小菜第一次发文章,没啥技术含量,大家见谅。
杭州大部分地区的高校应该都用着闪讯客户端,现在是2.5.0081版本。上学也有个几年了,闪讯作为一个拨号软件搞得这么的复杂确实会让人不爽,但不管怎么说,作为一个每天必点的软件,对它多多少少有了些感情。以前写过个解除wifi限制的软件,自从有了猎豹之后也没啥用了。最近又注意到一个问题,很奇怪闪讯的内存占用一直在涨,一开始也没怎么注意,后来发现如果挂着闪讯的时间略长后,内存占用竟然会变成原来的几十倍。
刚开始连上网时的内存占用:
一段时间后(10几个小时)
内存从10几MB升到400MB,这种情况我想基本就是哪里有内存泄漏了。于是就决定一探究竟。
用OD附加上,在ZwAllocateVirtualMemory处下断来找线索,因为调用ZwAllocateVirtualMemory的地方较多,我就又下断ZwFreeVirtualMemory来排除有借有还的内存申请部分,最后终于锁定申请内存没释放的地方。
查看断在此处的堆栈情况:
调用堆栈
地址 堆栈 程序过程 / 参数 调用来自 结构
040DFC84 77C5B8C1 ? ntdll.ZwAllocateVirtualMemory ntdll.77C5B8BC
040DFCB8 77C5B7D6 ? ntdll.77C5B825 ntdll.77C5B7D1
040DFCE0 77C5B741 ntdll.77C5B7AC ntdll.77C5B73C 040DFCDC
040DFDC0 77C53CFE ? ntdll.77C5390D ntdll.77C53CF9 040DFDBC
040DFE44 5F804FC8 ntdll.RtlAllocateHeap NetScan.5F804FC2 040DFE40
040DFE48 03B90000 hHeap = 03B90000
040DFE4C 00000000 dwFlags = 0x0
040DFE50 0000BF88 dwBytes = BF88 (49032.)
040DFE64 5F7116ED NetScan.5F804F7D NetScan.5F7116E8 040DFE60
040DFE88 5F711109 ? NetScan.CNetScan::IsConnectNet NetScan.5F711104 040DFE84
; ---------------------------------------------------------------------------
; NetScan.5F7110E0 — link-watchdog poll loop (no symbol in the listing; the
; Sleep-in-a-loop shape suggests a worker-thread routine — not confirmed here).
; In:   [ebp+8] = pointer to a context block; fields read by this routine:
;         [ctx+0x00] head of a linked list of NIC-name nodes (next link at node+0x100)
;         [ctx+0x04] HWND passed to IsWindow / PostMessageA
;         [ctx+0x08] message id passed to PostMessageA
;         [ctx+0x24] run flag: loop keeps going while non-zero
;         [ctx+0x30] gate: when zero the NIC scan is skipped and "link down" is posted
; Out:  eax = 0 on every exit path.
; Every 5 s it calls CNetScan::IsConnectNet once per list node; that callee
; (listed further down) allocates an interface table and never frees it, so
; this loop is what turns a per-call leak into unbounded heap growth.
