandleValue > Ele2->HandleValue ) { return 1; } return 0;}
// OhGatherData
//
// Search through a region of process space for anything that looks
// like it could the value of a handle that is opened by that process.
// If we find a reference, increment the AuxInfo.Hitcount field for that handle.
//
// returns: FALSE if it couldn't scan the region
BOOLOhGatherData( IN HANDLE ProcHan, IN PID PidToExamine, IN PVOID VAddr, IN SIZE_T RegionSize){ PDWORD Buf; SIZE_T BytesRead; BOOL bStatus; SIZE_T i; HANDLE_AUX_INFO AuxToCompare; HANDLE_AUX_INFO* AuxInfo;
Buf= (PDWORD)LocalAlloc( LPTR, RegionSize ); if( Buf == NULL ) { OhComment("Failed to alloc mem size= %d\n",RegionSize); SetLastError( ERROR_NOT_ENOUGH_MEMORY); return FALSE; }
bStatus= ReadProcessMemory( ProcHan, VAddr, Buf, RegionSize, &BytesRead ); if( !bStatus ) { OhComment ( "Failed to ReadProcessMemory\n"); if( Buf ) { LocalFree( Buf ); } return FALSE; }
// feature: this only looks for aligned dword refs. may want unaligned too.
for( i=0; i < BytesRead/sizeof(DWORD); i++ ) { AuxToCompare.HandleValue= Buf[ i ] & (~3); // kernel ignores 2 lsb
AuxToCompare.Pid= PidToExamine;
AuxInfo= (HANDLE_AUX_INFO*) bsearch( &AuxToCompare, Globals.AuxInfo, Globals.AuxSize, sizeof( HANDLE_AUX_INFO ), &AuxInfoCompare ); if( AuxInfo ) { AuxInfo->HitCount++; } }
LocalFree( Buf ); return TRUE;}
VOID OhSearchForReferencedHandles( PID PidToExamine ){ HANDLE_AUX_INFO AuxToCompare; DWORD HandleNumber; HANDLE ProcHan= NULL; // process to examine
PVOID VAddr; // pointer into process virtual memory
MEMORY_BASIC_INFORMATION MemoryInfo; DWORD CurrentProtect; SIZE_T Size;
// ignore process IDs= 0 or 4 because they are the system process
if( ( PidToExamine == (PID)0 ) || ( PidToExamine == (PID)4 ) ) { return; }
AuxToCompare.Pid= PidToExamine;
ProcHan= OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (PID) PidToExamine ); if( NULL == ProcHan ) { OhComment ( "Could not open process %d\n",PidToExamine ); goto errorexit; }
// zero the hit counts for this process number
// if we can't read the memory, we will re-fill the HitCount fields with non-zero
for( HandleNumber=0; HandleNumber < Globals.AuxSize; HandleNumber++ ) { if( Globals.AuxInfo[ HandleNumber ].Pid == PidToExamine ) { Globals.AuxInfo[ HandleNumber ].HitCount= 0; } }
// read thru all interesting process memory
// if we get a value that the process could have written, then see if
// it matches one of our handle values. Keep track of the number of matches.
// if any HitCount field is zero when we are done, there is no way to reference it.
// modulo (encrypted it in memory (xor), truncated into a short, or hidden it
// in a file, memory section not mapped, registry.)
for( VAddr= 0; VAddr < (PVOID) (0x80000000-0x10000); VAddr= (PVOID) ((PCHAR) VAddr+ MemoryInfo.RegionSize) ) {
MemoryInfo.RegionSize=0x1000; Size= VirtualQueryEx( ProcHan, VAddr, &MemoryInfo, sizeof( MemoryInfo ) ); if( Size != sizeof(MemoryInfo) ) { fprintf(stderr,"VirtualQueryEx failed at %p LastError %d\n",VAddr,GetLastError() ); } else { CurrentProtect= MemoryInfo.Protect;
if( MemoryInfo.State == MEM_COMMIT ) { if( (CurrentProtect & (PAGE_READWRITE|PAGE_READWRITE) ) && ( (CurrentProtect&PAGE_GUARD)==0 ) ) { BOOL bSta;
bSta= OhGatherData( ProcHan, PidToExamine, VAddr, MemoryInfo.RegionSize ); if( !bSta ) { goto errorexit; } } } } }
CloseHandle( ProcHan ); ProcHan= NULL;
return;
// If we have an error, just mark all the HitCount values so it looks like they
// have been referenced.
