Monday, August 19, 2013

Tip: analyze .net stack and heap

Sometimes it is necessary to analyze values stored in stack and heap. Or maybe you need to answer the oldest question on earth: "do the array of ints stored in stack?". You can once again use SOS dll for it.

Lets say, we have a code like this:

class Program
 class Class
  public int ClassField;

 static void Main(string[] args)
  int s = 1986;

  int[] arr = {123, 256, 708, 510, 111};

  var c = new Class {ClassField = 2303};

Lets enable debugging unmanaged code, run debug, break all, open immediate window and load sos using .load sos command. Now list the stack !clrstack -a. And we need only information about local variables from our stack:
0038F3EC 002600F8 ConsoleApplication1.Program.Main(System.String[])
        args (0x0038f40c) = 0x027c2430
        0x0038f408 = 0x000007c2 (this is our s variable and its value 0x000007c2==1986 stored directly in stack)
        0x0038f404 = 0x027c2440 (this is the pointer to our array of ints)
        0x0038f400 = 0x027c2484 (this is the pointer to our class)
        0x0038f3fc = 0x027c2484
So we see already, that array of ints and our class instance stored in heap. Only pointers stored in stack.

Now we can use object addresses from stack to analyze our objects in heap. For array we can use !dumparray -details 0x027c2440 to see the values of the array. And we can simply do !dumpobj 0x027c2484 to see the information about our c class instance.

No comments :

Post a Comment