Remove objects dump from .Net application memory
We continue the topic of interesting on .Net, from which the Java world will chuckle (although it is also possible for them to do this), and C ++ supporters say: “what will they not do to not learn C ++”.In this note, we will write in essence - a simple kernel kernel memory profile for the .Net platform that will take a dump from the SOH heap (and in the long run from the LOH).
To write an article we need the code from the article.
Getting a pointer to an .Net object and Manual stream cloning (measuring the size of objects).')
Our goals for today:
- Learn to iterate a bunch of .Net
- Learn to find the beginning of the heap .Net
- Try to test all objects in a foreign domain.
Link to the project in GitHub:
DotNetExTo begin with, the full list of articles posted on this cycle in Habré
We make shipped assemblies: we interact between domains without marshalling
Getting a pointer to a .Net object
Manual stream cloning. When Assembler + C # or Java = Love
Changing the code of system assemblies or "leak". Net Framework 5.0
How does decompilation in .Net or Java using the example .Net
Continuing to shred CLR: .Net object pool outside SOH / LOH heaps
Remove objects dump from .Net application memory
We make shipped assemblies: we interact between domains without marshalling Getting a pointer to a .Net object Manual stream cloning. When Assembler + C # or Java = Love Changing the code of system assemblies or "leak". Net Framework 5.0 How does decompilation in .Net or Java using the example .Net Continuing to shred CLR: .Net object pool outside SOH / LOH heaps Remove objects dump from .Net application memoryLike last time, we will solve problems as they come:
- Find the beginning of the heap in .Net
As we probably know, there are two kinds of heaps in .Net. This is a heap for small objects and a heap for large objects (> 85K). They differ primarily in the organization of objects within themselves. If in SOH objects are allocated one after another, then in LOH everything is based on linked lists and a table of free intervals between occupied areas. This is what we know. But the truth is different. Firstly, SOH cannot be continuous due to the possibility of stumbling upon a busy portion of virtual memory as it expands. The second - in fact, the fact that objects are allocated continuously one after the other - is a beautiful assumption, since there are pinned objects that cannot be moved, which means that there will be empty gaps during heap compression. This means that SOH also contains a table of voids. And in summary, this should mean specifically for us that: (a) there may be several virtual memory zones in the memory that are allocated for the heap, (b) most likely they are allocated via VirtualAlloc, (c) the objects are not continuous, which means our algorithm can't rely on it.
To simplify the example, let's take a dump only from the objects in our heap. In order to do this, we will take a pointer to any object and, using WinApi, VirtualQuery functions will try to get a virtual memory region that was allocated for this heap.public static void GetManagedHeap(out IntPtr heapsOffset, out IntPtr lastHeapByte) { // . var offset = EntityPtr.ToPointer(new object()); var memoryBasicInformation = new WinApi.MEMORY_BASIC_INFORMATION(); unsafe { WinApi.VirtualQuery(offset, ref memoryBasicInformation, (IntPtr)Marshal.SizeOf(memoryBasicInformation)); heapsOffset = (IntPtr)memoryBasicInformation.AllocationBase; lastHeapByte = (IntPtr)((long)offset + (long)memoryBasicInformation.RegionSize); } }
Perfectly! Now we know the room on which to look for objects. - We test all objects of another domain
In order to do this, we need to understand how to recognize them. So if we sit with the debugger and study the memory, then we can finally come to the conclusion that the reference to the object points not to the first field of the object, but to a pointer to a table of virtual methods. Which in fact is not only a table of virtual methods, but methods in general and type descriptions. After all, we are not in the C ++ world, but in the .Net world, where one can understand for each object, “Who will you be?”. But what about SyncBlockIndex, you ask? And as it turned out, it is “in front of” the object, minus the word size (4 bytes on 32-bit and 8 - on a 64-bit system). Because the header structure of any object is as follows:[StructLayout(LayoutKind.Explicit)] public unsafe struct EntityInfo { [FieldOffset(0)] public int SyncBlockIndex; [FieldOffset(4)] public MethodTableInfo *MethodTable; } [StructLayout(LayoutKind.Explicit)] public struct RefTypeInfo { [FieldOffset(0)] public EntityInfo BasicInfo; [FieldOffset(8)] public byte fieldsStart; }
Next, let's see how MethodTableInfo looks like:[StructLayout(LayoutKind.Explicit)] public unsafe struct MethodTableInfo { #region Basic Type Info [FieldOffset(0)] public MethodTableFlags Flags; [FieldOffset(4)] public int Size; [FieldOffset(8)] public short AdditionalFlags; [FieldOffset(10)] public short MethodsCount; [FieldOffset(12)] public short VirtMethodsCount; [FieldOffset(14)] public short InterfacesCount; [FieldOffset(16)] public MethodTableInfo *ParentTable; #endregion [FieldOffset(20)] public ObjectTypeInfo *ModuleInfo; [FieldOffset(24)] public ObjectTypeInfo *EEClass; }
Here - only a part of all information from this structure. In fact, it is more extensive. The EEClass field is important here, which leads to the structure of the type description. I practically did not study it. The content looks like this:[StructLayout(LayoutKind.Explicit)] public unsafe struct ObjectTypeInfo { [FieldOffset(0)] public ObjectTypeInfo *ParentClass; [FieldOffset(16)] public MethodTableInfo *MethodsTable; }
Since only the MethodsTable field is important for us, I just found it. The rest - missed. Why do we need it? This is a backward link to MethodsTable, which with its EEClass field refers here.
