Special Command—Peeking Memory Addresses Using !address

Let’s say that you get a memory address and you want to know whether it belongs to the heap, the stack, or someplace else. Or let’s say you have a .NET application consuming lots of memory, and you want to get a better understanding of this memory consumption.

The !address command is helpful in both situations mentioned above and probably others not mentioned in this article.

Usage:

!address <address> ← gives you information about the address type.

!address -summary ← displays all addresses and a summary at the end.

To interpret the results, use this table:

RegionUsageIsVAD

The "busy" region. This region includes all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.

RegionUsageFree

The available memory in the target's virtual address space. This memory includes all memory that has not been committed or reserved.

RegionUsageImage

The memory region that mapped images of binaries use.

RegionUsageStack

The memory region that is used for the stacks owned by the threads in the target process.

RegionUsageTeb

The memory region that is used for the thread environment blocks (TEBs) for all threads in the target process.

RegionUsageHeap

The memory region that is used for the heaps that the target process owns.

RegionUsagePageHeap

The memory region that is used for the full-page heap that the target process owns.

RegionUsagePeb

The memory region that is used for the process environment block (PEB) of the target process.

RegionUsageProcessParametrs

The memory region that is used for the startup parameters of the target process.

RegionUsageEnvironmentBlock

The memory region that is used for the environment block of the target process.

Examples:

!address <address>

 

!address -summary

ProcessParameters 003e1860 in range 003e0000 004b0000

 Environment 003e0808 in range 003e0000 004b0000

-------------------- Usage SUMMARY --------------------------

    TotSize ( KB) Pct(Tots) Pct(Busy) Usage

    3b09000 ( 60452) : 02.88% 41.28% : RegionUsageIsVAD ← Location where .NET allocates heaps.

   770f1000 ( 1950660) : 93.02% 00.00% : RegionUsageFree ← Not committed memory or not reserved memory.

    46ff000 ( 72700) : 03.47% 49.65% : RegionUsageImage

     6ff000 ( 7164) : 00.34% 04.89% : RegionUsageStack ← Used for stacks.

       7000 ( 28) : 00.00% 00.02% : RegionUsageTeb ← Used for Thread Environment Block.

     5f0000 ( 6080) : 00.29% 04.15% : RegionUsageHeap ← Heaps from native code allocations.

          0 ( 0) : 00.00% 00.00% : RegionUsagePageHeap

       1000 ( 4) : 00.00% 00.00% : RegionUsagePeb

          0 ( 0) : 00.00% 00.00% : RegionUsageProcessParametrs

          0 ( 0) : 00.00% 00.00% : RegionUsageEnvironmentBlock

       Tot: 7fff0000 (2097088 KB) Busy: 08eff000 (146428 KB)

-------------------- Type SUMMARY --------------------------

    TotSize ( KB) Pct(Tots) Usage

   770f1000 ( 1950660) : 93.02% : <free>

    46ff000 ( 72700) : 03.47% : MEM_IMAGE

    181f000 ( 24700) : 01.18% : MEM_MAPPED

    2fe1000 ( 49028) : 02.34% : MEM_PRIVATE

-------------------- State SUMMARY --------------------------

    TotSize ( KB) Pct(Tots) Usage

    5d48000 ( 95520) : 04.55% : MEM_COMMIT

   770f1000 ( 1950660) : 93.02% : MEM_FREE

    31b7000 ( 50908) : 02.43% : MEM_RESERVE

Largest free region: Base 04950000 - Size 5ee50000 (1554752 KB)
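
As an added example (not part of the original article), this Python script parses the Usage SUMMARY text shown above, cross-checks that the region sizes add up to the Tot/Busy line, and reports each region's share of busy memory along with how much of the free space is a single contiguous block. The function names are hypothetical; the sample text is the article's own output with the inline annotations removed.

```python
import re

# Usage SUMMARY rows from the article's !address -summary output (annotations removed).
SAMPLE = """\
    3b09000 ( 60452) : 02.88% 41.28% : RegionUsageIsVAD
   770f1000 ( 1950660) : 93.02% 00.00% : RegionUsageFree
    46ff000 ( 72700) : 03.47% 49.65% : RegionUsageImage
     6ff000 ( 7164) : 00.34% 04.89% : RegionUsageStack
       7000 ( 28) : 00.00% 00.02% : RegionUsageTeb
     5f0000 ( 6080) : 00.29% 04.15% : RegionUsageHeap
          0 ( 0) : 00.00% 00.00% : RegionUsagePageHeap
       1000 ( 4) : 00.00% 00.00% : RegionUsagePeb
          0 ( 0) : 00.00% 00.00% : RegionUsageProcessParametrs
          0 ( 0) : 00.00% 00.00% : RegionUsageEnvironmentBlock
       Tot: 7fff0000 (2097088 KB) Busy: 08eff000 (146428 KB)
Largest free region: Base 04950000 - Size 5ee50000 (1554752 KB)
"""

# Hypothetical helper names; the patterns follow the column layout shown in the article.
ROW = re.compile(r"^\s*([0-9a-f]+) \(\s*(\d+)\) : .*: (RegionUsage\w+)", re.I)
TOTALS = re.compile(r"Tot: ([0-9a-f]+) \((\d+) KB\) Busy: ([0-9a-f]+) \((\d+) KB\)", re.I)
LARGEST = re.compile(r"Largest free region: Base ([0-9a-f]+) - Size ([0-9a-f]+)", re.I)

def parse_summary(text):
    """Return (usage_kb, total_kb, busy_kb, largest_free_kb) from the summary text."""
    usage, total_kb, busy_kb, largest_kb = {}, None, None, None
    for line in text.splitlines():
        if m := ROW.match(line):
            size_bytes, kb = int(m.group(1), 16), int(m.group(2))
            if size_bytes != kb * 1024:  # hex column and KB column must agree
                raise ValueError(f"size mismatch: {line.strip()}")
            usage[m.group(3)] = kb
        elif m := TOTALS.search(line):
            total_kb, busy_kb = int(m.group(2)), int(m.group(4))
        elif m := LARGEST.search(line):
            largest_kb = int(m.group(2), 16) // 1024
    return usage, total_kb, busy_kb, largest_kb

def report(text):
    """Cross-check the totals, then return busy-region shares (%) and free-space contiguity (%)."""
    usage, total_kb, busy_kb, largest_kb = parse_summary(text)
    free_kb = usage.pop("RegionUsageFree")
    if sum(usage.values()) != busy_kb or busy_kb + free_kb != total_kb:
        raise ValueError("region sizes do not add up to the Tot/Busy line")
    shares = {name: round(100 * kb / busy_kb, 2) for name, kb in usage.items() if kb}
    return shares, round(100 * largest_kb / free_kb, 1)

if __name__ == "__main__":
    print(report(SAMPLE))
```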