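1. Installation
After installing WinDbg, you will find gflags.exe and umdh.exe in the WinDbg directory.
2. Configure the environment
Add the WinDbg installation directory to the environment variables.
3. Configure gflags
Open gflags.exe and configure it as shown in the figure.
4. Start detection
(1) Open a command prompt (hint: Win + R).
(2) Type umdh to see what the command's options mean.
(3) Write a test program: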
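#include <iostream>
#include <windows.h>
int main()
{
    const char* file_name2 = "test";  // placeholder; the original value is not shown
    char* cc3 = NULL;
    for (int i = 0; i < 10000; i++)
    {
        std::cout << file_name2 << std::endl;
        cc3 = new char[1024];  // deliberately leaked: never passed to delete[]
        Sleep(200);            // slow the loop so two snapshots can be taken
    }
}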
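(4) Set _NT_SYMBOL_PATH to the PDB path:
set _NT_SYMBOL_PATH=H:/MyProcess/TestTChar/x64/Release;SRV*f:\symbols*http://msdl.microsoft.com/download/symbols
H:/MyProcess/TestTChar/x64/Release is the directory holding your test program's PDB.
SRV*f:\symbols*http://msdl.microsoft.com/download/symbols points at Microsoft's PDBs, which are downloaded into f:\symbols.
(5) Start the test program.
(6) Generate the snapshot files
Generate the analysis file for the first point in time: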
umdh -pn:newChar.exe -f:D:/FirstDump.txt
Wait a while with newChar.exe still running.
Generate the analysis file for the second point in time:
umdh -pn:newChar.exe -f:D:/SecondDump.txt
(7) Compare the snapshot files
Combine the two files to get the final analysis file:
umdh D:/FirstDump.txt D:/SecondDump.txt -f:D:/Result.txt
(8) Analysis
// Debug library initialized ... a
    ntdll!LdrInitializeThunk+00000063
    ntdll!LdrInitializeThunk+0000000E

- 4608 ( 0 - 4608) 0 allocs BackTraceA9BECFC0
- 1 ( 0 - 1) BackTraceA9BECFC0 allocations
    ntdll!RtlAllocateHeap+00000AFD
    apphelp!SdbTagRefToTagID+00000B82
    apphelp!SdbPackAppCompatData+000011CD
    apphelp!SE_WINRT_HookObject+00004085
    apphelp!SE_WINRT_HookObject+00000F77
    apphelp!SdbFreeFileInfo+000009CC
    apphelp!SE_InstallBeforeInit+000002E4
    apphelp!SE_InstallBeforeInit+00000065
    ntdll!RtlQueryDepthSList+00000268
    ntdll!RtlQueryDepthSList+0000015B
    ntdll!LdrInitShimEngineDynamic+00003693
    ntdll!LdrInitializeThunk+000001DB
    ntdll!LdrInitializeThunk+00000063
    ntdll!LdrInitializeThunk+0000000E

- 10747 ( 0 - 10747) 0 allocs BackTraceA8378320
- 19 ( 0 - 19) BackTraceA8378320 allocations
    ntdll!RtlAllocateHeap+00000AFD
    ucrtbase!calloc_base+0000004E
    ucrtbase!wsetlocale+00000FC4
    ucrtbase!initialize_narrow_environment+00000074
    ucrtbase!initialize_narrow_environment+00000019
    ucrtbase!o__recalloc+00000150
    ucrtbase!msize+00000146
    ntdll!RtlActivateActivationContextUnsafeFast+0000011D
    ntdll!LdrGetProcedureAddressEx+000002D7
    ntdll!LdrGetProcedureAddressEx+0000006A
    ntdll!LdrGetProcedureAddressEx+000000F0
    ntdll!LdrGetProcedureAddressEx+000000F0
    ntdll!LdrGetProcedureAddressEx+000000F0
    ntdll!LdrInitShimEngineDynamic+000038DA
    ntdll!LdrInitializeThunk+000001DB
    ntdll!LdrInitializeThunk+00000063
    ntdll!LdrInitializeThunk+0000000E

- 14336 ( 0 - 14336) 0 allocs BackTraceA9D395E0
- 14 ( 0 - 14) BackTraceA9D395E0 allocations
    ntdll!RtlAllocateHeap+00000AFD
    ucrtbase!malloc_base+00000036
    TestTChar!operator new+0000001F (D:\agent\_work\13\s\src\vctools\crt\vcstartup\src\heap\new_scalar.cpp, 35)
    TestTChar!main+0000048A (H:\MyProcess\TestTChar\TestTChar\TestTChar.cpp, 53)
    TestTChar!__scrt_common_main_seh+0000010C (D:\agent\_work\13\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl, 288)
    KERNEL32!BaseThreadInitThunk+00000014
    ntdll!RtlUserThreadStart+00000021

- 26444 ( 0 - 26444) 0 allocs BackTraceA9BE8EC0
- 1 ( 0 - 1) BackTraceA9BE8EC0 allocations
    ntdll!RtlAllocateHeap+00000AFD
    ntdll!RtlSetEnvironmentVar+0000036F
    ntdll!RtlSetEnvironmentVariable+00000031
    apphelp!SdbPackAppCompatData+0000063B
    apphelp!Ordinal34+000021B4
    apphelp!SE_InitializeEngine+0000011D
    ntdll!RtlQueryDepthSList+0000014D
    ntdll!LdrInitShimEngineDynamic+00003693
    ntdll!LdrInitializeThunk+000001DB
    ntdll!LdrInitializeThunk+00000063
    ntdll!LdrInitializeThunk+0000000E

Total decrease == 113803 requested + 10293 overhead = 124096
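TestTChar.exe is our test program. The output shows that the memory leak occurs at H:\MyProcess\TestTChar\TestTChar\TestTChar.cpp, line 53; fixing that line is all that is needed.
[Note] Make the blocks allocated with new fairly large, otherwise you won't find the leak.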
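
Added example (not part of the original post): most records in Result.txt come from loader and CRT start-up, so this Python sketch keeps only the backtraces that pass through your own source tree and reports the innermost such frame. It assumes decimal sizes and the one-frame-per-line layout of the log above; leak_sites, src_root and SAMPLE are names chosen for this example.

```python
import re

# Record header: sign, byte delta, (new - old), allocation count, backtrace id.
HEADER = re.compile(r"^([+-])\s*(\d+)\s*\(\s*\d+\s*-\s*\d+\)\s*\d+ allocs\s+(BackTrace\w+)")
# Frame resolved to source by the PDB: module!symbol+offset (file, line).
FRAME = re.compile(r"^\s*\S+?!(.+?)\+[0-9A-Fa-f]+ \((.+), (\d+)\)\s*$")

def leak_sites(diff_text, src_root):
    """Return (byte_delta, backtrace_id, function, file, line) for every record
    whose stack passes through source under src_root, largest delta first."""
    sites, current = [], None
    for line in diff_text.splitlines():
        header = HEADER.match(line)
        if header:
            sign, size, trace_id = header.groups()
            current = (int(sign + size), trace_id)  # keep the sign as printed
            continue
        frame = FRAME.match(line)
        if frame and current and frame.group(2).lower().startswith(src_root.lower()):
            sites.append(current + (frame.group(1), frame.group(2), int(frame.group(3))))
            current = None  # keep only the innermost frame in our own code
    return sorted(sites, key=lambda s: abs(s[0]), reverse=True)

# Two records taken from the Result.txt output above (the first one abridged).
SAMPLE = r"""
- 10747 ( 0 - 10747) 0 allocs BackTraceA8378320
- 19 ( 0 - 19) BackTraceA8378320 allocations
    ntdll!RtlAllocateHeap+00000AFD
    ucrtbase!calloc_base+0000004E
    ucrtbase!wsetlocale+00000FC4
    ntdll!LdrInitializeThunk+0000000E
- 14336 ( 0 - 14336) 0 allocs BackTraceA9D395E0
- 14 ( 0 - 14) BackTraceA9D395E0 allocations
    ntdll!RtlAllocateHeap+00000AFD
    ucrtbase!malloc_base+00000036
    TestTChar!operator new+0000001F (D:\agent\_work\13\s\src\vctools\crt\vcstartup\src\heap\new_scalar.cpp, 35)
    TestTChar!main+0000048A (H:\MyProcess\TestTChar\TestTChar\TestTChar.cpp, 53)
    TestTChar!__scrt_common_main_seh+0000010C (D:\agent\_work\13\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl, 288)
    KERNEL32!BaseThreadInitThunk+00000014
"""

if __name__ == "__main__":
    for delta, trace_id, func, path, lineno in leak_sites(SAMPLE, r"H:\MyProcess"):
        print(f"{delta:+d} bytes  {trace_id}  {func}  {path}:{lineno}")
```

Filtering on the source root rather than the module name skips the TestTChar!operator new frame, whose source file belongs to the CRT build tree and not to the project.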