; ---------------------------------------------------------------------------
5F7110E0 > 55 push ebp
5F7110E1 8BEC mov ebp,esp
5F7110E3 56 push esi
5F7110E4 8B75 08 mov esi,dword ptr ss:[ebp+0x8] ; esi = ctx (the single argument)
5F7110E7 837E 24 00 cmp dword ptr ds:[esi+0x24],0x0 ; run flag already clear -> return 0 without polling
5F7110EB 74 5C je short NetScan.5F711149
5F7110ED 53 push ebx
5F7110EE 8B1D 5098825F mov ebx,dword ptr ds:[<&USER32.PostMessageA>] ; ebx = &PostMessageA, hoisted out of the loop
5F7110F4 57 push edi
5F7110F5 837E 30 00 cmp dword ptr ds:[esi+0x30],0x0 ; --- outer loop head --- gate flag zero -> skip the NIC scan
5F7110F9 8B3E mov edi,dword ptr ds:[esi] ; edi = first NIC-name node
5F7110FB 74 1A je short NetScan.5F711117
5F7110FD 85FF test edi,edi ; empty list is treated the same as "nothing connected"
5F7110FF 74 16 je short NetScan.5F711117
5F711101 57 push edi ; arg: node pointer; the callee reads it as a C string (name at node+0)
5F711102 8BCE mov ecx,esi ; this = ctx (thiscall)
5F711104 E8 B7050000 call NetScan.CNetScan::IsConnectNet ; non-zero => an interface matching this name is up
5F711109 85C0 test eax,eax
5F71110B 75 41 jnz short NetScan.5F71114E
5F71110D 8BBF 00010000 mov edi,dword ptr ds:[edi+0x100] ; node = node->next
5F711113 85FF test edi,edi
5F711115 ^ 75 EA jnz short NetScan.5F711101 ; try the next NIC name
5F711117 8B46 04 mov eax,dword ptr ds:[esi+0x4] ; no NIC connected: notify the UI if its window still exists
5F71111A 50 push eax
5F71111B FF15 5498825F call dword ptr ds:[<&USER32.IsWindow>] ; USER32.IsWindow
5F711121 85C0 test eax,eax
5F711123 74 11 je short NetScan.5F711136 ; window gone -> just sleep and re-check
5F711125 6A 00 push 0x0 ; lParam = 0
5F711127 68 01500000 push 0x5001 ; wParam = 0x5001 ("link down / reconnect"); NB: this is wParam, the message id is [ctx+8]
5F71112C 8B4E 08 mov ecx,dword ptr ds:[esi+0x8] ; Msg  = [ctx+8]
5F71112F 8B56 04 mov edx,dword ptr ds:[esi+0x4] ; hWnd = [ctx+4]
5F711132 51 push ecx
5F711133 52 push edx
5F711134 FFD3 call ebx ; PostMessageA(hWnd, Msg, wParam, 0); return value ignored
5F711136 68 88130000 push 0x1388 ; Sleep(5000 ms) between polls
5F71113B FF15 2892825F call dword ptr ds:[<&KERNEL32.Sleep>] ; kernel32.Sleep
5F711141 837E 24 00 cmp dword ptr ds:[esi+0x24],0x0 ; keep polling while the run flag stays set
5F711145 ^ 75 AE jnz short NetScan.5F7110F5
5F711147 5F pop edi
5F711148 5B pop ebx
5F711149 33C0 xor eax,eax ; return 0
5F71114B 5E pop esi
5F71114C 5D pop ebp
5F71114D C3 retn ; plain retn: the one stack argument is left for the caller to clean
5F71114E 8B46 04 mov eax,dword ptr ds:[esi+0x4] ; a NIC is connected: same notify path, wParam = 0x5000
5F711151 50 push eax
5F711152 FF15 5498825F call dword ptr ds:[<&USER32.IsWindow>] ; USER32.IsWindow
5F711158 85C0 test eax,eax
5F71115A ^ 74 DA je short NetScan.5F711136 ; window gone -> sleep and re-check
5F71115C 6A 00 push 0x0 ; lParam = 0
5F71115E 68 00500000 push 0x5000 ; wParam = 0x5000 ("link up", keep polling)
5F711163 ^ EB C7 jmp short NetScan.5F71112C ; shares the PostMessageA + Sleep tail above
; ---------------------------------------------------------------------------
; CNetScan::IsConnectNet(const char *name)      thiscall: this in ecx, retn 4
; Returns 1 when some row of the local interface table (iphlpapi GetIfTable)
; whose description string starts with `name` has a status value (0..5) that
; the jump table at 5F71179C routes to the return-1 tail; 0 otherwise.
; `this` (ecx) is never read by the visible code; ecx is reused as scratch.
; Locals: [ebp-4] = table size in bytes, [ebp-8] = row index, [ebp-0xC] = row count.
