Author: daviur
Subject: Bug - VMmap wrong segments category
Posted: 25 March 2013 at 11:27pm
VMmap is not displaying the category of some memory segments properly.
Analyzing the memory layout of Pidgin 2.10.6 in WinXP Pro SP3 with a suite of forensics tools I am currently developing, I found out that VMmap's classification of some "Private Data" segments may be wrong, and they should actually be classified as "Heap (Private Data)".
Specifically we have:
            Address     VMmap classification
HEAP        0x3E0000    "Heap (Private Data)"
segment-1   0x3E0000    "Heap (Private Data)"
segment-2   0xe60000    "Private Data"
segment-3   0x1700000   "Private Data"
As you can see, segment-1 and segment-2, although they belong to HEAP, are being classified as "Private Data".
I may very well not be understanding the meaning of "Private Data", but the help says:
Private
"Private memory is memory allocated by VirtualAlloc and not suballocated either by the Heap Manager or the .NET run time. It cannot be shared with other processes, is charged against the system commit limit, and typically contains application data."
In this case, both of those segments are being suballocated by the Heap Manager, as the presence of heap metadata referencing them evidences.
Finally, WinDBG outputs:
0:005> !heap 3e0000
Index Address Name Debugging options enabled
4: 003e0000
Segment at 003e0000 to 003f0000 (00010000 bytes committed)
Segment at 00e60000 to 00f60000 (00100000 bytes committed)
Segment at 01700000 to 01900000 (00185000 bytes committed)
I do think this is a bug; nevertheless, I would appreciate insights on whether I am wrong and this is the expected behavior.
Thanks.
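Added example, not part of the original post: a small Python cross-check that parses the `!heap` segment lines quoted above and flags any VMmap region whose base falls inside a heap segment but is not typed as heap. The function names are hypothetical, and the VMmap data is entered by hand from the post's table (no VMmap export format is parsed).

```python
import re

# WinDbg `!heap` output as quoted in the post above.
WINDBG_HEAP_OUTPUT = """\
0:005> !heap 3e0000
Index Address Name Debugging options enabled
4: 003e0000
Segment at 003e0000 to 003f0000 (00010000 bytes committed)
Segment at 00e60000 to 00f60000 (00100000 bytes committed)
Segment at 01700000 to 01900000 (00185000 bytes committed)
"""

# VMmap region base -> type, copied by hand from the table in the post.
VMMAP_REGIONS = {
    0x3E0000: "Heap (Private Data)",
    0xE60000: "Private Data",
    0x1700000: "Private Data",
}

SEGMENT_RE = re.compile(
    r"Segment at ([0-9a-fA-F]+) to ([0-9a-fA-F]+) "
    r"\(([0-9a-fA-F]+) bytes committed\)"
)


def parse_heap_segments(text):
    """Return (start, end, committed_bytes) for every 'Segment at' line."""
    return [tuple(int(g, 16) for g in m.groups())
            for m in SEGMENT_RE.finditer(text)]


def find_mismatches(segments, regions):
    """Regions based inside a heap segment that VMmap does not type as heap."""
    mismatches = []
    for base, label in sorted(regions.items()):
        for start, end, _committed in segments:
            if start <= base < end and not label.startswith("Heap"):
                mismatches.append((base, label, start, end))
    return mismatches


if __name__ == "__main__":
    segs = parse_heap_segments(WINDBG_HEAP_OUTPUT)
    for base, label, start, end in find_mismatches(segs, VMMAP_REGIONS):
        print(f"0x{base:08x}: VMmap reports {label!r}, but the address is in "
              f"heap segment 0x{start:08x}-0x{end:08x}")
```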