Is there a way in windbg to create a break point t

Published 2019-04-13 16:40

Question:

I'm trying to track down who is making an allocation of a certain size, and I tried using the user mode stack trace db (gflags +ust), but due to FPO I can't see the entire stack. So instead I wanted to set a breakpoint on RtlAllocateHeap when it makes the allocation size I'm looking for. The only problem is I can't seem to find out a way to get this to work.

I initially tried using @esi since it looked like the third parameter was being passed using this register, but it doesn't appear that's always the case. So then I tried @ebp-c to give me the third parameter, but that doesn't appear to always work, so I tried @esp+14 and that didn't work either.

No matter what I do I can't seem to find a way to get this to actually fire when I want it to. It seems like this should work, but I'm guessing it is using leaf function optimizations in certain cases which is preventing me from being able to do this.

Anyone have any ideas on how to get this to work?

Heap stack trace:

0:013> !heap -p -a 0c060710    
address 0c060710 found in
_HEAP @ 1420000
  HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
    0c0606f8 09c3 0000  [00]   0c060710    04e00 - (busy)
    77abb234 ntdll!RtlAllocateHeap+0x00000274
    75ee404b ole32!CRetailMalloc_Alloc+0x00000016
    76454557 OLEAUT32!APP_DATA::AllocCachedMem+0x00000060
    7645476a OLEAUT32!SysAllocStringByteLen+0x0000003d
    764547bf OLEAUT32!ErrStringCopyNoNull+0x00000016
    764547e3 OLEAUT32!VariantCopy+0x0000007f

Breakpoints tried:

 bp ntdll!RtlAllocateHeap "j @esi == 0x4e00 ''; 'gc'"
 bp ntdll!RtlAllocateHeap "j poi(@ebp-c) == 0x4e00 ''; 'gc'"
 bp ntdll!RtlAllocateHeap "j poi(@esp+14) == 0x4e00 ''; 'gc'"

Answer 1:

Use poi(@esp+c)

At the first instruction of the function, you do not have EBP. So the structure on the stack for cdecl and stdcall is

<return address>
<First arg>
<second arg>

etc.
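Applying the stack layout from this answer to the size the question is filtering on, as an added example that is not part of either post. It assumes a 32-bit target (the question works with esi, ebp and esp) and the 0x4e00 size from the question's !heap output; the 64-bit line at the end is an extra caveat for readers on an x64 target and is not something the question's target needs.

```windbg
$$ At the first instruction of ntdll!RtlAllocateHeap on x86 (stdcall) the frame
$$ has not been set up yet, so the arguments sit directly above the return address:
$$   poi(@esp)    return address of the caller (exact even under FPO)
$$   poi(@esp+4)  HeapHandle
$$   poi(@esp+8)  Flags
$$   poi(@esp+c)  Size      <- the value the question wants to filter on
$$
$$ Corrected form of the j-style breakpoints the question tried: stop and show
$$ the stack when Size == 0x4e00, otherwise resume.
bp ntdll!RtlAllocateHeap "j (poi(@esp+c) == 0x4e00) 'kb'; 'gc'"

$$ Same condition written with .if; prints the three arguments before the stack
$$ so each hit is self-describing in the log.
bp ntdll!RtlAllocateHeap ".if (poi(@esp+c) == 0x4e00) { .printf \"RtlAllocateHeap(heap=%p, flags=%x, size=%x)\\n\", poi(@esp+4), poi(@esp+8), poi(@esp+c); kb } .else { gc }"

$$ Caveat for an x64 target (assumption: the question's target is 32-bit): the
$$ Win64 convention passes the third argument in r8, so the stack offsets above
$$ do not apply and the condition becomes @r8 == 0x4e00.
bp ntdll!RtlAllocateHeap ".if (@r8 == 0x4e00) { kb } .else { gc }"
```

Because the breakpoint sits on the entry instruction, the return address at poi(@esp) is always the real caller regardless of FPO, so kb shows at least the immediate caller even when deeper frames are lost, which is the part the user-mode stack trace database was hiding in the question.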



Answer 2:

I think I have tested this: Break on allocation size == 1303

bp ntdll!RtlAllocateHeap "j(poi(@esp+c) = 0x1303) 'k';'gc'"



Tags: windbg