errorexit:
for( HandleNumber=0; HandleNumber < Globals.AuxSize; HandleNumber++ ) { if( Globals.AuxInfo[ HandleNumber ].Pid == PidToExamine ) { Globals.AuxInfo[ HandleNumber].HitCount= LARGE_HITCOUNT; } } CloseHandle( ProcHan ); ProcHan= NULL; return;}
VOIDOhBuildAuxTables( PID PidToExamine )/*++
Routine description:
Creates auxillary table keyed with (HandleValue,Pid) containing HitCount
Parameters:The Process ID to examine
Return value:
--*/{ PID PreviousUniqueProcessId; PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleEntry; ULONG HandleNumber; PSYSTEM_PROCESS_INFORMATION ProcessInfo; DWORD TotalHandles; PID LastPid;
HANDLE_AUX_INFO* AuxInfo;
Globals.AuxInfo= NULL; Globals.AuxSize= 0;
TotalHandles=(DWORD) HandleInformation->NumberOfHandles;
// Allocate AuxInfo table
AuxInfo= (HANDLE_AUX_INFO*) LocalAlloc( LPTR, TotalHandles*sizeof(HANDLE_AUX_INFO) ); if( NULL == AuxInfo ) { return; } Globals.AuxInfo= AuxInfo; Globals.AuxSize= TotalHandles;
// populate the table with key information
HandleEntry = &HandleInformation->Handles[ 0 ]; PreviousUniqueProcessId = (PID) -1;
for (HandleNumber = 0; HandleNumber < TotalHandles; HandleNumber++ ) {
if (PreviousUniqueProcessId != (PID)HandleEntry->UniqueProcessId) { PreviousUniqueProcessId = (PID)HandleEntry->UniqueProcessId; ProcessInfo= OhFindProcessInfoForCid( PreviousUniqueProcessId ); }
AuxInfo[ HandleNumber ].HandleValue= HandleEntry->HandleValue; AuxInfo[ HandleNumber ].Pid= HandleToUlong(ProcessInfo->UniqueProcessId); AuxInfo[ HandleNumber ].HitCount= LARGE_HITCOUNT; AuxInfo[ HandleNumber ].HandleEntry= HandleEntry;
HandleEntry++;
}
// Sort the table so bsearch works later
qsort( AuxInfo, TotalHandles, sizeof( HANDLE_AUX_INFO ), AuxInfoCompare );
//
// Search the process or processes for references and keep count
//
if( PidToExamine ) { OhSearchForReferencedHandles( PidToExamine ); return; }
//
// No Pid then do all the Pids on the system
// (actually only search Pids that have kernel handles)
//
LastPid= (PID) -1; for( HandleNumber=0; HandleNumber < TotalHandles; HandleNumber++ ) { PID ThisPid= Globals.AuxInfo[ HandleNumber ].Pid; if( LastPid != ThisPid ) { OhSearchForReferencedHandles( ThisPid ); LastPid= ThisPid; } }
}
VOIDOhDumpHandles ( BOOLEAN DumpAnonymousHandles )/*++
Routine description:
Parameters:
Return value:
--*/{ PID PreviousUniqueProcessId; PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleEntry; ULONG HandleNumber; PSYSTEM_PROCESS_INFORMATION ProcessInfo; PSYSTEM_OBJECT_INFORMATION ObjectInfo; PUNICODE_STRING ObjectTypeName; WCHAR ObjectName[ 1024 ]; PVOID Object; CHAR OutputLine[ 512 ]; PWSTR s; ULONG n; DWORD d = 0; BOOL AnyRefs;
OhBuildAuxTables( ProcessId );
HandleEntry = &HandleInformation->Handles[ 0 ]; HandleNumber = 0; PreviousUniqueProcessId = (PID) -1; for (HandleNumber = 0; HandleNumber < HandleInformation->NumberOfHandles; HandleNumber++, HandleEntry++ ) { if (PreviousUniqueProcessId != (PID)HandleEntry->UniqueProcessId) { PreviousUniqueProcessId = (PID)HandleEntry->UniqueProcessId; ProcessInfo = OhFindProcessInfoForCid( PreviousUniqueProcessId ); }
ObjectName[ 0 ] = UNICODE_NULL; if (HandleEntry->HandleAttributes & 0x80) { ObjectInfo = (PSYSTEM_OBJECT_INFORMATION)(HandleEntry->Object); Object = ObjectInfo->Object; _try { if (ObjectInfo->NameInfo.Name.Length != 0 && *(ObjectInfo->NameInfo.Name.Buffer) == UNICODE_NULL ) { ObjectInfo->NameInfo.Name.Length = 0; }
n = ObjectInfo->NameInfo.Name.Length / sizeof( WCHAR ); wcsncpy( ObjectName, ObjectInfo->NameInfo.Name.Buffer, n ); ObjectName[ n ] = UNICODE_NULL; } _except( EXCEPTION_EXECUTE_HANDLER ) { _snwprintf( ObjectName, 1024, L"[%04x, %04x, %08x]", ObjectInfo->NameInfo.Name.MaximumLength, ObjectInfo->NameInfo.Name.Length, ObjectInfo->NameInfo.Name.Buffer ); } } else { ObjectInfo = NULL; Object = HandleEntry->Object; }
if( ProcessId != 0 && ProcessInfo->UniqueProcessId != UlongToHandle(ProcessId) ) { continue; }
ObjectTypeName = &TypeCounts[ HandleEntry->ObjectTypeIndex < MAX_TYPE_NAMES ? HandleEntry->ObjectTypeIndex : MAX_TYPE_NAMES ].TypeName ;
TypeCounts[ HandleEntry->ObjectTypeIndex < MAX_TYPE_NAMES ? HandleEntry->ObjectTypeIndex : MAX_TYPE_NAMES ].HandleCount++ ;
if (TypeName[0]) { if (_wcsicmp( TypeName, ObjectTypeName->Buffer )) { continue; } }
if (!*ObjectName) { if (! DumpAnonymousHandles) { continue; } } else if (SearchName[0]) { if (!wcsstr( ObjectName, SearchName )) { s = ObjectName; n = wcslen( SearchName ); while (*s) { if (!_wcsnicmp( s, SearchName, n )) { break; } s += 1; }
if (!*s) { continue; } } }
// See if there were any references to this handle in the process memory space
AnyRefs= TRUE; { HANDLE_AUX_INFO* AuxInfo; HANDLE_AUX_INFO AuxToCompare;
AuxToCompare.Pid= HandleToUlong( ProcessInfo->UniqueProcessId ); AuxToCompare.HandleValue= HandleEntry->HandleValue;
AuxInfo= (HANDLE_AUX_INFO*) bsearch( &AuxToCompare, Globals.AuxInfo, Globals.AuxSize, sizeof( HANDLE_AUX_INFO ), &AuxInfoCompare ); if( AuxInfo ) { if( AuxInfo->HitCount == 0 ) { AnyRefs=FALSE; } }
}
if( (!Globals.fOnlyShowNoRefs) || (Globals.fOnlyShowNoRefs && (AnyRefs==FALSE) ) ) {
if( Globals.fOnlyShowNoRefs) { Info ( "noref_" ); }
if (Globals.DumpTraces) { Info ("%p %-14wZ %-14wZ %04x (%04x) %ws\n", ProcessInfo->UniqueProcessId, &ProcessInfo->ImageName, ObjectTypeName, HandleEntry->HandleValue, HandleEntry->CreatorBackTraceIndex, *ObjectName ? ObjectName : L""); } else { Info ("%p %-14wZ %-14wZ %04x %ws\n", ProcessInfo->UniqueProcessId, &ProcessInfo->ImageName, ObjectTypeName, HandleEntry->HandleValue, *ObjectName ? ObjectName : L""); }
if (HandleEntry->CreatorBackTraceIndex && Globals.TraceDatabase) {