;
; Defects visible in this listing (all reachable from the 5 s poll loop above):
;  * The buffer obtained at 5F7116E8 is never freed on any exit path — both
;    epilogues only pop registers and return. With the caller polling every
;    5 s this is the steady heap growth the call stack pinned to RtlAllocateHeap.
;  * If the size-query GetIfTable returns anything other than
;    ERROR_INSUFFICIENT_BUFFER (0x7A), control jumps to 5F7116FB with esi still
;    0 and dereferences NULL.
;  * Neither the allocator's result nor the second GetIfTable's return value is
;    checked; on failure the row count is read from a NULL or never-filled
;    buffer and the loop walks rows that were never written.
;  * The name comparison is a prefix match of strlen(name) bytes with no bound
;    against the row's own string, and a zero-length name matches every row.
; ---------------------------------------------------------------------------
5F7116C0 > 55 push ebp
5F7116C1 8BEC mov ebp,esp
5F7116C3 83EC 0C sub esp,0xC ; three DWORD locals
5F7116C6 53 push ebx
5F7116C7 56 push esi
5F7116C8 57 push edi
5F7116C9 8B3D D891825F mov edi,dword ptr ds:[<&IPHLPAPI.GetIfTable>] ; edi = &GetIfTable (called twice)
5F7116CF 6A 01 push 0x1 ; bOrder = TRUE
5F7116D1 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
5F7116D4 33DB xor ebx,ebx
5F7116D6 50 push eax ; pdwSize = &size
5F7116D7 53 push ebx ; pIfTable = NULL
5F7116D8 33F6 xor esi,esi ; esi = table buffer, still NULL
5F7116DA 895D FC mov dword ptr ss:[ebp-0x4],ebx ; size = 0
5F7116DD FFD7 call edi ; GetIfTable(NULL, &size, TRUE): size query; expected to fail with 0x7A and fill size
5F7116DF 83F8 7A cmp eax,0x7A ; ERROR_INSUFFICIENT_BUFFER
5F7116E2 75 17 jnz short NetScan.5F7116FB ; BUG: any other result skips the allocation and lands on mov eax,[esi] with esi == NULL
5F7116E4 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
5F7116E7 51 push ecx ; size reported by the query
5F7116E8 E8 90380F00 call NetScan.5F804F7D ; malloc(size) (5F804F7D -> RtlAllocateHeap per the call stack); result is never freed and never NULL-checked
5F7116ED 83C4 04 add esp,0x4 ; cdecl cleanup of the one argument
5F7116F0 6A 01 push 0x1 ; bOrder = TRUE
5F7116F2 8D55 FC lea edx,dword ptr ss:[ebp-0x4]
5F7116F5 8BF0 mov esi,eax ; esi = table buffer
5F7116F7 52 push edx ; pdwSize = &size
5F7116F8 56 push esi ; pIfTable = buffer
5F7116F9 FFD7 call edi ; GetIfTable(buffer, &size, TRUE); its return value is discarded (eax overwritten next)
5F7116FB 8B06 mov eax,dword ptr ds:[esi] ; eax = first DWORD of the table, used as the row count (dwNumEntries)
5F7116FD 895D F8 mov dword ptr ss:[ebp-0x8],ebx ; i = 0
5F711700 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; count
5F711703 3BC3 cmp eax,ebx
5F711705 76 79 jbe short NetScan.5F711780 ; no rows -> return 0 (buffer still leaked)
5F711707 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8] ; ebx = name
