Monitoring Indirect Memory Allocations in NTDLL


Problem:

Is there a way to have BC monitor memory allocations occurring from ntdll?

Resolution:

No. BC does not track memory allocations made through undocumented NT APIs. Very few functions in ntdll are documented, and none of the core memory allocation routines are. This includes indirect memory allocations from quasi-documented routines such as RtlAnsiStringToUnicodeString(). Even if BC could track calls to RtlAllocateHeap(), it could still miss allocations from APIs that allocate memory indirectly, such as RtlAnsiStringToUnicodeString(). Internally, these APIs call a function through an internal pointer. By default that pointer eventually thunks down to RtlAllocateHeap(), but if it is set to some other arbitrary allocation routine, it would be a stretch to reliably predict which parameter of that routine receives the newly allocated pointer.
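The following is an added model of the situation the resolution describes; it is not BoundsChecker code and not ntdll code, and every name in it is a hypothetical stand-in (heap_alloc/heap_free for RtlAllocateHeap/RtlFreeHeap, g_internal_alloc for the internal allocator pointer, model_ansi_to_unicode for RtlAnsiStringToUnicodeString with AllocateDestinationString set, model_free_unicode for RtlFreeUnicodeString). It shows why a tool that hooks only the heap entry point reports the leak while the internal pointer still thunks down to the heap, reports nothing once that pointer is redirected to a private allocator, and why counting the documented allocate/free pair at the call site catches the leak in both cases.

```c
/* Added model (not BoundsChecker or ntdll code); all names are hypothetical:
 *   heap_alloc / heap_free      -> RtlAllocateHeap / RtlFreeHeap
 *   g_internal_alloc / _free    -> internal allocator pointer used by the
 *                                  conversion routine (default: the heap)
 *   model_ansi_to_unicode       -> RtlAnsiStringToUnicodeString(..., TRUE)
 *   model_free_unicode          -> RtlFreeUnicodeString                     */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);
typedef void  (*free_fn)(void *);

/* Hook slots a leak checker can fill: models hooking the heap entry points. */
static alloc_fn g_alloc_hook = NULL;
static free_fn  g_free_hook  = NULL;
static void *heap_alloc(size_t n) { return g_alloc_hook ? g_alloc_hook(n) : malloc(n); }
static void  heap_free(void *p)   { if (g_free_hook) g_free_hook(p); else free(p); }

/* A private bump allocator the internal pointer may be redirected to. */
static unsigned char g_pool[4096];
static size_t        g_pool_used = 0;
static void *pool_alloc(size_t n) {
    n = (n + 7) & ~(size_t)7;                  /* keep blocks 8-byte aligned */
    if (g_pool_used + n > sizeof g_pool) return NULL;
    void *p = g_pool + g_pool_used;
    g_pool_used += n;
    return p;
}
static void pool_free(void *p) { (void)p; }    /* bump allocator: free is a no-op */

/* The internal pointer pair; by default it thunks down to the heap. */
static alloc_fn g_internal_alloc = heap_alloc;
static free_fn  g_internal_free  = heap_free;

/* Widens an ASCII string into a freshly allocated UTF-16 buffer. */
static unsigned short *model_ansi_to_unicode(const char *ansi) {
    size_t len = strlen(ansi);
    unsigned short *out = g_internal_alloc((len + 1) * sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i <= len; i++) out[i] = (unsigned char)ansi[i];
    return out;
}
static void model_free_unicode(unsigned short *s) { g_internal_free(s); }

/* Strategy 1: hook the heap entry points and count outstanding blocks. */
static int g_hook_outstanding = 0;
static void *counting_alloc(size_t n) { void *p = malloc(n); if (p) g_hook_outstanding++; return p; }
static void  counting_free(void *p)   { if (p) g_hook_outstanding--; free(p); }

/* Strategy 2: count the documented allocate/free pair at the call site; this
 * does not depend on which allocator the library uses internally. */
static int g_pair_outstanding = 0;
static unsigned short *tracked_convert(const char *ansi) {
    unsigned short *s = model_ansi_to_unicode(ansi);
    if (s) g_pair_outstanding++;
    return s;
}
static void tracked_free(unsigned short *s) {
    if (!s) return;
    g_pair_outstanding--;
    model_free_unicode(s);
}

static void reset(int redirect) {
    g_alloc_hook = NULL; g_free_hook = NULL;
    g_hook_outstanding = g_pair_outstanding = 0; g_pool_used = 0;
    g_internal_alloc = redirect ? pool_alloc : heap_alloc;
    g_internal_free  = redirect ? pool_free  : heap_free;
}

/* Workload with exactly one real leak: two conversions, one matching free.
 * Returns the leaked buffer so the caller can release it after measuring. */
static unsigned short *run_workload(void) {
    unsigned short *a = tracked_convert("hello");
    unsigned short *b = tracked_convert("world");
    tracked_free(a);
    return b;
}

/* Outstanding blocks the heap hook reports; redirect != 0 swaps the internal
 * pointer to the private pool, the case the KB entry says cannot be predicted. */
int leaks_seen_by_heap_hook(int redirect) {
    reset(redirect);
    g_alloc_hook = counting_alloc; g_free_hook = counting_free;
    unsigned short *leaked = run_workload();
    int seen = g_hook_outstanding;
    g_free_hook = NULL;                        /* stop counting, then clean up */
    model_free_unicode(leaked);
    return seen;
}

int leaks_seen_by_pair_tracking(int redirect) {
    reset(redirect);
    unsigned short *leaked = run_workload();
    int seen = g_pair_outstanding;
    model_free_unicode(leaked);
    return seen;
}

int main(void) {
    for (int r = 0; r < 2; r++)
        printf("%s: heap hook sees %d leak(s), pair tracking sees %d\n",
               r ? "redirected pointer" : "default allocator",
               leaks_seen_by_heap_hook(r), leaks_seen_by_pair_tracking(r));
    return 0;
}
```

With the default pointer both strategies report the one leaked conversion; once the internal pointer is redirected, the heap hook never fires and reports zero, while pair tracking still reports one. The practical consequence is the one the resolution implies: a leak in code that relies on these indirect allocators has to be checked by auditing each RtlAnsiStringToUnicodeString() against its RtlFreeUnicodeString(), not by relying on a heap-level tracker.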

Old KB# 12272