Debug

Let's find handle leaks with WinDbg

by WeZZ 2014. 9. 30.

In WinDbg, !htrace lets you see how many handles a process has leaked and where each one was opened. First write a program that leaks handles (the test program's source appears as an image in the original post and is not reproduced here),

then start the process and attach to it. WinDbg prints:


Handle tracing is not enabled for this process. Use "!htrace -enable" to enable it.

i.e. a message telling you to enable tracing. By default, !htrace knows nothing about handles that were opened before tracing was enabled, so those cannot be traced. Start the process, enable tracing with !htrace -enable, and once the leak has occurred run !htrace:


0:001> !htrace
--------------------------------------
Handle = 0x0000000000000134 - OPEN
Thread ID = 0x00000000000028dc, Process ID = 0x00000000000026d0

0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000770eae5c: wow64!whNtCreateFile+0x00000000000000f8
0x00000000770ebb64: wow64!Wow64SystemServiceEx+0x00000000000000d4
0x00000000770d21e5: wow64cpu!ServiceNoTurbo+0x000000000000000b
0x00000000770f323a: wow64!RunCpuSimulation+0x000000000000000a
0x00000000770f317e: wow64!Wow64LdrpInitialize+0x0000000000000172
0x00007fff9238eba7: ntdll!LdrpInitializeProcess+0x000000000000157b
0x00007fff9236df2a: ntdll!_LdrpInitialize+0x0000000000092cca
0x00007fff922db20e: ntdll!LdrInitializeThunk+0x000000000000000e
0x000000007716d28c: ntdll_77130000!NtCreateFile+0x000000000000000c
0x0000000075671aaa: KERNELBASE!CreateFileInternal+0x00000000000002da
0x00000000756717c5: KERNELBASE!CreateFileW+0x000000000000005e
0x0000000000dc1470: hTrace!wmain+0x00000000000000b0
--------------------------------------
Handle = 0x0000000000000130 - CLOSE
Thread ID = 0x00000000000028dc, Process ID = 0x00000000000026d0

0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000770eae5c: wow64!whNtCreateFile+0x00000000000000f8
0x00000000770ebb64: wow64!Wow64SystemServiceEx+0x00000000000000d4
--------------------------------------
Handle = 0x0000000000000130 - OPEN
Thread ID = 0x00000000000028dc, Process ID = 0x00000000000026d0

0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000770eae5c: wow64!whNtCreateFile+0x00000000000000f8
0x00000000770ebb64: wow64!Wow64SystemServiceEx+0x00000000000000d4
0x00000000770d21e5: wow64cpu!ServiceNoTurbo+0x000000000000000b
0x00000000770f323a: wow64!RunCpuSimulation+0x000000000000000a

.. (omitted) ..

Every OPEN and CLOSE comes with the stack at the time, so you can also see which module the operation came from.

What we actually need, though, is only the handles that leaked.

For that, use !htrace -diff: it reports only the handles that were OPENed and never CLOSEd since the last snapshot. As the output below shows, -diff takes a fresh snapshot each time it runs, so a second -diff only lists handles opened after the first one.

0:001> !htrace -diff
Handle tracing information snapshot successfully taken.
0x77 new stack traces since the previous snapshot.
Ignoring handles that were already closed...
Outstanding handles opened since the previous snapshot:
--------------------------------------
Handle = 0x0000000000000134 - OPEN
Thread ID = 0x00000000000028dc, Process ID = 0x00000000000026d0

0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000770eae5c: wow64!whNtCreateFile+0x00000000000000f8
0x00000000770ebb64: wow64!Wow64SystemServiceEx+0x00000000000000d4
0x00000000770d21e5: wow64cpu!ServiceNoTurbo+0x000000000000000b
0x00000000770f323a: wow64!RunCpuSimulation+0x000000000000000a
0x00000000770f317e: wow64!Wow64LdrpInitialize+0x0000000000000172
0x00007fff9238eba7: ntdll!LdrpInitializeProcess+0x000000000000157b
0x00007fff9236df2a: ntdll!_LdrpInitialize+0x0000000000092cca
0x00007fff922db20e: ntdll!LdrInitializeThunk+0x000000000000000e
0x000000007716d28c: ntdll_77130000!NtCreateFile+0x000000000000000c
0x0000000075671aaa: KERNELBASE!CreateFileInternal+0x00000000000002da
0x00000000756717c5: KERNELBASE!CreateFileW+0x000000000000005e
*** WARNING: Unable to verify checksum for hTrace.exe
0x0000000000dc1470: hTrace!wmain+0x00000000000000b0
--------------------------------------
Handle = 0x000000000000012c - OPEN
Thread ID = 0x00000000000028dc, Process ID = 0x00000000000026d0

0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000770eae5c: wow64!whNtCreateFile+0x00000000000000f8
0x00000000770ebb64: wow64!Wow64SystemServiceEx+0x00000000000000d4
0x00000000770d21e5: wow64cpu!ServiceNoTurbo+0x000000000000000b
0x00000000770f323a: wow64!RunCpuSimulation+0x000000000000000a
0x00000000770f317e: wow64!Wow64LdrpInitialize+0x0000000000000172
0x00007fff9238eba7: ntdll!LdrpInitializeProcess+0x000000000000157b
0x00007fff9236df2a: ntdll!_LdrpInitialize+0x0000000000092cca
0x00007fff922db20e: ntdll!LdrInitializeThunk+0x000000000000000e
0x000000007716d28c: ntdll_77130000!NtCreateFile+0x000000000000000c
0x0000000075671aaa: KERNELBASE!CreateFileInternal+0x00000000000002da
0x00000000756717c5: KERNELBASE!CreateFileW+0x000000000000005e
0x0000000000dc1470: hTrace!wmain+0x00000000000000b0
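Added example, not code from the original post or from WinDbg: a Python script that does on a saved !htrace listing what !htrace -diff does inside the debugger. It replays the OPEN/CLOSE events in chronological order (WinDbg prints them newest first), cancels matching pairs, and attributes every handle still open to the first stack frame outside ntdll/wow64/KERNELBASE, which is the view you want once the listing is long. The embedded trace is constructed from the post's listing; the NtClose/CloseHandle entries, their addresses, and the extra CLOSE of handle 0x128 (a handle opened before tracing was enabled) are assumptions added to show why such entries must not be counted as leaks.

```python
"""Replay a saved !htrace listing and report the handles still outstanding.

Added example for this post, not WinDbg's or the author's code. It re-implements
the bookkeeping behind `!htrace -diff` on plain-text !htrace output.
SAMPLE_TRACE is constructed from the post's listing; the CLOSE entries are assumed.
"""
import re
from collections import Counter

# Modules that only forward the call; the first frame outside them owns the handle.
SYSTEM_MODULES = ("ntdll", "wow64", "kernelbase", "kernel32")

_SEPARATOR_RE = re.compile(r"^-{20,}\s*$", re.MULTILINE)
_EVENT_RE = re.compile(r"Handle = (0x[0-9a-fA-F]+) - (OPEN|CLOSE)")
_FRAME_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+(\S+)", re.MULTILINE)

# Constructed sample, newest event first as WinDbg prints it. Chronologically:
# 0x128 (opened before tracing) is closed, 0x12c and 0x130 are opened, 0x130 is
# closed again, 0x134 is opened. Only 0x134 and 0x12c are leaks.
SAMPLE_TRACE = """\
Outstanding handles opened since the previous snapshot:
--------------------------------------
Handle = 0x0000000000000134 - OPEN
Thread ID = 0x00000000000028dc, Process ID = 0x00000000000026d0

0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000770eae5c: wow64!whNtCreateFile+0x00000000000000f8
0x000000007716d28c: ntdll_77130000!NtCreateFile+0x000000000000000c
0x00000000756717c5: KERNELBASE!CreateFileW+0x000000000000005e
*** WARNING: Unable to verify checksum for hTrace.exe
0x0000000000dc1470: hTrace!wmain+0x00000000000000b0
--------------------------------------
Handle = 0x0000000000000130 - CLOSE
0x00007fff9235b34a: ntdll!NtClose+0x000000000000000a
0x0000000075672f10: KERNELBASE!CloseHandle+0x0000000000000020
0x0000000000dc14b2: hTrace!wmain+0x00000000000000f2
--------------------------------------
Handle = 0x0000000000000130 - OPEN
0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000756717c5: KERNELBASE!CreateFileW+0x000000000000005e
0x0000000000dc1470: hTrace!wmain+0x00000000000000b0
--------------------------------------
Handle = 0x000000000000012c - OPEN
0x00007fff9235b25a: ntdll!NtCreateFile+0x000000000000000a
0x00000000756717c5: KERNELBASE!CreateFileW+0x000000000000005e
0x0000000000dc1470: hTrace!wmain+0x00000000000000b0
--------------------------------------
Handle = 0x0000000000000128 - CLOSE
0x00007fff9235b34a: ntdll!NtClose+0x000000000000000a
0x0000000075672f10: KERNELBASE!CloseHandle+0x0000000000000020
0x0000000000dc14b2: hTrace!wmain+0x00000000000000f2
"""


def parse_htrace(text):
    """Split raw !htrace output into (handle, op, frames) tuples in the order
    WinDbg printed them (newest first). Frames are symbol strings, innermost
    first; WinDbg's '*** WARNING' lines never match and are skipped."""
    events = []
    for chunk in _SEPARATOR_RE.split(text):
        m = _EVENT_RE.search(chunk)
        if m:  # chunks without a header are banner text, e.g. 'Outstanding ...'
            events.append((int(m.group(1), 16), m.group(2), _FRAME_RE.findall(chunk)))
    return events


def attribute_frame(frames):
    """First frame outside SYSTEM_MODULES, i.e. the code that owns the handle;
    falls back to the innermost frame when the whole stack is system code."""
    for sym in frames:
        if not sym.split("!", 1)[0].lower().startswith(SYSTEM_MODULES):
            return sym
    return frames[0] if frames else "<no stack>"


def outstanding_handles(text):
    """Replay events chronologically. Returns the still-open handles, newest
    first, and the count of CLOSEs whose OPEN was never traced (handles that
    existed before '!htrace -enable'; these are not leaks)."""
    open_now = {}  # handle value -> frames of the OPEN that created it
    untracked_closes = 0
    for handle, op, frames in reversed(parse_htrace(text)):
        if op == "OPEN":
            open_now[handle] = frames
        elif handle in open_now:
            del open_now[handle]
        else:
            untracked_closes += 1
    leaks = [{"handle": h, "caller": attribute_frame(f), "frames": f}
             for h, f in reversed(list(open_now.items()))]
    return leaks, untracked_closes


def leaks_by_caller(text):
    """Outstanding handles grouped by owning frame: one call site that shows up
    many times is the usual shape of a leak."""
    leaks, _ = outstanding_handles(text)
    return Counter(leak["caller"] for leak in leaks)


if __name__ == "__main__":
    found, untracked = outstanding_handles(SAMPLE_TRACE)
    for leak in found:
        print(f"handle 0x{leak['handle']:x} still open, owned by {leak['caller']}")
    print(f"{untracked} CLOSE(s) for handles opened before tracing was enabled")
```

Run it as is, or replace SAMPLE_TRACE with the text of a .logopen session; a -diff listing parses the same way, because its banner lines carry no "Handle =" header and are skipped.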
Now all that's left is to fix the handle leak. ^^