5F71170A 8DBE 24020000 lea edi,dword ptr ds:[esi+0x224] ; edi = row cursor; with row 0 at table+4 this is row+0x220, the status DWORD read at 5F711760 (lines up with MIB_IFROW.dwOperStatus — confirm against iphlpapi headers)
5F711710 8BC3 mov eax,ebx ; --- row loop head: inline strlen(name) ---
5F711712 8D50 01 lea edx,dword ptr ds:[eax+0x1]
5F711715 8A08 mov cl,byte ptr ds:[eax]
5F711717 40 inc eax
5F711718 84C9 test cl,cl
5F71171A ^ 75 F9 jnz short NetScan.5F711715
5F71171C 2BC2 sub eax,edx ; eax = strlen(name)
5F71171E 8BCB mov ecx,ebx ; ecx = name cursor
5F711720 8D77 3C lea esi,dword ptr ds:[edi+0x3C] ; esi = row+0x25C, the row's description string (lines up with MIB_IFROW.bDescr); esi no longer points at the table base
5F711723 83F8 04 cmp eax,0x4
5F711726 72 14 jb short NetScan.5F71173C
5F711728 8B16 mov edx,dword ptr ds:[esi] ; memcmp in DWORD chunks
5F71172A 3B11 cmp edx,dword ptr ds:[ecx]
5F71172C 75 40 jnz short NetScan.5F71176E ; mismatch -> next row
5F71172E 83E8 04 sub eax,0x4
5F711731 83C1 04 add ecx,0x4
5F711734 83C6 04 add esi,0x4
5F711737 83F8 04 cmp eax,0x4
5F71173A ^ 73 EC jnb short NetScan.5F711728
5F71173C 85C0 test eax,eax ; 0..3 bytes left; nothing left == match (so an empty name matches any row)
5F71173E 74 20 je short NetScan.5F711760
5F711740 8A11 mov dl,byte ptr ds:[ecx] ; tail byte 0
5F711742 3A16 cmp dl,byte ptr ds:[esi]
5F711744 75 28 jnz short NetScan.5F71176E
5F711746 83F8 01 cmp eax,0x1
5F711749 76 15 jbe short NetScan.5F711760
5F71174B 8A51 01 mov dl,byte ptr ds:[ecx+0x1] ; tail byte 1
5F71174E 3A56 01 cmp dl,byte ptr ds:[esi+0x1]
5F711751 75 1B jnz short NetScan.5F71176E
5F711753 83F8 02 cmp eax,0x2
5F711756 76 08 jbe short NetScan.5F711760
5F711758 8A41 02 mov al,byte ptr ds:[ecx+0x2] ; tail byte 2
5F71175B 3A46 02 cmp al,byte ptr ds:[esi+0x2]
5F71175E 75 0E jnz short NetScan.5F71176E
5F711760 8B07 mov eax,dword ptr ds:[edi] ; prefix matched: eax = row status DWORD
5F711762 83F8 05 cmp eax,0x5
5F711765 77 07 ja short NetScan.5F71176E ; status outside 0..5 -> treat as no match
5F711767 FF2485 9C17715F jmp dword ptr ds:[eax*4+0x5F71179C] ; 6-entry jump table (not in this listing); the return-1 tail at 5F71178B has no other visible entry, so it must be one of its targets
5F71176E 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; next row: i++, cursor += row stride
5F711771 40 inc eax
5F711772 81C7 5C030000 add edi,0x35C ; 0x35C (860) == sizeof(MIB_IFROW)
5F711778 8945 F8 mov dword ptr ss:[ebp-0x8],eax
5F71177B 3B45 F4 cmp eax,dword ptr ss:[ebp-0xC]
5F71177E ^ 72 90 jb short NetScan.5F711710 ; while i < count
5F711780 5F pop edi
5F711781 5E pop esi
5F711782 33C0 xor eax,eax ; return 0: no matching, connected interface (buffer not freed)
5F711784 5B pop ebx
5F711785 8BE5 mov esp,ebp
5F711787 5D pop ebp
5F711788 C2 0400 retn 0x4 ; callee pops the one argument
5F71178B 5F pop edi
5F71178C 5E pop esi
5F71178D B8 01000000 mov eax,0x1 ; return 1: reached only through the jump table (buffer not freed)
5F711792 5B pop ebx
5F711793 8BE5 mov esp,ebp
5F711795 5D pop ebp
5F711796 C2 0400 retn 0x4