Memory leak in the Windows API when verifying an executable's Authenticode signature?

Tags: winapi, cryptography, digital-signature, cryptoapi, winverifytrust

I use the following function to check the validity of some Windows executables; it is called in a loop from _tmain:
#include <windows.h>
#include <wintrust.h>
#include <softpub.h>                 /* WINTRUST_ACTION_GENERIC_VERIFY_V2 */
#pragma comment(lib, "wintrust.lib")

int signature_is_valid(const wchar_t *filepath) {
    GUID guid = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_FILE_INFO file_info = { 0 };
    WINTRUST_DATA wd;

    file_info.cbStruct = sizeof(file_info);
    file_info.pcwszFilePath = filepath;     /* verify the file by path ... */
    file_info.hFile = NULL;                 /* ... not through an open handle */
    file_info.pgKnownSubject = NULL;

    ZeroMemory(&wd, sizeof(wd));
    wd.cbStruct = sizeof(wd);
    wd.dwUIChoice = WTD_UI_NONE;                          /* never show a dialog */
    wd.fdwRevocationChecks = WTD_REVOCATION_CHECK_NONE;
    wd.dwUnionChoice = WTD_CHOICE_FILE;
    wd.dwStateAction = 0;   /* WTD_STATEACTION_IGNORE: no state handle is kept,
                               so no WTD_STATEACTION_CLOSE call is required */
    wd.pFile = &file_info;
    wd.dwProvFlags = WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | WTD_CACHE_ONLY_URL_RETRIEVAL;

    /* WinVerifyTrust returns ERROR_SUCCESS (0) only for a valid, trusted signature */
    return 0 == WinVerifyTrust(NULL, &guid, &wd);
}
However, memory keeps growing with every loop iteration, which is surely a sign of a memory leak. Is there something wrong with my understanding of the API, or does the WinVerifyTrust function actually leak? I am testing on a Windows XP Professional SP3 system.
Edit: here is some output from umdh:
+ 16812 ( 16992 - 180) 472 allocs BackTraceAD1
+ 467 ( 472 - 5) BackTraceAD1 allocations
ntdll!RtlDebugAllocateHeap+000000E1
ntdll!RtlAllocateHeapSlowly+00000044
ntdll!RtlAllocateHeap+00000E64
kernel32!LocalAlloc+00000058
CRYPT32!operator new+00000011
CRYPT32!I_CryptCreateLruEntry+00000011
CRYPT32!CreateAuthRootAutoUpdateMatchCaches+00000107
CRYPT32!CCertChainEngine::FindAuthRootAutoUpdateMatchingCtlEntries+0000004D
CRYPT32!CChainPathObject::GetAuthRootAutoUpdateUrlStore+000000C9
CRYPT32!CChainPathObject::CChainPathObject+0000030E
CRYPT32!ChainCreatePathObject+00000050
CRYPT32!CCertIssuerList::AddIssuer+0000006A
CRYPT32!CChainPathObject::FindAndAddIssuersFromStoreByMatchType+00000182
CRYPT32!CChainPathObject::FindAndAddIssuersByMatchType+00000096
CRYPT32!CChainPathObject::FindAndAddIssuers+00000023
CRYPT32!CChainPathObject::CChainPathObject+000001F9
CRYPT32!ChainCreatePathObject+00000050
CRYPT32!CCertIssuerList::AddIssuer+0000006A
CRYPT32!CChainPathObject::FindAndAddIssuersFromCacheByMatchType+00000084
CRYPT32!CChainPathObject::FindAndAddIssuersByMatchType+00000023
CRYPT32!CChainPathObject::FindAndAddIssuers+00000063
CRYPT32!CChainPathObject::CChainPathObject+000001F9
CRYPT32!ChainCreatePathObject+00000050
CRYPT32!CCertChainEngine::CreateChainContextFromPathGraph+0000019E
CRYPT32!CCertChainEngine::GetChainContext+00000044
CRYPT32!CertGetCertificateChain+00000060
WINTRUST!_WalkChain+0000019C
WINTRUST!WintrustCertificateTrust+000000B7
WINTRUST!_VerifyTrust+00000144
WINTRUST!WinVerifyTrust+0000004E
SigTest!signature_is_valid+000000DD
+ 10984 ( 10984 - 0) 2 allocs BackTraceBB3
+ 2 ( 2 - 0) BackTraceBB3 allocations
ntdll!RtlDebugAllocateHeap+000000E1
ntdll!RtlAllocateHeapSlowly+00000044
ntdll!RtlAllocateHeap+00000E64
kernel32!LocalAlloc+00000058
CRYPT32!PkiDefaultCryptAlloc+00000011
CRYPT32!CertFindCertificateInCRL+00000051
cryptnet!MicrosoftCertDllVerifyRevocation+00000250
CRYPT32!I_CryptRemainingMilliseconds+0000021B
CRYPT32!CertVerifyRevocation+000000B7
CRYPT32!CChainPathObject::CalculateRevocationStatus+000001F2
CRYPT32!CChainPathObject::CalculateAdditionalStatus+00000147
CRYPT32!CCertChainEngine::CreateChainContextFromPathGraph+00000227
CRYPT32!CCertChainEngine::GetChainContext+00000044
CRYPT32!CertGetCertificateChain+00000060
WINTRUST!_WalkChain+0000019C
WINTRUST!WintrustCertificateTrust+000000B7
WINTRUST!_VerifyTrust+00000144
WINTRUST!WinVerifyTrust+0000004E
SigTest!signature_is_valid+000000DD
SigTest!wmain+00000073
SigTest!__tmainCRTStartup+000001A8
SigTest!wmainCRTStartup+0000000F
kernel32!BaseProcessStart+00000023
It looks to me like the CRYPT32 functions are the ones leaking... or am I missing something?
EDIT2: here is the memory evolution over thousands of loop iterations:
Answer 1:

I haven't seen any information about this API leaking. Perhaps this is just heap fragmentation in the process. You can confirm this by taking process snapshots at time X and X+delta and then analyzing the comparative heap usage at those times. Make sure all symbols are available so that this is as helpful as possible. (Edit: looking at the new graph, I was wrong.)

Answer 2:

Judging by the "I_CryptCreateLruEntry" in the call stack, I'd guess this is not a memory leak; it's just the API caching data in a bounded way, i.e. it won't grow indefinitely. The LRU in that name suggests it is storing the certificates it obtains so as to speed up subsequent operations that may involve the same certificate.

If you run the code in a loop and find it is using several megabytes and still growing after many iterations, then there may be a leak, or the caching algorithm is very badly configured; otherwise I'd say you probably don't need to worry.

Answer 3:

According to the documentation, WTD_CACHE_ONLY_URL_RETRIEVAL is not supported on Windows XP or Windows 2000. I doubt this is related to the apparent leak, but I thought it might be worth pointing out.

Answer 4:

Yes. If your crypt32.dll file version is low enough, there is a very annoying memory leak. See the hotfix KB2641690 and install it for the fix.

Comments:

I know what an LRU is supposed to do, but it doesn't seem to be caching anything. For the same executable checked in the loop, memory keeps growing linearly. That doesn't look like a cache (unless the cache has gone badly wrong :).

Sorry, that was a red herring.

Just because memory grows with each iteration doesn't necessarily mean a memory leak. The heap may decide to hand out fresh memory rather than reuse previously freed memory. This is common on systems with lots of free memory. When there is memory pressure in the system, the working set will be trimmed, which may persuade the heap not to be so greedy.
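To settle the leak-versus-cache question the answers argue about, here is an added diagnostic script (not code from the question or any answer): it repeats the verification in one process and samples private bytes, so steady linear growth can be told from growth that flattens out. It uses PowerShell's Get-AuthenticodeSignature, which calls WinVerifyTrust internally with its own flags rather than those of the question's C code, and it only prints the crypt32.dll version because the thread does not give the version at which the hotfix applies.

```powershell
# Added diagnostic; not part of the original question or answers.
# Verifies the same file repeatedly in this process and samples private bytes
# to distinguish a genuine leak (steady linear growth) from a bounded cache or
# heap growth that flattens out. Assumes PowerShell 2 or later on Windows.
param(
    [Parameter(Mandatory = $true)][string] $Path,   # executable to verify
    [int] $Iterations = 5000,
    [int] $SampleEvery = 500
)

# crypt32.dll version, to compare against the hotfix (KB2641690) named in the thread.
$crypt32 = Get-Item (Join-Path $env:windir 'System32\crypt32.dll')
"crypt32.dll file version: $($crypt32.VersionInfo.FileVersion)"

$me = Get-Process -Id $PID
$samples = @()
for ($i = 1; $i -le $Iterations; $i++) {
    # Get-AuthenticodeSignature calls WinVerifyTrust internally (with its own flags,
    # not those of the question's C code), so it exercises the same crypt32 chain code.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($i -eq 1) { "Signature status: $($sig.Status)" }
    if ($i % $SampleEvery -eq 0) {
        $me.Refresh()
        $samples += New-Object PSObject -Property @{
            Iteration = $i
            PrivateKB = [int]($me.PrivateMemorySize64 / 1KB)
        }
    }
}
$samples | Format-Table Iteration, PrivateKB -AutoSize | Out-String

if ($samples.Count -lt 4) { 'Too few samples to judge; raise Iterations.'; return }

# Rule of thumb: a leak keeps the same growth rate in the second half of the run;
# an LRU cache or heap warm-up grows early and then flattens.
$half   = [int][math]::Floor($samples.Count / 2)
$first  = $samples[$half - 1].PrivateKB - $samples[0].PrivateKB
$second = $samples[-1].PrivateKB - $samples[$half].PrivateKB
"Growth first half: $first KB, second half: $second KB"
if ($second -gt 0 -and $second -ge 0.8 * $first) {
    'Private bytes still growing at the same rate: treat as a leak (check the crypt32 hotfix).'
} else {
    'Growth flattened: consistent with bounded caching or heap behaviour, not a leak.'
}
```

Run it against the same executable the loop in the question checks, e.g. `.\leakcheck.ps1 -Path C:\Windows\System32\notepad.exe`, and compare the two growth figures.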