OhDumpStackTrace (Globals.TraceDatabase, HandleEntry->CreatorBackTraceIndex); } } }
return;}
VOIDDoSummary( VOID )/*++
Routine description:
Parameters:
Return value:
--*/{ ULONG i ; ULONG ignored ;
Info ("Summary: \n"); for ( i = 0 ; i < MAX_TYPE_NAMES ; i++ ) { if ( TypeCounts[ i ].HandleCount ) { Info (" %-20ws\t%d\n", TypeCounts[ i ].TypeName.Buffer, TypeCounts[ i ].HandleCount ); } }}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////// Handle stack traces
/////////////////////////////////////////////////////////////////////
VOIDOhError ( PCHAR File, ULONG Line, PCHAR Format, ... );
PCHAROhNameForAddress( IN HANDLE UniqueProcess, IN PVOID Address );
PRTL_PROCESS_BACKTRACESOhLoadSystemTraceDatabase ( ){ const SIZE_T OneMb = 0x100000; NTSTATUS Status; PRTL_PROCESS_BACKTRACES TraceDatabase; SIZE_T RequiredLength; SIZE_T CurrentLength; CurrentLength = OneMb; RequiredLength = 0;
TraceDatabase = (PRTL_PROCESS_BACKTRACES)VirtualAlloc (NULL, CurrentLength, MEM_COMMIT, PAGE_READWRITE);
if (TraceDatabase == NULL) { OhError (__FILE__, __LINE__, "failed to allocate %p bytes", CurrentLength); }
while (TRUE) {
Status = NtQuerySystemInformation (SystemStackTraceInformation, TraceDatabase, (ULONG)CurrentLength, (ULONG *)&RequiredLength);
if (Status == STATUS_INFO_LENGTH_MISMATCH) {
CurrentLength = RequiredLength + OneMb;
VirtualFree (TraceDatabase, 0, MEM_RELEASE);
TraceDatabase = (PRTL_PROCESS_BACKTRACES)VirtualAlloc (NULL, CurrentLength, MEM_COMMIT, PAGE_READWRITE);
if (TraceDatabase == NULL) { OhError (__FILE__, __LINE__, "failed to allocate %p bytes", CurrentLength); } } else if (! NT_SUCCESS(Status)) {
OhError (__FILE__, __LINE__, "QuerySystemInformation failed with status %08x",Status); } else {
//
// We managed to read the stack trace database.
//
break; } }
return TraceDatabase;}
VOIDOhDumpStackTrace ( PRTL_PROCESS_BACKTRACES TraceDatabase, USHORT Index ){ PRTL_PROCESS_BACKTRACE_INFORMATION Trace; USHORT I; PCHAR Name; if (Index >= TraceDatabase->NumberOfBackTraces) { return; }
Trace = &(TraceDatabase->BackTraces[Index - 1]);
if (Trace->Depth > 0) { Info ("\n"); }
for (I = 0; I < Trace->Depth; I += 1) {
if ((ULONG_PTR)(Trace->BackTrace[I]) < 0x80000000) {
if (Trace->BackTrace[I] == NULL) { break; }
Name = OhNameForAddress (Globals.TargetProcess, Trace->BackTrace[I]); Info ("\t%p %s\n", Trace->BackTrace[I], (Name ? Name : "<unknown>")); } else {
Info ("\t%p <kernel address>\n", Trace->BackTrace[I]); } }
Info ("\n");}
BOOLOhEnumerateModules( IN LPSTR ModuleName, IN ULONG_PTR BaseOfDll, IN PVOID UserContext )/*++
UmdhEnumerateModules
Module enumeration 'proc' for imagehlp. Call SymLoadModule on the specified module and if that succeeds cache the module name.
ModuleName is an LPSTR indicating the name of the module imagehlp is enumerating for us; BaseOfDll is the load address of the DLL, which we don't care about, but SymLoadModule does; UserContext is a pointer to the relevant SYMINFO, which identifies our connection.--*/{ DWORD64 Result;
Result = SymLoadModule(Globals.TargetProcess, NULL, // hFile not used
NULL, // use symbol search path
ModuleName, // ModuleName from Enum
BaseOfDll, // LoadAddress from Enum
0); // Let ImageHlp figure out DLL size
// SilviuC: need to understand exactly what does this function return
if (Result) {
Warning (NULL, 0, "SymLoadModule (%s, %p) failed with error %X (%u)", ModuleName, BaseOfDll, GetLastError(), GetLastError());
return FALSE; }
OhComment (" %s (%p) ...", ModuleName, BaseOfDll);
return TRUE;}
VOIDInfo ( PCHAR Format, ... ){ va_list Params;
va_start (Params, Format);
vfprintf (Globals.Output, Format, Params);}
VOIDOhComment ( PCHAR Format, ... ){ va_list Params;
va_start (Params, Format);
fprintf (Globals.Output, "// "); vfprintf (Globals.Output, Format, Params); fprintf (Globals.Output, "\n");}
VOIDWarning ( PCHAR File, ULONG Line, PCHAR Format, ... ){ va_list Params;
va_start (Params, Format);
if (File) { fprintf (stderr, "Warning: %s: %u: ", File, Line); } else { fprintf (stderr, "Warning: "); }
vfprintf (stderr, Format, Params); fprintf (stderr, "\n");}
VOIDOhError ( PCHAR File, ULONG Line, PCHAR Format, ... ){ va_list Params;
va_start (Params, Format);
if (File) { fprintf (stderr, "Error: %s: %u: ", File, Line); } else { fprintf (stderr, "Error: "); }
vfprintf (stderr, Format, Params); fprintf (stderr, "\n");
exit (1);}
VOIDOhStampLog ( VOID )/*++
Routine description: This routines writes an initial stamp in the log. Parameters: None. Return value: None. --*/{ CHAR CompName[MAX_COMPUTERNAME_LENGTH + 1]; DWORD CompNameLength = MAX_COMPUTERNAME_LENGTH + 1; SYSTEMTIME st; OSVERSIONINFOEX OsInfo;
//
// Stamp the log
//
ZeroMemory (&OsInfo, sizeof OsInfo); OsInfo.dwOSVersionInfoSize = sizeof OsInfo;
GetVersionEx ((POSVERSIONINFO)(&OsInfo));
GetLocalTime(&st); GetComputerName(CompName, &CompNameLength);
OhComment (""); OhComment ("TIME: %4u-%02u-%02u %02u:%02u", st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute); OhComment ("MACHINE: %s", CompName); OhComment ("BUILD: %u", OsInfo.dwBuildNumber); OhComment ("OH version: %s", BUILD_MACHINE_TAG); OhComment (""); OhComment ("");}
VOIDOhInitializeHandleStackTraces ( PID Pid )/*++
Routine description: This routine initializes all interal structures required to read handle stack traces. It will adjust priviles (in order for this to work on lsass, winlogon, etc.), open the process, read from kernel the trace database. Parameters: Pid - process ID for the process for which we will get traces. Return value: None. --*/{ BOOL Result; NTSTATUS Status;
//
// Check if we have a symbols path defined and define a default one
// if not.
