Release: Advanced Memory Allocation Monitor v1.0

Advanced Memory Allocation Monitor v1.0: This is an interesting program which monitors all heap allocations in the targeted process.

How it works:

When a C or C++ program is compiled for Windows, the 'new', 'malloc', 'free', and 'delete' calls are compiled into calls to the kernel32.dll and ntdll.dll memory management functions. At the ntdll.dll level these functions are RtlAllocateHeap and RtlFreeHeap (the kernel32.dll functions HeapAlloc and HeapFree simply forward to them). This program adds hooks into these two functions and records all their call parameters. In the case of RtlFreeHeap, the contents of the memory about to be freed are recorded as well. For example, in the following code block:

1: void someFunction()
2: {
3:      char* unencryptedPacket = new char[50];        <--- Calls RtlAllocateHeap
4:      ...
5:      char* encryptedData = encryptPacket( unencryptedPacket );  <--- Somewhere in encryptPacket() calls RtlAllocateHeap
6:      delete[] unencryptedPacket; <--- Calls RtlFreeHeap: unencryptedPacket[0 to 99] is recorded.
7:      sendPacket(encryptedData);
8:      delete[] encryptedData; <--- Calls RtlFreeHeap: encryptedData[0 to 99] is recorded.
9: }

This section of code will generate two allocation rows in the Advanced Memory Allocation Monitor:

Address of Calling Code     | Size | Status | Hex Value
Address of line 3           | 50   | Freed  | contents of unencrypted packet (copied at line 6)
...
Address in encryptPacket()  | 120  | Freed  | first 100 bytes of encrypted packet (copied at line 8)
...

What it can be used for:

This program has two main purposes: finding hard-to-find memory leaks, and finding unencrypted packets. In the case of finding unencrypted packets and creating a packet viewer/editor, here is the general procedure:

  1. Start the game and Advanced Memory Allocation Monitor.
  2. Under the 'Filters' category, change the 'Last Value' to:
    Method: Contains

    Type: String

    Value: this is a test
  3. Click 'Set Filter'.
  4. In-game, send a chat message saying 'this is a test'.
  5. If the unencrypted packet is being formed on the heap, you should be able to see at least one list item appear in the List View tab. You can then build your own code injection to intercept all the decrypted packets, or you can even make a code injection to create your own packets. The allocation is being created at the 'Address of Calling Code' instruction address.
  6. If step 5 was successful, copy one of the 'Address of Calling Code' cells and paste it into the 'Filters'-'Address of Calling Code' box.
  7. Clear the 'Last Value'-'Value' box, and then click on 'Set Filter'.
  8. You should now be seeing all the packets decrypted.

In the case of finding memory leaks, here is a general procedure:

  1. Start the program you wish to detect memory leaks on, and attach to it with the Advanced Memory Allocation Monitor.
  2. Record data for as long as you would like.
  3. Select the 'Tree View' tab, and click Refresh Tree View.
  4. Look through the modules for a module with a high 'Unfreed Allocations' value.
  5. Press the expand (+) button on the module to view all the code locations within that module which make allocations.
  6. Look for a code location with a high 'Unfreed Allocations' value.
  7. Create a breakpoint at that address while debugging your software with symbols. You now have the location of your memory leak.
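As an added illustration (not the tool's own code), the following C model shows what the two hooks described under 'How it works' record, and how the 'Last Value' Contains filter from the packet procedure and the 'Unfreed Allocations' count from the leak procedure are computed from those records. It allocates through ordinary malloc/free instead of hooking RtlAllocateHeap/RtlFreeHeap, uses a constructed string label in place of the calling-code address, and CAPTURE_BYTES is an assumed capture size.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_RECORDS 64
#define CAPTURE_BYTES 32 /* assumed capture size; the post shows the tool keeping 100 bytes */
/* One list-view row; `site` is a constructed label standing in for 'Address of Calling Code'. */
typedef struct {
    const char *site; void *ptr; size_t size; int freed;
    char last_value[CAPTURE_BYTES]; size_t captured; /* bytes copied at free time */
} alloc_record;
static alloc_record records[MAX_RECORDS]; static size_t record_count;
/* What the RtlAllocateHeap hook records: caller, pointer and size. */
void *monitored_alloc(size_t size, const char *site) {
    void *p = malloc(size);
    if (p && record_count < MAX_RECORDS) {
        alloc_record *r = &records[record_count++];
        r->site = site; r->ptr = p; r->size = size; r->freed = 0; r->captured = 0;
    }
    return p;
}
/* What the RtlFreeHeap hook records: the buffer is copied before release, never past its size. */
void monitored_free(void *p) {
    for (size_t i = 0; i < record_count; i++) {
        alloc_record *r = &records[i];
        if (r->ptr != p || r->freed) continue;
        r->captured = r->size < CAPTURE_BYTES ? r->size : CAPTURE_BYTES;
        memcpy(r->last_value, p, r->captured);
        r->freed = 1; break;
    }
    free(p);
}
/* 'Filters' -> 'Last Value', Method: Contains, Type: String. memcmp, not strstr: captured
   packet bytes are binary and need not be NUL-terminated. */
size_t rows_whose_last_value_contains(const char *needle) {
    size_t hits = 0, len = strlen(needle);
    for (size_t i = 0; i < record_count; i++) {
        const alloc_record *r = &records[i];
        if (!r->freed || r->captured < len) continue;
        for (size_t off = 0; off + len <= r->captured; off++)
            if (memcmp(r->last_value + off, needle, len) == 0) { hits++; break; }
    }
    return hits;
}
/* 'Tree View' -> 'Unfreed Allocations' for one code location (the leak-hunting view). */
size_t unfreed_allocations(const char *site) {
    size_t n = 0;
    for (size_t i = 0; i < record_count; i++)
        if (!records[i].freed && strcmp(records[i].site, site) == 0) n++;
    return n;
}
```

The model only sees what passes through the two hooked entry points, so a process that sub-allocates from larger heap blocks, or allocates with VirtualAlloc directly, will not show such objects as separate rows.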