This is not a tricky way, we found a few not accurate, but a perfectly working method for detecting .Net objects. It looks like this:private static unsafe bool IsCorrectMethodsTable(IntPtr mt) { if (mt == IntPtr.Zero) return false; if (PointsToAllocated(mt)) if (PointsToAllocated((IntPtr) ((MethodTableInfo*) mt)->EEClass)) if (PointsToAllocated((IntPtr) ((MethodTableInfo*) mt)->EEClass->MethodsTable)) return ((IntPtr) ((MethodTableInfo*) mt)->EEClass->MethodsTable == mt) || ((IntPtr) ((MethodTableInfo*) mt)->ModuleInfo == MscorlibModule); return false; } private static bool PointsToAllocated(IntPtr ptr) { if (ptr == IntPtr.Zero) return false; return !WinApi.IsBadReadPtr(ptr, 32); }
For each pointer, it is checked whether it points to the allocated memory area. This is the first barrier. The second barrier is if the theoretical object has the first field pointing to something that we initially interpret as a MethodsTable. We check that the EEClass field points to the allocated memory area and interpret this pointer as a pointer to an ObjectTypeInfo structure, and then check if the pointer to MethodsTable is equal to our found pointer (is there a backward link?) If all the rules apply, the object is found.
It remains only to go through all the memory areas and try to recognize objects there. I will not lay out this sheet, because there is also a code for registering what was found and displaying it on the screen. I can only say that the problem is solved, the output link from the program is below.
Link to the complete example code: GitHub / DotNetEx / AdvSampleOutput of our program, memory dump00606 : System.String 00583 : System.Object 00277 : System.RuntimeType 00072 : System.Array+SZArrayEnumerator 00046 : System.Char[] 00041 : System.Int32[] 00033 : System.String[] 00032 : System.Object[] 00030 : System.Version 00029 : System.Byte[] 00024 : System.Text.StringBuilder 00023 : System.Collections.Hashtable+bucket[] 00020 : System.Security.PermissionSet 00020 : System.Collections.Hashtable 00020 : System.Reflection.AssemblyName 00014 : System.Reflection.RuntimeAssembly 00014 : System.Security.Permissions.EnvironmentPermission 00013 : System.Collections.Hashtable+SyncHashtable 00012 : System.Globalization.CompareInfo 00012 : System.Collections.Generic.Dictionary`2+Entry[[System.Type, mscorlib, Ve rsion=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Securit y.Policy.EvidenceTypeDescriptor, mscorlib, Version=4.0.0.0, Culture=neutral, Pub licKeyToken=b77a5c561934e089]][] 00011 : System.Globalization.CultureInfo 00010 : System.Collections.ArrayList 00010 : System.Int32 00010 : System.Threading.ThreadStart 00010 : System.Internal.HandleCollector+HandleType 00010 : System.Internal.HandleCollector+HandleType 00009 : System.Security.Permissions.SecurityPermission 00009 : System.EventHandler 00009 : Microsoft.Win32.SafeHandles.SafeRegistryHandle 00009 : Microsoft.Win32.RegistryKey 00008 : System.Threading.Thread 00008 : Microsoft.Win32.SafeHandles.SafeWaitHandle 00008 : System.Security.Policy.EvidenceTypeDescriptor 00008 : System.Runtime.InteropServices.HandleRef 00008 : System.UInt16 00006 : System.Runtime.Remoting.Metadata.SoapTypeAttribute[] 00005 : System.Type[] 00005 : System.Threading.ReaderWriterLock 00005 : System.Reflection.CustomAttributeRecord[] 00005 : System.Globalization.TextInfo 00005 : System.Security.Permissions.EnvironmentStringExpressionSet 00005 : System.WeakReference 00005 : System.Threading.ThreadHelper 00004 : System.Security.FrameSecurityDescriptor 00004 : System.Reflection.RuntimeModule 00004 : System.Reflection.RuntimeConstructorInfo 00004 : System.Guid 00004 : Microsoft.Win32.SafeHandles.SafePEFileHandle 00004 : System.Security.Policy.Evidence 00004 : System.Collections.Generic.Dictionary`2[[System.Type, mscorlib, Version= 4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Security.Poli cy.EvidenceTypeDescriptor, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKey Token=b77a5c561934e089]] 