//
OhSetSymbolsPath ();
//
// Imagehlp library needs the query privilege for the process
// handle and of course we need also read privilege because
// we will read all sorts of things from the process.
//
Globals.TargetProcess = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);
if (Globals.TargetProcess == NULL) {
OhError (__FILE__, __LINE__, "OpenProcess(%u) failed with error %u", Pid, GetLastError()); }
OhComment ("Process %u opened.", Pid);
//
// Attach ImageHlp and enumerate the modules.
//
Result = SymInitialize(Globals.TargetProcess, // target process
NULL, // standard symbols search path
TRUE); // invade process space with symbols
if (Result == FALSE) {
ULONG ErrorCode = GetLastError();
if (ErrorCode >= 0x80000000) { OhError (__FILE__, __LINE__, "imagehlp.SymInitialize() failed with error %X", ErrorCode); } else {
OhError (__FILE__, __LINE__, "imagehlp.SymInitialize() failed with error %u", ErrorCode); } }
OhComment ("Dbghelp initialized.");
SymSetOptions(SYMOPT_CASE_INSENSITIVE | SYMOPT_DEFERRED_LOADS | SYMOPT_LOAD_LINES | SYMOPT_UNDNAME);
OhComment ("Enumerating modules ..."); OhComment ("");
Result = SymEnumerateModules (Globals.TargetProcess, OhEnumerateModules, Globals.TargetProcess); if (Result == FALSE) {
OhError (__FILE__, __LINE__, "SymEnumerateModules() failed with error %u", GetLastError()); }
OhComment (""); OhComment ("Finished module enumeration.");
//
// Initialize local trace database. Note that order is important.
// Initialize() assumes the process handle to the target process
// already exists and the symbol management package was initialized.
//
OhComment ("Loading stack trace database ...");
Globals.TraceDatabase = OhLoadSystemTraceDatabase ();
OhComment ("Initialization finished."); OhComment ("");
OhComment ("\n");}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////// Symbol lookup
/////////////////////////////////////////////////////////////////////
#define HNDL_SYMBOL_MAP_BUCKETS 4096
typedef struct _HNDL_SYMBOL_ENTRY{ PVOID Address; PCHAR Symbol; struct _HNDL_SYMBOL_ENTRY * Next;
} HNDL_SYMBOL_ENTRY, * PHNDL_SYMBOL_ENTRY;
PHNDL_SYMBOL_ENTRY OhSymbolsMap [HNDL_SYMBOL_MAP_BUCKETS];
PCHAR OhFindSymbol ( PVOID Address ){ ULONG_PTR Bucket = ((ULONG_PTR)Address >> 2) % HNDL_SYMBOL_MAP_BUCKETS; PHNDL_SYMBOL_ENTRY Node = OhSymbolsMap[Bucket];
while (Node != NULL ) {
if (Node->Address == Address) { return Node->Symbol; }
Node = Node->Next; }
return NULL;}
VOID OhInsertSymbol ( PCHAR Symbol, PVOID Address ){ ULONG_PTR Bucket = ((ULONG_PTR)Address >> 2) % HNDL_SYMBOL_MAP_BUCKETS;
PHNDL_SYMBOL_ENTRY New; New = (PHNDL_SYMBOL_ENTRY) OhAlloc (sizeof (HNDL_SYMBOL_ENTRY)); New->Symbol = Symbol; New->Address = Address; New->Next = OhSymbolsMap[Bucket];
OhSymbolsMap[Bucket] = New;}
PCHAROhNameForAddress( IN HANDLE UniqueProcess, IN PVOID Address ){ IMAGEHLP_MODULE ModuleInfo; CHAR SymbolBuffer[512]; PIMAGEHLP_SYMBOL Symbol; ULONG_PTR Offset; CHAR Name [512 + 100]; SIZE_T TotalSize; BOOL Result; PVOID Duplicate; PCHAR SymbolName;
//
// Lookup in map first ..
//
SymbolName = OhFindSymbol (Address);
if (SymbolName != NULL) { return SymbolName; } TotalSize = 0; ModuleInfo.SizeOfStruct = sizeof(IMAGEHLP_MODULE);
if (SymGetModuleInfo (UniqueProcess, (ULONG_PTR)Address, &ModuleInfo)) {
TotalSize += strlen( ModuleInfo.ModuleName ); } else {
Warning (NULL, 0, "Symbols: cannot identify module for address %p", Address); return NULL; }
Symbol = (PIMAGEHLP_SYMBOL)SymbolBuffer; Symbol->MaxNameLength = 512 - sizeof(IMAGEHLP_SYMBOL) - 1;
if (SymGetSymFromAddr (UniqueProcess, (ULONG_PTR)Address, &Offset, Symbol)) {
TotalSize += strlen (Symbol->Name) + 16 + 3;
sprintf (Name, "%s!%s+%08X", ModuleInfo.ModuleName, Symbol->Name, Offset);
Duplicate = _strdup(Name); OhInsertSymbol ((PCHAR)Duplicate, Address); return (PCHAR)Duplicate; } else {
Warning (NULL, 0, "Symbols: incorrect symbols for module %s (address %p)", ModuleInfo.ModuleName, Address);
TotalSize += strlen ("???") + 16 + 5;
sprintf (Name, "%s!%s @ %p", ModuleInfo.ModuleName, "???", Address);
Duplicate = _strdup(Name); OhInsertSymbol ((PCHAR)Duplicate, Address); return (PCHAR)Duplicate; }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////// Registry handling
/////////////////////////////////////////////////////////////////////
//
// Registry key name to read/write system global flags
//
#define KEYNAME_SESSION_MANAGER "SYSTEM\\CurrentControlSet\\Control\\Session Manager"
