Find all C++ objects of type X on heap using WinDbg

Question

I'm trying to find all objects of type module!SomeClass in the heap. I thought a command like this would've worked:

> s -v 0 L?0xfffffff module!SomeClass

but alas, it does not. If I knew how to find the vtable address for that class, I could then search memory for references to that vtable, but I haven't had much luck finding that either. How can I do it?

Answer 1

0:000> x module!SomeClass*table*
0:000> !heap -srch 'address_of_vtable'

Answer 2

class Polygon {
protected:
    int width, height;
public:
    virtual int area()
    {
        return 0;
    }
};

class Rectangle : public Polygon {
public:
    int area()
    {
        return width * height;
    }
};

class Triangle : public Polygon {
public:
    int area()
    {
        return (width * height / 2);
    }
};


class RectangleTriangle : public Rectangle, Triangle //RectangleTriangle  <-- This class will have two Vtables for each base class
{
public:
    int area()
    {
        return (2* 3/ 2);
    }
};

int main() {
    RectangleTriangle *rect = new RectangleTriangle();
    Triangle trgl;
    Polygon poly;
    return 0;
}

The reason why we start with vtables is because any object which inherit a virtual function will have a vtable pointer which is basically a static variable on the class. So every object of that class should have a reference to this vtable location when the object is created in the heap. So from vtable pointer we are basically trying to get hold of the object itself.

0:000> x Win32Sample!RectangleTriangle*table*
00007ff7`81ed3288 Win32Sample!RectangleTriangle::`vftable' = <function> *[2] <-- one for each base class
00007ff7`81ed3278 Win32Sample!RectangleTriangle::`vftable' = <function> *[2] <-- one for each base class

0:000> !heap -srch 00007ff7`81ed3288  // <-- We are asking !heap "who owns a pointer to this vtable in the entire process heap"
    _HEAP @ 1e5ed710000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000001e5ed716620 0006 0000  [00]   000001e5ed716630    00021 - (busy)
          Win32Sample!RectangleTriangle::`vftable'

0:000> !heap -srch 00007ff7`81ed3278 // <-- We are asking !heap "who owns a pointer to this vtable in the entire process heap"
    _HEAP @ 1e5ed710000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000001e5ed716620 0006 0000  [00]   000001e5ed716630    00021 - (busy)
          Win32Sample!RectangleTriangle::`vftable'

UserPtr is basically the starting of the block of memory returned by heap manager for new operator. That is why UserPtr does not mean the memory location which includes this value instead it is the starting of the heap block hence in both vtables the value is same 000001e5ed716630

0:000> dt Win32Sample!RectangleTriangle 000001e5ed716630
   +0x000 __VFN_table : 0x00007ff7`81ed3278 
   +0x008 width            : 0n0
   +0x00c height           : 0n0
   +0x010 __VFN_table : 0x00007ff7`81ed3288 
   +0x018 width            : 0n0
   +0x01c height           : 0n0

We cannot use s command to search for the vtable pointer and the object in heap because heap blocks are not contiguous!!!