The !address windbg command says that heap address is 'REGionUsageIsVAD' even though it was allocated using HeapAlloc

0

My heap buffer of interest was allocated as follows:

0:047> !heap -p -a 1d7cd1f0
    address 1d7cd1f0 found in
    _DPH_HEAP_ROOT @ 5251000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                1cf8f5b0:         1d7cc008             3ff8 -         1d7cb000             6000
    68448e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    76e465ee ntdll!RtlDebugAllocateHeap+0x00000030
    76e0a793 ntdll!RtlpAllocateHeap+0x000000c4
    76dd5dd0 ntdll!RtlAllocateHeap+0x0000023a
    000ca342 TEST+0x0002a342
    000be639 TEST+0x0001e639

As you can see, it was allocated using HeapAlloc(). When I run the !address command on the pointer of this heap I get:

 ProcessParametrs 01699928 in range 01699000 0169a000
 Environment 016976e8 in range 01697000 01698000
    1d790000 : 1d7cb000 - 00005000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD

It claims to be in RegionUsageIsVAD. According to this stackoverflow answer, RegionUsageIsVAD generally means two things:

  1. This is a .NET application, in which case the CLR allocates this block of memory.
  2. The application calls VirtualAlloc to allocate a block of memory.

My scenario does not fit either one of these cases. I confirmed that CLR wasn't used by running .cordll -ve -u -l to which I got:

CLR DLL status: No load attempts

What does RegionUsageIsVAD mean in this case?

debugging
windbg
asked on Stack Overflow Aug 19, 2016 by SivaDotRender • edited May 23, 2017 by Community

1 Answer

0

I reread your question thinking I would update what I commented,
but upon closer look it seems there are a lot of holes.
It appears you copied things and didn't paste right.
Where is that pointer on the heap?
01699928? Which version of windbg are you using?
Since I couldn't confirm, I cooked up a simple program, enabled hpa in gflags and executed the exe under windbg; below is the screenshot.
Except what you paste as RegionUsageIsVAD (this line is output under kernel !address, not in user !address), everything else appears to be similar in the screenshot.

[screenshot of the windbg session; image not available]

answered on Stack Overflow Aug 20, 2016 by blabb
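The `verifier!AVrfDebugPageHeapAllocate` frame and `_DPH_HEAP_ROOT` in the question show that full page heap is enabled, under which each HeapAlloc is served from memory the verifier obtained with VirtualAlloc, with the user block pushed up against a trailing guard page, so `!address` sees a private VirtualAlloc region rather than a heap segment. The following Python is an added example, not part of either post: it parses constructed copies of the two quoted outputs and checks that layout arithmetically. The 4 KiB page size and the `!address` column meanings (AllocationBase : RegionStart - RegionSize) are assumptions.

```python
import re
PAGE = 0x1000  # page size of the quoted 32-bit process (assumed)

# Constructed copies of the two WinDbg outputs quoted in the question.
HEAP_OUTPUT = """\
    address 1d7cd1f0 found in
    _DPH_HEAP_ROOT @ 5251000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                1cf8f5b0:         1d7cc008             3ff8 -         1d7cb000             6000
"""
ADDRESS_OUTPUT = """\
    1d790000 : 1d7cb000 - 00005000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
"""

def parse_dph_block(text):
    """Extract UserAddr/UserSize/VirtAddr/VirtSize from a '!heap -p -a' page-heap hit."""
    m = re.search(r"\b([0-9a-f]+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+([0-9a-f]+)", text)
    if not m:
        raise ValueError("no DPH_HEAP_BLOCK row found")
    _, user, usize, virt, vsize = (int(x, 16) for x in m.groups())
    return {"user": user, "usize": usize, "virt": virt, "vsize": vsize}

def parse_address_region(text):
    """Extract AllocationBase/start/size plus Type/Protect/State/Usage from a user-mode '!address' hit (column order assumed)."""
    m = re.search(r"([0-9a-f]{8})\s*:\s*([0-9a-f]{8})\s*-\s*([0-9a-f]{8})", text)
    if not m:
        raise ValueError("no region line found")
    alloc_base, start, size = (int(x, 16) for x in m.groups())
    fields = dict(re.findall(r"^\s*(Type|Protect|State|Usage)\s+(?:[0-9a-f]{8}\s+)?(\w+)\s*$", text, re.M))
    return {"alloc_base": alloc_base, "start": start, "size": size, **fields}

def describe_page_heap_block(blk, region):
    """Relate the DPH block to the VirtualAlloc region that !address reported for it."""
    user_end = blk["user"] + blk["usize"]
    region_end = region["start"] + region["size"]
    virt_end = blk["virt"] + blk["vsize"]
    return {
        # full page heap ends the user block on a page boundary; committed RW stops there, VirtSize beyond is the guard area
        "user_end_page_aligned": user_end % PAGE == 0,
        "rw_region_ends_at_user_end": region_end == user_end,
        "guard_pages_after_user": (virt_end - user_end) // PAGE,
        # the region base is the block's own VirtAddr (per-block VirtualAlloc memory) inside a larger reservation
        "region_is_block_virtaddr": region["start"] == blk["virt"],
        "inside_larger_reservation": region["alloc_base"] < blk["virt"],
        "region_usage": region.get("Usage"),
    }
```

Run against the quoted numbers, the user block ends exactly where the committed read/write region ends (0x1d7d0000) and one page of VirtSize remains after it, which is the page-heap guard page.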

User contributions licensed under CC BY-SA 3.0