DWORDOhGetCurrentGlobalFlags ( ){ SYSTEM_FLAGS_INFORMATION Information; NTSTATUS Status;
Status = NtQuerySystemInformation (SystemFlagsInformation, &Information, sizeof Information, NULL);
if (! NT_SUCCESS(Status)) {
OhError (NULL, 0, "cannot get current global flags settings (error %08X) \n", Status); }
return Information.Flags;}
DWORDOhGetSystemRegistryFlags ( ){ DWORD cbKey; DWORD GFlags; DWORD type; HKEY hKey; LONG Result;
Result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, KEYNAME_SESSION_MANAGER, 0, KEY_READ | KEY_WRITE, &hKey);
if (Result != ERROR_SUCCESS) {
OhError (NULL, 0, "cannot open registry key `%s' \n", KEYNAME_SESSION_MANAGER); }
cbKey = sizeof (GFlags);
Result = RegQueryValueEx (hKey, "GlobalFlag", 0, &type, (LPBYTE)&GFlags, &cbKey); if (Result != ERROR_SUCCESS || type != REG_DWORD) {
OhError (NULL, 0, "cannot read registry value '%s'\n", KEYNAME_SESSION_MANAGER "\\GlobalFlag"); }
RegCloseKey (hKey); hKey = NULL;
return GFlags;}
VOIDOhSetSystemRegistryFlags( DWORD GFlags ){ HKEY hKey; LONG Result;
Result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, KEYNAME_SESSION_MANAGER, 0, KEY_READ | KEY_WRITE, &hKey);
if (Result != ERROR_SUCCESS) { OhError (NULL, 0, "cannot open registry key '%s'\n", KEYNAME_SESSION_MANAGER ); }
Result = RegSetValueEx (hKey, "GlobalFlag", 0, REG_DWORD, (LPBYTE)&GFlags, sizeof( GFlags ));
if (Result != ERROR_SUCCESS) { OhError (NULL, 0, "cannot write registry value '%s'\n", KEYNAME_SESSION_MANAGER "\\GlobalFlag" ); }
RegCloseKey (hKey); hKey = NULL;}
VOIDOhSetRequiredGlobalFlag ( DWORD Flags ){ DWORD RegistryFlags;
if ((Flags & FLG_KERNEL_STACK_TRACE_DB)) { RegistryFlags = OhGetSystemRegistryFlags ();
OhSetSystemRegistryFlags (RegistryFlags | FLG_KERNEL_STACK_TRACE_DB);
Info ("Enabled `kernel mode stack traces' flag needed for handle traces. \n" "Will take effect next time you boot. \n" " \n"); } else if ((Flags & FLG_MAINTAIN_OBJECT_TYPELIST)) { RegistryFlags = OhGetSystemRegistryFlags ();
OhSetSystemRegistryFlags (RegistryFlags | FLG_MAINTAIN_OBJECT_TYPELIST);
Info ("Enabled `object type list' flag needed by the OH utility. \n" "Will take effect next time you boot. \n" " \n"); }}
VOIDOhResetRequiredGlobalFlag ( DWORD Flags ){ DWORD RegistryFlags;
if ((Flags & FLG_KERNEL_STACK_TRACE_DB)) { RegistryFlags = OhGetSystemRegistryFlags (); RegistryFlags &= ~FLG_KERNEL_STACK_TRACE_DB;
OhSetSystemRegistryFlags (RegistryFlags);
Info ("Disabled `kernel mode stack traces' flag needed for handle traces. \n" "Will take effect next time you boot. \n" " \n"); } else if ((Flags & FLG_MAINTAIN_OBJECT_TYPELIST)) { RegistryFlags = OhGetSystemRegistryFlags (); RegistryFlags &= ~FLG_MAINTAIN_OBJECT_TYPELIST;
OhSetSystemRegistryFlags (RegistryFlags);
Info ("Disabled `object type list' flag needed by the OH utility. \n" "Will take effect next time you boot. \n" " \n"); }}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////////// Memory management routines
/////////////////////////////////////////////////////////////////////
PVOIDOhAlloc ( SIZE_T Size ){ PVOID P;
P = RtlAllocateHeap (RtlProcessHeap(), HEAP_ZERO_MEMORY, Size);
if (P == NULL) { OhError (__FILE__, __LINE__, "failed to allocate %u bytes", Size); }
return P;}
VOIDOhFree ( PVOID P ){ RtlFreeHeap (RtlProcessHeap(), 0, P);}
PVOIDOhZoneAlloc( IN OUT SIZE_T *Length )/*++
Routine description:
Parameters:
Return value:
--*/{ PVOID Buffer; MEMORY_BASIC_INFORMATION MemoryInformation;
Buffer = VirtualAlloc (NULL, *Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (Buffer == NULL) { OhError (__FILE__, __LINE__, "failed to allocate %u bytes", *Length); } else if (Buffer != NULL && VirtualQuery (Buffer, &MemoryInformation, sizeof (MemoryInformation))) {
*Length = MemoryInformation.RegionSize; }
return Buffer;}
PVOIDOhZoneAllocEx( SIZE_T Size )/*++
Routine description:
Parameters:
Return value:
--*/{ PVOID Buffer;
Buffer = VirtualAlloc (NULL, Size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (Buffer == NULL) { OhError (__FILE__, __LINE__, "failed to allocate %u bytes", Size); }
return Buffer;}
VOIDOhZoneFree( IN PVOID Buffer )/*++
Routine description:
Parameters:
Return value:
--*/{ if (!VirtualFree (Buffer, 0, MEM_DECOMMIT)) { fprintf( stderr, "Unable to free buffer memory %p, error == %u\n", Buffer, GetLastError() ); exit( 1 ); }}
BOOLOhSetSymbolsPath ( )/*++
Routine Description:
OhSetSymbolsPath tries to set automatically the symbol path if _NT_SYMBOL_PATH environment variable is not already defined.
Arguments:
None.
