By setting conditional logging breakpoints on VirtualAlloc and VirtualFree in OllyIce, I finally found that the problem comes from msjet40.1B007C23 (msjet40's ImageBase is 1B000000):
1B007C00 > > \8B46 24 mov eax, dword ptr ds:[esi+24] ; _mptableidisib
1B007C03 . 85C0 test eax, eax
1B007C05 . 74 3B je short msjet40.1B007C42
1B007C07 > 8B46 2C mov eax, dword ptr ds:[esi+2C]
1B007C0A . 8B4E 28 mov ecx, dword ptr ds:[esi+28]
1B007C0D . 8B6E 24 mov ebp, dword ptr ds:[esi+24]
1B007C10 . 8BD7 mov edx, edi
1B007C12 . 2BD0 sub edx, eax
1B007C14 . 6A 04 push 4 ; /Protect = PAGE_READWRITE
1B007C16 . D3E0 shl eax, cl ; |
1B007C18 . D3E2 shl edx, cl ; |
1B007C1A . 68 00100000 push 1000 ; |AllocationType = MEM_COMMIT
1B007C1F . 03C5 add eax, ebp ; |
1B007C21 . 52 push edx ; |Size
1B007C22 . 50 push eax ; |Address
1B007C23 . FF15 7410001B call near dword ptr ds:[<&KERNEL32.Vi>; \VirtualAlloc
1B007C29 . 85C0 test eax, eax
1B007C2B . 74 03 je short msjet40.1B007C30
1B007C2D . 897E 2C mov dword ptr ds:[esi+2C], edi
1B007C30 > 8B6C24 10 mov ebp, dword ptr ss:[esp+10]
1B007C34 > 3B7E 2C cmp edi, dword ptr ds:[esi+2C]
1B007C37 .^ 0F86 30FFFFFF jbe msjet40.1B007B6D
1B007C3D . E9 804A0A00 jmp msjet40.1B0AC6C2
1B007C42 > 8B46 40 mov eax, dword ptr ds:[esi+40]
1B007C45 . 6A 01 push 1 ; /Protect = PAGE_NOACCESS
1B007C47 . C1E0 0C shl eax, 0C ; |
1B007C4A . 68 00200000 push 2000 ; |AllocationType = MEM_RESERVE
1B007C4F . 50 push eax ; |Size
1B007C50 . 55 push ebp ; |Address
1B007C51 . FF15 7410001B call near dword ptr ds:[<&KERNEL32.Vi>; \VirtualAlloc
1B007C57 . 85C0 test eax, eax
1B007C59 . 8946 24 mov dword ptr ds:[esi+24], eax
1B007C5C .^ 75 A9 jnz short msjet40.1B007C07
1B007C5E .^ EB D4 jmp short msjet40.1B007C34
And esi = msjet40.1B120E10 points to a table that describes this allocation. The table lives in msjet40's .data section, so it is clearly a global or static variable rather than a stack variable; it is not allocated temporarily, and there must be something going on here.
The obvious approach is to find a way to keep [esi+24] = 02E40000 from growing, that is, to stop 1B007C23 from allocating memory into it, or to free it promptly. But I suspect this is a log, and stopping it is probably not that easy; it still needs further study.
After reading my earlier research notes, I found that it is a cache pool (Cache), not a log, and it holds a lot of the large data from my GetChunk calls. Seen that way, stopping its growth is not an easy thing; it still needs further study.
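To make the listing at 1B007C00..1B007C5E easier to follow, here is an added Python model of that cache-grow routine. It is not msjet40 code: the field names are my own labels for the table offsets the routine reads from esi ([esi+24], [esi+28], [esi+2C], [esi+40]), and KERNEL32.VirtualAlloc is replaced by a constructed stand-in so the model runs anywhere. The reservation address 02E40000 is the region observed in these notes; where the listing pushes ebp as the reserve address, the model passes 0.

```python
"""Model of the msjet40 cache-grow routine at 1B007C00..1B007C5E (added example,
not msjet40's code; field labels and the VirtualAlloc stand-in are assumptions)."""
from dataclasses import dataclass

# VirtualAlloc constants exactly as pushed in the listing
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
MASK32 = 0xFFFFFFFF


class FakeVirtualAlloc:
    """Constructed stand-in: one reservation, and commits must fall inside it with a
    non-zero size (a zero or wrapped-negative dwSize fails, as the real API does)."""

    def __init__(self, reserve_base=0x02E40000):  # 02E40000: the region seen in the notes
        self.reserve_base = reserve_base
        self.reserved = None      # (base, size) once MEM_RESERVE has succeeded
        self.calls = []           # every (address, size, type, protect) the model issues

    def __call__(self, address, size, alloc_type, protect):
        self.calls.append((address, size, alloc_type, protect))
        if alloc_type == MEM_RESERVE:
            if self.reserved is not None or size == 0:
                return 0
            self.reserved = (self.reserve_base, size)
            return self.reserve_base
        if alloc_type == MEM_COMMIT and self.reserved is not None:
            base, rsize = self.reserved
            if size == 0 or address < base or address + size > base + rsize:
                return 0
            return address
        return 0


@dataclass
class CacheTable:
    """The fields of the table at esi that the routine touches (my labels)."""
    base: int = 0                # [esi+24]: base of the reserved region (0 = not reserved yet)
    page_shift: int = 12         # [esi+28]: shift count loaded into cl
    committed_pages: int = 0     # [esi+2C]: pages committed so far
    reserve_pages: int = 256     # [esi+40]: reservation size is this value << 0C


def grow(table, wanted_pages, valloc):
    """Return True on the path to 1B007B6D (the cache now covers `wanted_pages`, edi)
    and False on the path to 1B0AC6C2."""
    if table.base == 0:
        # 1B007C42..1B007C5C: reserve the whole range once, PAGE_NOACCESS
        table.base = valloc(0, table.reserve_pages << 0x0C, MEM_RESERVE, PAGE_NOACCESS)
        if table.base == 0:
            # jmp short 1B007C34: no commit attempt, only the final compare
            return wanted_pages <= table.committed_pages
    # 1B007C07..1B007C2D: commit only the pages above the current mark
    old = table.committed_pages
    address = ((old << table.page_shift) + table.base) & MASK32      # shl eax,cl; add eax,ebp
    size = ((wanted_pages - old) << table.page_shift) & MASK32       # sub edx,eax; shl edx,cl
    if valloc(address, size, MEM_COMMIT, PAGE_READWRITE):
        table.committed_pages = wanted_pages                         # mov [esi+2C], edi
    # 1B007C34: cmp edi,[esi+2C]; jbe -> success, otherwise the error path
    return wanted_pages <= table.committed_pages


if __name__ == "__main__":
    table, valloc = CacheTable(), FakeVirtualAlloc()
    for wanted in (4, 10, 10, 257):
        print(f"grow to {wanted:3d} pages -> {grow(table, wanted, valloc)}, "
              f"committed={table.committed_pages}")
    for call in valloc.calls:
        print("VirtualAlloc(%08X, %08X, %04X, %X)" % call)
```

Running it shows the shape of the growth the breakpoints recorded: one MEM_RESERVE of the full range, then a MEM_COMMIT of only the new pages on each call that raises the mark at [esi+2C], and failure once the requested page count exceeds the reservation computed from [esi+40].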
1B0039BF > $ 81EC 20020000 sub esp, 220 ; ErrIsamInit3(x,x)
1B0039C5 . 8D4424 00 lea eax, dword ptr ss:[esp]
1B0039C9 . 56 push esi
1B0039CA . 50 push eax
1B0039CB . B9 100E121B mov ecx, msjet40.1B120E10
1B0039D0 . C74424 08 01000000 mov dword ptr ss:[esp+8], 1
1B0039D8 . 33F6 xor esi, esi
1B0039DA . E8 D1000000 call <msjet40.System::InitializationError(Err &)>
1B0039DF . F64424 04 08 test byte ptr ss:[esp+4], 8
1B0039E4 . 0F85 DBCA0900 jnz msjet40.1B0A04C5
1B0039EA . 6A 70 push 70
1B0039EC . E8 91320000 call <msjet40.operator new(uint)>
1B0039F1 . 83C4 04 add esp, 4
1B0039F4 . 85C0 test eax, eax
1B0039F6 . 0F84 85CA0900 je msjet40.1B0A0481
1B0039FC . 8D4C24 04 lea ecx, dword ptr ss:[esp+4]
1B003A00 . 51 push ecx
1B003A01 . 8BC8 mov ecx, eax
1B003A03 . E8 B5000000 call <msjet40.Connection::Connection(Err &)>
1B003A08 . 8BF0 mov esi, eax
1B003A0A > 85F6 test esi, esi
1B003A0C . 0F84 76CA0900 je msjet40.1B0A0488
1B003A12 . F64424 04 08 test byte ptr ss:[esp+4], 8
1B003A17 . 0F85 A8CA0900 jnz msjet40.1B0A04C5
1B003A1D . 8B8424 28020000 mov eax, dword ptr ss:[esp+228]
1B003A24 . 85C0 test eax, eax
1B003A26 . 74 29 je short msjet40.1B003A51
1B003A28 . 8D5424 1C lea edx, dword ptr ss:[esp+1C]
1B003A2C . 68 08020000 push 208
1B003A31 . 8D4C24 1C lea ecx, dword ptr ss:[esp+1C]
1B003A35 . 52 push edx
1B003A36 . 51 push ecx
1B003A37 . 6A 37 push 37
1B003A39 . 6A 00 push 0
1B003A3B . 50 push eax
1B003A3C . E8 A00C0000 call <msjet40.ErrGetSystemParameterInst(x,x,x,x,x,x)>
1B003A41 . 85C0 test eax, eax
1B003A43 . 7C 0C jl short msjet40.1B003A51
1B003A45 . 66:837C24 1C 00 cmp word ptr ss:[esp+1C], 0
1B003A4B . 0F85 59CA0900 jnz msjet40.1B0A04AA
1B003A51 > 8BCE mov ecx, esi
1B003A53 . E8 900E0000 call <msjet40.Connection::ReadConfig(void)>
1B003A58 . 8B46 3C mov eax, dword ptr ds:[esi+3C]
1B003A5B . B9 100E121B mov ecx, msjet40.1B120E10
1B003A60 . 99 cdq
1B003A61 . 83E2 03 and edx, 3
1B003A64 . 03C2 add eax, edx
1B003A66 . C1F8 02 sar eax, 2
1B003A69 . 50 push eax
1B003A6A . E8 88120000 call <msjet40.System::SetMaxBufferSize(ulong)>
1B003A6F . 56 push esi
1B003A70 . E8 9F120000 call <msjet40.ErrIsamGetReplCallbacks(Connection *)>
1B003A75 . F64424 04 08 test byte ptr ss:[esp+4], 8
1B003A7A . 0F85 45CA0900 jnz msjet40.1B0A04C5
1B003A80 . 8B9424 2C020000 mov edx, dword ptr ss:[esp+22C]
1B003A87 . 8932 mov dword ptr ds:[edx], esi
1B003A89 > F64424 04 01 test byte ptr ss:[esp+4], 1
1B003A8E . 0F84 4ECA0900 je msjet40.1B0A04E2
1B003A94 . 33F6 xor esi, esi
1B003A96 > F74424 04 FEFFFFFF test dword ptr ss:[esp+4], FFFFFFFE
1B003A9E . 0F85 50CA0900 jnz msjet40.1B0A04F4
1B003AA4 > 8BC6 mov eax, esi
1B003AA6 . 5E pop esi
1B003AA7 . 81C4 20020000 add esp, 220
1B003AAD . C2 0800 retn 8
1B004CF7 > $ 8B41 60 mov eax, dword ptr ds:[ecx+60] ; System::SetMaxBufferSize(ulong)
1B004CFA . 85C0 test eax, eax
1B004CFC . 75 13 jnz short msjet40.1B004D11
1B004CFE . 8B4424 04 mov eax, dword ptr ss:[esp+4]
1B004D02 . C741 60 01000000 mov dword ptr ds:[ecx+60], 1
1B004D09 . 85C0 test eax, eax
1B004D0B . 0F85 81790A00 jnz msjet40.1B0AC692
1B004D11 > C2 0400 retn 4
1B0A250D >/$ 83EC 14 sub esp, 14 ; ErrIsamSetSystemParameter(x,x,x,x)
1B0A2510 |. 8B4424 1C mov eax, dword ptr ss:[esp+1C]
1B0A2514 |. 56 push esi
1B0A2515 |. 8B7424 1C mov esi, dword ptr ss:[esp+1C]
1B0A2519 |. 83C0 FA add eax, -6 ; Switch (cases 6..46)
1B0A251C |. 83F8 40 cmp eax, 40
1B0A251F |. C74424 04 01000000 mov dword ptr ss:[esp+4], 1
1B0A2527 |. 8B0E mov ecx, dword ptr ds:[esi]
1B0A2529 |. 77 19 ja short msjet40.1B0A2544
1B0A252B |. 33D2 xor edx, edx
1B0A252D |. 8A90 58260A1B mov dl, byte ptr ds:[eax+1B0A2658]
1B0A2533 |. FF2495 24260A1B jmp near dword ptr ds:[edx*4+1B0A2624]
1B0A253A |> 8B4424 24 mov eax, dword ptr ss:[esp+24] ; Case 6 of switch 1B0A2519
1B0A253E |. 50 push eax
1B0A253F |. E8 3C90FFFF call <msjet40.Connection::SetPageTimeout(ulong)>
1B0A2544 |> F64424 04 01 test byte ptr ss:[esp+4], 1 ; Default case of switch 1B0A2519
1B0A2549 |. 0F84 C0000000 je msjet40.1B0A260F
1B0A254F |. 33F6 xor esi, esi
1B0A2551 |> F74424 04 FEFFFFFF test dword ptr ss:[esp+4], FFFFFFFE
1B0A2559 |. 74 09 je short msjet40.1B0A2564
1B0A255B |. 8D4C24 04 lea ecx, dword ptr ss:[esp+4]
1B0A255F |. E8 906AF6FF call <msjet40.Err::Delete(void)>
1B0A2564 |> 8BC6 mov eax, esi
1B0A2566 |. 5E pop esi
1B0A2567 |. 83C4 14 add esp, 14
1B0A256A |. C2 1000 retn 10
1B0A256D |> 8B4C24 24 mov ecx, dword ptr ss:[esp+24] ; Case 8 of switch 1B0A2519
1B0A2571 |. C705 700E121B 000000>mov dword ptr ds:[1B120E70], 0
1B0A257B |. C1E9 02 shr ecx, 2
1B0A257E |. 51 push ecx
1B0A257F |. B9 100E121B mov ecx, msjet40.1B120E10
1B0A2584 |. E8 6E27F6FF call <msjet40.System::SetMaxBufferSize(ulong)>
1B0A2589 |.^ EB B9 jmp short msjet40.1B0A2544
1B0A258B |> 8B5424 24 mov edx, dword ptr ss:[esp+24] ; Case 39 of switch 1B0A2519
1B0A258F |. 52 push edx
1B0A2590 |. E8 0690FFFF call <msjet40.Connection::SetLockRetry(ulong)>
1B0A2595 |.^ EB AD jmp short msjet40.1B0A2544
1B0A2597 |> 8B4424 24 mov eax, dword ptr ss:[esp+24] ; Case 3A of switch 1B0A2519
1B0A259B |. 50 push eax
1B0A259C |. E8 0490FFFF call <msjet40.Connection::SetUserCommitSync(ulong)>
1B0A25A1 |.^ EB A1 jmp short msjet40.1B0A2544
1B0A25A3 |> 8B5424 24 mov edx, dword ptr ss:[esp+24] ; Case 3B of switch 1B0A2519
1B0A25A7 |. 52 push edx
1B0A25A8 |. E8 0990FFFF call <msjet40.Connection::SetImplicitCommitSync(ulong)>
1B0A25AD |.^ EB 95 jmp short msjet40.1B0A2544
1B0A25AF |> 8B4424 24 mov eax, dword ptr ss:[esp+24] ; Case 3C of switch 1B0A2519
1B0A25B3 |. 50 push eax
1B0A25B4 |. E8 0E90FFFF call <msjet40.Connection::SetExclusiveAsyncDelay(ulong)>
1B0A25B9 |.^ EB 89 jmp short msjet40.1B0A2544
1B0A25BB |> 8B5424 24 mov edx, dword ptr ss:[esp+24] ; Case 3D of switch 1B0A2519
1B0A25BF |. 52 push edx
1B0A25C0 |. E8 0C90FFFF call <msjet40.Connection::SetSharedAsyncDelay(ulong)>
1B0A25C5 |.^ E9 7AFFFFFF jmp msjet40.1B0A2544
1B0A25CA |> 8B4424 24 mov eax, dword ptr ss:[esp+24] ; Case 42 of switch 1B0A2519
1B0A25CE |. 50 push eax
1B0A25CF |. E8 0790FFFF call <msjet40.Connection::SetFlushTransTimeout(ulong)>
1B0A25D4 |.^ E9 6BFFFFFF jmp msjet40.1B0A2544
1B0A25D9 |> 8B5424 24 mov edx, dword ptr ss:[esp+24] ; Case 3E of switch 1B0A2519
1B0A25DD |. 52 push edx
1B0A25DE |. E8 0290FFFF call <msjet40.Connection::SetMaxLocksPerFile(ulong)>
1B0A25E3 |.^ E9 5CFFFFFF jmp msjet40.1B0A2544
1B0A25E8 |> 8B4424 24 mov eax, dword ptr ss:[esp+24] ; Case 3F of switch 1B0A2519
1B0A25EC |. 50 push eax
1B0A25ED |. E8 4490FFFF call <msjet40.Connection::SetLockDelay(ulong)>
1B0A25F2 |.^ E9 4DFFFFFF jmp msjet40.1B0A2544
1B0A25F7 |> 8B5424 24 mov edx, dword ptr ss:[esp+24] ; Case 41 of switch 1B0A2519
1B0A25FB |. 8951 60 mov dword ptr ds:[ecx+60], edx
1B0A25FE |.^ E9 41FFFFFF jmp msjet40.1B0A2544
1B0A2603 |> 8B4424 24 mov eax, dword ptr ss:[esp+24] ; Case 46 of switch 1B0A2519
1B0A2607 |. 8941 64 mov dword ptr ds:[ecx+64], eax
1B0A260A |.^ E9 35FFFFFF jmp msjet40.1B0A2544
1B0A260F |> 8D5424 04 lea edx, dword ptr ss:[esp+4]
1B0A2613 |. 8BCE mov ecx, esi
1B0A2615 |. E8 85C4F6FF call msjet40.1B00EA9F
1B0A261A |. 8BF0 mov esi, eax
1B0A261C \.^ E9 30FFFFFF jmp msjet40.1B0A2551
Today I found that setting MaxBufferSize does control the size of the cache pool, which more or less solves the Cache problem. But right after that I found another virtual memory block that keeps growing, and it cannot be intercepted via VirtualAllocEx; my guess is that it grows in the kernel, although that is not very likely. It still needs further study.
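The conditional logging breakpoints mentioned at the start of these notes produce a stream of VirtualAlloc/VirtualFree calls, and the useful step is to attribute the net committed bytes to the call site that committed them, so a grower like 1B007C23 stands out from callers that free what they commit. The following added Python script does that bookkeeping; it is not part of the original notes, and the log format is constructed for this example (it is not OllyIce's own log layout). Only the call sites 1B007C23 and 1B007C51 come from the listing above; the 1B0FFFF0/1B0FFFF8 callers and all sizes and return values are invented sample data.

```python
"""Attribute net committed virtual memory to the committing call site (added example;
the log layout and the 1B0FFFFx call sites are constructed, not taken from OllyIce)."""
import re
from collections import defaultdict

MEM_COMMIT = 0x1000
MEM_DECOMMIT = 0x4000
MEM_RELEASE = 0x8000

# Constructed sample log: one line per hooked call, "caller" is the call instruction.
SAMPLE_LOG = """\
caller=1B007C51 VirtualAlloc addr=00000000 size=00100000 type=2000 ret=02E40000
caller=1B007C23 VirtualAlloc addr=02E40000 size=00004000 type=1000 ret=02E40000
caller=1B0FFFF0 VirtualAlloc addr=00000000 size=00010000 type=3000 ret=02F50000
caller=1B007C23 VirtualAlloc addr=02E44000 size=00008000 type=1000 ret=02E44000
caller=1B0FFFF8 VirtualFree  addr=02F50000 size=00010000 type=4000 ret=00000001
caller=1B007C23 VirtualAlloc addr=02E4C000 size=00010000 type=1000 ret=02E4C000
caller=1B0FFFF0 VirtualAlloc addr=00000000 size=00010000 type=3000 ret=02F50000
caller=1B0FFFF8 VirtualFree  addr=02F50000 size=00010000 type=4000 ret=00000001
"""

LINE_RE = re.compile(
    r"caller=(?P<caller>[0-9A-F]{8})\s+(?P<api>VirtualAlloc|VirtualFree)\s+"
    r"addr=(?P<addr>[0-9A-F]{8})\s+size=(?P<size>[0-9A-F]{8})\s+"
    r"type=(?P<type>[0-9A-F]+)\s+ret=(?P<ret>[0-9A-F]{8})")


def parse_log(text):
    """Yield a dict with integer fields for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            yield {"caller": d["caller"], "api": d["api"],
                   **{k: int(d[k], 16) for k in ("addr", "size", "type", "ret")}}


def net_committed_by_caller(text):
    """Return [(caller, net_bytes), ...] sorted by net committed bytes, largest first.

    A commit is credited to the caller that made it; a later decommit or release at
    the same start address is debited from that caller, whoever issued the free.
    Reservations (MEM_RESERVE only) cost no physical memory and are not counted.
    """
    net = defaultdict(int)
    live = {}                         # commit start address -> (caller, size)
    for ev in parse_log(text):
        if ev["api"] == "VirtualAlloc":
            if ev["type"] & MEM_COMMIT and ev["ret"] != 0:
                live[ev["ret"]] = (ev["caller"], ev["size"])
                net[ev["caller"]] += ev["size"]
        elif ev["type"] & (MEM_DECOMMIT | MEM_RELEASE) and ev["ret"] != 0:
            owner = live.pop(ev["addr"], None)
            if owner:
                caller, size = owner
                net[caller] -= size
    return sorted(net.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for caller, total in net_committed_by_caller(SAMPLE_LOG):
        print(f"{caller}: {total:#x} bytes still committed")
```

On the sample the commit-only caller 1B007C23 ends with 0x1C000 bytes outstanding while the commit/free pair nets to zero, which is the same picture that singled out 1B007C23 in the real trace. Matching frees by exact start address is a simplification: a release of a whole reservation debits only the entry recorded at that address.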