首先使用windbg工具gflags.exe設置內存啟動跟蹤內存泄露進程的user stack
啟動方法就是運行下面指令gflags.exe /i test.exe +ust
等價於HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,命令“gflags.exe /i test.exe +ust”實際上就是在該路徑下創建一個子鍵“test.exe”並創建一個名為GlobalFlag內容為0x00001000的REG_DWORD值。
使用windbg加載test.exe,運行關閉時windbg中會提示內存泄露
normal block at 0x026A5F98, 4000 bytes long. Data: < > CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD Object dump complete.
可以發現地址0x026A5F98就是內存泄漏的地址泄漏4000個字節
通過!heap命令對該地址進行分析可以發現具體的調用堆棧
0:000> !heap -p -a 0x026A5F98
address 026a5f98 found in
_HEAP @ 14f0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
026a5f60 01fc 0000 [00] 026a5f78 00fc4 - (busy)
77a1b234 ntdll!RtlAllocateHeap+0x00000274
584d7743 MSVCR100D!_heap_alloc_base+0x00000053
584e5d8c MSVCR100D!_heap_alloc_dbg_impl+0x000001fc
584e5b2f MSVCR100D!_nh_malloc_dbg_impl+0x0000001f
584e5adc MSVCR100D!_nh_malloc_dbg+0x0000002c
584e5a91 MSVCR100D!_malloc_dbg+0x00000021
58694dd6 mfc100ud!operator new+0x00000026
58694e6a mfc100ud!operator new[]+0x0000001a
58694768 mfc100ud!operator new[]+0x00000018
*** WARNING: Unable to verify checksum for SendMsgEx.exe
2a3c25 SendMsgEx!CSendMsgExDlg::Thread1Proc+0x00000055
767c1174 kernel32!BaseThreadInitThunk+0x0000000e
779fb3f5 ntdll!__RtlUserThreadStart+0x00000070
779fb3c8 ntdll!_RtlUserThreadStart+0x0000001b
可以發現內存泄漏的地址在CSendMsgExDlg::Thread1Proc這個地址里面調用了new[]導致內存泄漏
DWORD WINAPI CSendMsgExDlg::Thread1Proc(__in LPVOID lpParameter)
{
INT *pVal = new INT[1000];
//..................
}
如此即可發現導致內存泄漏的原因和地址!