Return Value:
Returns TRUE if the symbols path seems to be ok, that is _NT_SYMBOL_PATH was defined or we managed to define it to a meaningful value. --*/{ TCHAR Buffer [MAX_PATH]; DWORD Length; BOOL Result;
Length = GetEnvironmentVariable (TEXT("_NT_SYMBOL_PATH"), Buffer, MAX_PATH);
if (Length == 0) { Warning (NULL, 0, "_NT_SYMBOL_PATH variable is not defined. Will be set to %%windir%%\\symbols.");
Length = GetEnvironmentVariable (TEXT("windir"), Buffer, MAX_PATH);
if (Length == 0) { OhError (NULL, 0, "Cannot get value of WINDIR environment variable."); return FALSE; }
strcat (Buffer, TEXT("\\symbols"));
Result = SetEnvironmentVariable (TEXT("_NT_SYMBOL_PATH"), Buffer);
if (Result == FALSE) {
OhError (NULL, 0, "Failed to set _NT_SYMBOL_PATH to `%s'", Buffer);
return FALSE; }
OhComment ("_NT_SYMBOL_PATH set by default to %s", Buffer); }
return TRUE;}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////// Log compare
/////////////////////////////////////////////////////////////////////
LPTSTROhCmpSearchStackTrace ( LPTSTR FileName, LPTSTR TraceId );
PSTRINGTOINTASSOCIATIONMAPSTRINGTOINT::GetStartPosition( VOID )/*++
Routine Description:
This routine retrieves the first association in the list for iteration with the MAPSTRINGTOINT::GetNextAssociation function. Arguments:
None.
Return value:
The first association in the list, or NULL if the map is empty.
--*/
{ return Associations;}
VOIDMAPSTRINGTOINT::GetNextAssociation( IN OUT PSTRINGTOINTASSOCIATION & Position, OUT LPTSTR & Key, OUT LONG & Value)/*++
Routine Description:
This routine retrieves the data for the current association and sets Position to point to the next association (or NULL if this is the last association.) Arguments:
Position - Supplies the current association and returns the next association. Key - Returns the key for the current association.
Value - Returns the value for the current association.
Return value:
None.
--*/
{ Key = Position->Key; Value = Position->Value; Position = Position->Next;}
MAPSTRINGTOINT::MAPSTRINGTOINT( )/*++
Routine Description:
This routine initializes a MAPSTRINGTOINT to be empty. Arguments:
None.
Return value:
None.
--*/
{ Associations = NULL;}
MAPSTRINGTOINT::~MAPSTRINGTOINT( )/*++
Routine Description:
This routine cleans up memory used by a MAPSTRINGTOINT. Arguments:
None. Return value:
None.
--*/
{ PSTRINGTOINTASSOCIATION Deleting; // clean up associations
while (Associations != NULL) { // save pointer to first association
Deleting = Associations; // remove first association from list
Associations = Deleting->Next; // free removed association
free (Deleting->Key); delete Deleting; }}
LONG & MAPSTRINGTOINT::operator [] ( IN LPTSTR Key )/*++
Routine Description:
This routine retrieves an l-value for the value associated with a given key. Arguments:
Key - The key for which the value is to be retrieved.
Return value:
A reference to the value associated with the provided key.
--*/
{ PSTRINGTOINTASSOCIATION CurrentAssociation = Associations;
// search for key
while(CurrentAssociation != NULL) { if(!_tcscmp(CurrentAssociation->Key, Key)) { // found key, return value
return CurrentAssociation->Value; } CurrentAssociation = CurrentAssociation->Next; } // not found, create new association
CurrentAssociation = new STRINGTOINTASSOCIATION; if (CurrentAssociation == NULL) { _tprintf(_T("Memory allocation failure\n")); exit (0); }
if (Key == NULL) { _tprintf(_T("Null object name\n")); exit (0); } else if (_tcscmp (Key, "") == 0) { _tprintf(_T("Invalid object name `%s'\n"), Key); exit (0); }
CurrentAssociation->Key = _tcsdup(Key); if (CurrentAssociation->Key == NULL) { _tprintf(_T("Memory string allocation failure\n")); exit (0); }
// add association to front of list
CurrentAssociation->Next = Associations; Associations = CurrentAssociation; // return value for new association
return CurrentAssociation->Value;}
BOOLEANMAPSTRINGTOINT::Lookup( IN LPTSTR Key, OUT LONG & Value ) /*++
Routine Description:
This routine retrieves an r-value for the value association with a given key. Arguments:
Key - The key for which the associated value is to be retrieved.
Value - Returns the value associated with Key if Key is present in the map.
Return value:
TRUE if the key is present in the map, FALSE otherwise.
--*/
{ PSTRINGTOINTASSOCIATION CurrentAssociation = Associations; // search for key
while (CurrentAssociation != NULL) { if(!_tcscmp(CurrentAssociation->Key , Key)) {
// found key, return it
Value = CurrentAssociation->Value; return TRUE; } CurrentAssociation = CurrentAssociation->Next; } // didn't find it
return FALSE;}
BOOLEANOhCmpPopulateMapsFromFile( IN LPTSTR FileName, OUT MAPSTRINGTOINT & TypeMap, OUT MAPSTRINGTOINT & NameMap, BOOLEAN FileWithTraces )/*++
Routine Description:
This routine parses an OH output file and fills two maps with the number of handles ofeach type and the number of handles to each named object.
Arguments:
FileName - OH output file to parse.
TypeMap - Map to fill with handle type information.
NameMap - Map to fill with named object information.
Return value:
TRUE if the file was successfully parsed, FALSE otherwise. --*/
{ LONG HowMany; LPTSTR Name, Type, Process, Pid; LPTSTR NewLine; TCHAR LineBuffer[512]; TCHAR ObjectName[512]; TCHAR TypeName[512]; FILE *InputFile; ULONG LineNumber;
BOOLEAN rc;
LineNumber = 0;
// open file
InputFile = _tfopen(FileName, _T("rt"));
if (InputFile == NULL) { _ftprintf(stderr, _T("Error opening oh file %s.\n"), FileName); return FALSE; }
rc = TRUE; // loop through lines in oh output
while (_fgetts(LineBuffer, sizeof(LineBuffer), InputFile) && !( feof(InputFile) || ferror(InputFile) ) ) { LineNumber += 1;
// trim off newline
if((NewLine = _tcschr(LineBuffer, _T('\n'))) != NULL) { *NewLine = _T('\0'); }
// ignore lines that start with white space or are empty.
if (LineBuffer[0] == _T('\0') || LineBuffer[0] == _T('\t') || LineBuffer[0] == _T(' ')) { continue; }
// ignore lines that start with a comment
if( LineBuffer[0] == _T('/') && LineBuffer[1] == _T('/') ) { continue; }
// skip pid
if((Pid = _tcstok(LineBuffer, _T(" \t"))) == NULL) { rc = FALSE; break; }
// skip process name
if((Process = _tcstok(NULL, _T(" \t"))) == NULL) { rc = FALSE; break; }
// Type points to the type of handle
if ((Type = _tcstok(NULL, _T(" \t"))) == NULL) { rc = FALSE; break; }
// HowMany = number of previous handles with this type
_stprintf (TypeName, TEXT("<%s/%s/%s>"), Process, Pid, Type);
if (TypeMap.Lookup(TypeName, HowMany) == FALSE) { HowMany = 0; }
// add another handle of this type
TypeMap[TypeName] = (HowMany + 1); //
// Name points to the name. These are magic numbers based on the way
// OH formats output. The output is a little bit different if the
// `-h' option of OH was used (this dumps stack traces too).