00004 : System.Security.Policy.AssemblyEvidenceFactory 00004 : System.Security.Policy.Evidence+EvidenceUpgradeLockHolder 00003 : System.Security.Util.TokenBasedSet 00003 : System.Globalization.CultureData 00003 : System.Reflection.MemberFilter 00003 : System.Reflection.MethodBase[] 00003 : System.RuntimeType[] 00003 : System.Runtime.Remoting.Lifetime.LeaseLifeTimeServiceProperty 00003 : System.Attribute[] 00003 : System.Threading.ManualResetEvent 00003 : System.IO.PathHelper 00003 : System.Security.Permissions.UIPermission 00002 : System.AppDomainSetup 00002 : System.Security.PermissionToken 00002 : System.Runtime.Remoting.Contexts.IContextProperty[] 00002 : System.Reflection.TypeFilter 00002 : System.Collections.Queue 00002 : System.WeakReference[] 00002 : System.Char 00002 : System.Security.Policy.StrongName[] 00002 : System.Reflection.RuntimeMethodInfo 00002 : System.Threading.SynchronizationContext 00002 : System.Internal.HandleCollector+HandleType[] 00002 : System.Globalization.NumberFormatInfo 00002 : Microsoft.Win32.SystemEvents+SystemEventInvokeInfo[] 00002 : System.Text.EncoderReplacementFallback 00002 : System.IO.UnmanagedMemoryStream 00002 : System.Security.Permissions.FileIOAccess 00002 : System.Security.Util.StringExpressionSet 00001 : System.Exception 00001 : System.OutOfMemoryException 00001 : System.StackOverflowException 00001 : System.ExecutionEngineException 00001 : System.AppDomain 00001 : System.Security.PermissionTokenFactory 00001 : System.Security.PermissionToken[] 00001 : System.Globalization.CalendarData[] 00001 : System.Globalization.CalendarData 00001 : System.__Filters 00001 : System.DefaultBinder 00001 : System.RuntimeType+RuntimeTypeCache+MemberInfoCache`1[[System.Reflection .RuntimeConstructorInfo, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyTo ken=b77a5c561934e089]] 00001 : System.Reflection.RuntimeConstructorInfo[] 00001 : System.Reflection.ConstructorInfo[] 00001 : System.Collections.Generic.List`1[[System.Reflection.MethodBase, mscorli b, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Signature 00001 : System.Reflection.ParameterInfo[] 00001 : System.Int32[][] 00001 : System.Runtime.Remoting.Proxies.ProxyAttribute 00001 : System.Runtime.Remoting.DomainSpecificRemotingData 00001 : System.Runtime.Remoting.Channels.ChannelServicesData 00001 : System.Runtime.Remoting.Activation.LocalActivator 00001 : System.Runtime.Remoting.Activation.ActivationListener 00001 : System.Runtime.Remoting.Contexts.ContextAttribute[] 00001 : System.Runtime.Remoting.Contexts.Context 00001 : System.Runtime.Remoting.Messaging.ConstructorCallMessage 00001 : System.Runtime.Remoting.Metadata.RemotingTypeCachedData 00001 : System.Collections.Generic.Dictionary`2[[System.RuntimeType, mscorlib, V ersion=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Runtim eType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0 89]] 00001 : System.Collections.Generic.Dictionary`2+Entry[[System.RuntimeType, mscor lib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System. RuntimeType, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c56 1934e089]][] 00001 : System.AttributeUsageAttribute 00001 : System.Runtime.Remoting.Metadata.SoapTypeAttribute 00001 : System.Runtime.Remoting.Activation.ConstructionLevelActivator 00001 : System.Runtime.Remoting.RemotingConfigHandler+RemotingConfigInfo 00001 : System.Collections.Generic.Dictionary`2[[System.String, mscorlib, Versio n=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Globalizati on.CultureData, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5 c561934e089]] 00001 : System.Runtime.Remoting.ObjectHandle 00001 : System.Diagnostics.TraceSwitch 00001 : System.Collections.Generic.Dictionary`2[[System.Int16, mscorlib, Version =4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.IntPtr, msco rlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Collections.Generic.GenericEqualityComparer`1[[System.Int16, msco rlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Collections.Generic.ObjectEqualityComparer`1[[System.IntPtr, msco rlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Threading.Mutex 00001 : System.Runtime.CompilerServices.RuntimeHelpers+CleanupCode 00001 : System.Threading.Mutex+MutexCleanupInfo 00001 : System.Threading.Mutex+MutexTryCodeHelper 00001 : System.Threading.EventWaitHandle 00001 : System.Threading.HostExecutionContextManager 00001 : System.Collections.Generic.ObjectEqualityComparer`1[[System.Type, mscorl ib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Security.Policy.ApplicationTrust 00001 : System.Security.Policy.PolicyStatement 00001 : System.Collections.Generic.List`1[[System.Security.Policy.StrongName, ms corlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.SZArrayHelper+SZGenericArrayEnumerator`1[[System.Security.Policy. StrongName, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561 934e089]] 00001 : System.Collections.ObjectModel.ReadOnlyCollection`1[[System.Security.Pol icy.StrongName, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5 c561934e089]] 00001 : Microsoft.Win32.Win32Native+OSVERSIONINFO 00001 : Microsoft.Win32.Win32Native+OSVERSIONINFOEX 00001 : System.OperatingSystem 00001 : System.__ComObject 00001 : System.Collections.Queue+SynchronizedQueue 00001 : System.Threading.AutoResetEvent 00001 : System.Threading.ContextCallback 00001 : System.RuntimeMethodInfoStub 00001 : System.RuntimeType+RuntimeTypeCache+MemberInfoCache`1[[System.Reflection .RuntimeMethodInfo, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b 77a5c561934e089]] 00001 : System.Reflection.RuntimeMethodInfo[] 00001 : System.Collections.Generic.List`1[[System.Attribute, mscorlib, Version=4 .0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Drawing.SizeF 00001 : System.Drawing.Point 00001 : System.Windows.Forms.Application+ThreadContext 00001 : System.Windows.Forms.WindowsFormsSynchronizationContext 00001 : System.EventArgs 00001 : System.Windows.Forms.NativeMethods+WNDCLASS_D 00001 : Microsoft.Win32.UserPreferenceChangedEventHandler 00001 : System.Random 00001 : System.Collections.Generic.ObjectEqualityComparer`1[[System.Object, msco rlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : System.Collections.Generic.Dictionary`2[[System.String, mscorlib, Versio n=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object[], m scorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] 00001 : Microsoft.Win32.SystemEvents 00001 : System.Runtime.Remoting.Messaging.LogicalCallContext 00001 : System.Text.UTF8Encoding 00001 : Microsoft.Win32.NativeMethods+WNDCLASS 00001 : System.Internal.HandleCollector+HandleType[] 00001 : System.IntPtr[] 00001 : System.Security.Util.URLString 00001 : System.Security.Permissions.FileIOPermission 00001 : System.Security.Util.LocalSiteString 00001 : System.Security.Util.DirectoryString 00001 : Microsoft.Win32.SafeHandles.SafeFileHandle 00001 : System.Text.SBCSCodePageEncoding 00001 : System.Text.InternalEncoderBestFitFallback 00001 : System.Text.InternalDecoderBestFitFallback 00001 : Microsoft.Win32.SafeHandles.SafeViewOfFileHandle 00001 : Microsoft.Win32.SafeHandles.SafeFileMappingHandle 00001 : System.IO.__ConsoleStream 00001 : System.Text.EncoderNLS 00001 : System.IO.StreamWriter+MdaHelper 00001 : System.IO.TextWriter+SyncTextWriter 00001 : System.Diagnostics.Stopwatch 00001 : System.Predicate`1[[System.Int64, mscorlib, Version=4.0.0.0, Culture=neu tral, PublicKeyToken=b77a5c561934e089]] 00001 : System.DBNull Objects total: 2294. Time taken: 437 - Can I get objects from someone else's domain?
Of course! After all, we are looking at virtual memory. This time ... And the second ... between the domains there are no boundaries, the objects stand out one after another, even when crossing the domain boundary. The difference is in the code. Therefore, it is possible, for example, to pass an object between domains without serialization.
Source: https://habr.com/ru/post/247447/
All Articles