//
Name = LineBuffer + 39 + 5;
if (FileWithTraces) { Name += 7; }
if (_tcscmp (Name, "") == 0) {
_stprintf (ObjectName, TEXT("<%s/%s/%s>::<<noname>>"), Process, Pid, Type); } else {
_stprintf (ObjectName, TEXT("<%s/%s/%s>::%s"), Process, Pid, Type, Name); }
// HowMany = number of previous handles with this name
// printf("name --> `%s' \n", ObjectName);
if (NameMap.Lookup(ObjectName, HowMany) == FALSE) { HowMany = 0; }
// add another handle with this name and read the next line
// note -- NameMap[] is a class operator, not an array.
NameMap[ObjectName] = (HowMany + 1); }
// done, close file
fclose(InputFile);
return rc;}
int__cdeclOhCmpKeyCompareAssociation ( const void * Left, const void * Right ){ PSTRINGTOINTASSOCIATION X; PSTRINGTOINTASSOCIATION Y;
X = (PSTRINGTOINTASSOCIATION)Left; Y = (PSTRINGTOINTASSOCIATION)Right;
return _tcscmp (X->Key, Y->Key);}
int__cdeclOhCmpValueCompareAssociation ( const void * Left, const void * Right ){ PSTRINGTOINTASSOCIATION X; PSTRINGTOINTASSOCIATION Y;
X = (PSTRINGTOINTASSOCIATION)Left; Y = (PSTRINGTOINTASSOCIATION)Right;
return Y->Value - X->Value;}
VOID OhCmpPrintIncreases( IN MAPSTRINGTOINT & BeforeMap, IN MAPSTRINGTOINT & AfterMap, IN BOOLEAN ReportIncreasesOnly, IN BOOLEAN PrintHighlights, IN LPTSTR AfterLogName )/*++
Routine Description:
This routine compares two maps and prints out the differences between them.
Arguments:
BeforeMap - First map to compare.
AfterMap - Second map to compare.
ReportIncreasesOnly - TRUE for report only increases from BeforeMap to AfterMap, FALSE for report all differences.
Return value:
None. --*/
{ PSTRINGTOINTASSOCIATION Association = NULL; LONG HowManyBefore = 0; LONG HowManyAfter = 0; LPTSTR Key = NULL; PSTRINGTOINTASSOCIATION SortBuffer; ULONG SortBufferSize; ULONG SortBufferIndex; //
// Loop through associations in map and figure out how many output lines
// we will have.
//
SortBufferSize = 0;
for (Association = AfterMap.GetStartPosition(), AfterMap.GetNextAssociation(Association, Key, HowManyAfter); Association != NULL; AfterMap.GetNextAssociation(Association, Key, HowManyAfter)) { // look up value for this key in BeforeMap
if(BeforeMap.Lookup(Key, HowManyBefore) == FALSE) { HowManyBefore = 0; }
// should we report this?
if((HowManyAfter > HowManyBefore) || ((!ReportIncreasesOnly) && (HowManyAfter != HowManyBefore))) { SortBufferSize += 1; } } //
// Loop through associations in map again this time filling the output buffer.
//
SortBufferIndex = 0;
SortBuffer = new STRINGTOINTASSOCIATION[SortBufferSize];
if (SortBuffer == NULL) { _ftprintf(stderr, _T("Failed to allocate internal buffer of %u bytes.\n"), SortBufferSize); return; }
for (Association = AfterMap.GetStartPosition(), AfterMap.GetNextAssociation(Association, Key, HowManyAfter); Association != NULL; AfterMap.GetNextAssociation(Association, Key, HowManyAfter)) { // look up value for this key in BeforeMap
if(BeforeMap.Lookup(Key, HowManyBefore) == FALSE) { HowManyBefore = 0; }
// should we report this?
if((HowManyAfter > HowManyBefore) || ((!ReportIncreasesOnly) && (HowManyAfter != HowManyBefore))) { ZeroMemory (&(SortBuffer[SortBufferIndex]), sizeof (STRINGTOINTASSOCIATION));
SortBuffer[SortBufferIndex].Key = Key; SortBuffer[SortBufferIndex].Value = HowManyAfter - HowManyBefore; SortBufferIndex += 1; } }
//
// Sort the output buffer using the Key.
//
if (PrintHighlights) {
qsort (SortBuffer, SortBufferSize, sizeof (STRINGTOINTASSOCIATION), OhCmpValueCompareAssociation); } else {
qsort (SortBuffer, SortBufferSize, sizeof (STRINGTOINTASSOCIATION), OhCmpKeyCompareAssociation); }
//
// Dump the buffer.
//
for (SortBufferIndex = 0; SortBufferIndex < SortBufferSize; SortBufferIndex += 1) { if (PrintHighlights) {
if (SortBuffer[SortBufferIndex].Value >= 1) {
TCHAR TraceId[7]; LPTSTR Start;
_tprintf(_T("%d\t%s\n"), SortBuffer[SortBufferIndex].Value, SortBuffer[SortBufferIndex].Key);
Start = _tcsstr (SortBuffer[SortBufferIndex].Key, "(");
if (Start == NULL) { TraceId[0] = 0; } else {
_tcsncpy (TraceId, Start, 6);
TraceId[6] = 0; }
_tprintf (_T("%s"), OhCmpSearchStackTrace (AfterLogName, TraceId)); } } else {
_tprintf(_T("%d\t%s\n"), SortBuffer[SortBufferIndex].Value, SortBuffer[SortBufferIndex].Key); } }
//
// Clean up memory.
//
if (SortBuffer) { delete[] SortBuffer; }}
VOIDOhCmpCompareLogs ( IN LONG argc, IN LPTSTR argv[] )/*++
Routine Description:
This routine parses program arguments, reads the two input files, and prints out thedifferences.
Arguments:
argc - Number of command-line arguments.
argv - Command-line arguments.
Return value:
None. --*/{ MAPSTRINGTOINT TypeMapBefore, TypeMapAfter; MAPSTRINGTOINT NameMapBefore, NameMapAfter; LPTSTR BeforeFileName=NULL; LPTSTR AfterFileName=NULL; BOOLEAN ReportIncreasesOnly = TRUE; BOOLEAN Interpreted = FALSE; BOOLEAN Result; BOOLEAN FileWithTraces; BOOLEAN PrintHighlights;
// parse arguments
FileWithTraces = FALSE; PrintHighlights = FALSE;
for (LONG n = 1; n < argc; n++) {
Interpreted = FALSE;
switch(argv[n][0]) {
case _T('-'): case _T('/'):
// the argument is a switch
if(_tcsicmp(argv[n]+1, _T("all")) == 0) {
ReportIncreasesOnly = FALSE; Interpreted = TRUE;
} else if (_tcsicmp(argv[n]+1, _T("t")) == 0) {
FileWithTraces = TRUE; Interpreted = TRUE; } else if (_tcsicmp(argv[n]+1, _T("l")) == 0) {
PrintHighlights = TRUE; Interpreted = TRUE; }
break;
default:
// the argument is a file name
if(BeforeFileName == NULL) {
BeforeFileName = argv[n]; Interpreted = TRUE;
} else {
if(AfterFileName == NULL) {
AfterFileName = argv[n]; Interpreted = TRUE;
} else { Help(); }
}
break; }
if(!Interpreted) { Help(); } }
// did user specify required arguments?
if((BeforeFileName == NULL) || (AfterFileName == NULL)) { Help(); }
// read oh1 file
Result = OhCmpPopulateMapsFromFile (BeforeFileName, TypeMapBefore, NameMapBefore, FileWithTraces);
if(Result == FALSE) {
_ftprintf(stderr, _T("Failed to read first OH output file.\n")); return; }
// read oh2 file
Result = OhCmpPopulateMapsFromFile (AfterFileName, TypeMapAfter, NameMapAfter, FileWithTraces);
if(Result == FALSE) {
_ftprintf(stderr, _T("Failed to read second OH output file.\n")); return; }
// print out increases by handle name
if (PrintHighlights) {
_putts (TEXT ("\n") TEXT("// \n") TEXT("// Possible leaks (DELTA <PROCESS/PID/TYPE>::NAME): \n") TEXT("// \n") TEXT("// Note that the NAME can appear as `(TRACEID) NAME' if output \n") TEXT("// is generated by comparing OH files containing traces. In this case \n") TEXT("// just search in the `AFTER' OH log file for the trace id to \n") TEXT("// find the stack trace creating the handle possibly leaked. \n") TEXT("// \n\n"));
OhCmpPrintIncreases (NameMapBefore, NameMapAfter, ReportIncreasesOnly, TRUE, AfterFileName); }
// print out increases by handle type
_putts (TEXT ("\n") TEXT("// \n") TEXT("// Handle types (DELTA <PROCESS/PID/TYPE>): \n") TEXT("// \n") TEXT("// DELTA is the additional number of handles found in the `AFTER' log. \n") TEXT("// PROCESS is the process name having a handle increase. \n") TEXT("// PID is the process PID having a handle increase. \n") TEXT("// TYPE is the type of the handle \n") TEXT("// \n\n"));
OhCmpPrintIncreases (TypeMapBefore, TypeMapAfter, ReportIncreasesOnly, FALSE, NULL);
// print out increases by handle name
_putts (TEXT ("\n") TEXT("// \n") TEXT("// Objects (named and anonymous) (DELTA <PROCESS/PID/TYPE>::NAME): \n") TEXT("// \n") TEXT("// DELTA is the additional number of handles found in the `AFTER' log. \n") TEXT("// PROCESS is the process name having a handle increase. \n") TEXT("// PID is the process PID having a handle increase. \n") TEXT("// TYPE is the type of the handle \n") TEXT("// NAME is the name of the handle. Anonymous handles appear with name <<noname>>.\n") TEXT("// \n") TEXT("// Note that the NAME can appear as `(TRACEID) NAME' if output \n") TEXT("// is generated by comparing OH files containing traces. In this case \n") TEXT("// just search in the `AFTER' OH log file for the trace id to \n") TEXT("// find the stack trace creating the handle possibly leaked. \n") TEXT("// \n\n"));
OhCmpPrintIncreases (NameMapBefore, NameMapAfter, ReportIncreasesOnly, FALSE, NULL);}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
TCHAR OhCmpStackTraceBuffer [0x10000];
LPTSTROhCmpSearchStackTrace ( LPTSTR FileName, LPTSTR TraceId ){ TCHAR LineBuffer[512]; FILE *InputFile;
OhCmpStackTraceBuffer[0] = 0;
//
// Open file.
//
InputFile = _tfopen(FileName, _T("rt"));
if (InputFile == NULL) { _ftprintf(stderr, _T("Error opening oh file %s.\n"), FileName); return NULL; } //
// Loop through lines in oh output.
//
while (_fgetts(LineBuffer, sizeof(LineBuffer), InputFile) && !( feof(InputFile) || ferror(InputFile) ) ) { //
// Skip line if it does not contain trace ID.
//
if (_tcsstr (LineBuffer, TraceId) == NULL) { continue; }
//
// We have got a trace ID. We need now to copy everything
// to a trace buffer until we get a line containing a character
// in column zero.
//
while (_fgetts(LineBuffer, sizeof(LineBuffer), InputFile) && !( feof(InputFile) || ferror(InputFile) ) ) {
if (LineBuffer[0] == _T(' ') || LineBuffer[0] == _T('\0') || LineBuffer[0] == _T('\n') || LineBuffer[0] == _T('\t')) {
_tcscat (OhCmpStackTraceBuffer, LineBuffer); } else {
break; } }
break; }
//
// Close file.
fclose(InputFile);
return OhCmpStackTraceBuffer;}
|
